Home > Security and SD-WAN > Site-to-site VPN > Subnetting large-scale Z1 deployments for route summarization

Subnetting large-scale Z1 deployments for route summarization

Table of contents
No headers

When several Z1 Teleworker Gateways are deployed to establish Site-to-site VPN tunnels to an MX in Concentrator Mode, a static route for each VPN connection needs to be configured on the MX's default gateway. However, configuring one static route per device is inconvenient for large-scale Z1 deployments. Using Route Summarization, this task can be accomplished with one route if configured correctly. 


1. Configure the MX as a VPN Concentrator.


2. Configure the Class B summarized route. Use a Class B (or /16 in CIDR notation) network when configuring the static route to the VPN Concentrator on your third-party default gateway. This can be done with any private Class B subnet such as

Note: The subnets suggested in this example are not required for proper Route Summarization. Other subnetting methodologies such as VLSM (variable length subnet mask addressing) can appropriately achieve similar deployment goals. 



Figure 1. Sample configuration of the route needed on a Cisco Router. Where is the default gateway of the corp network



Figure 2. Configuring the local subent on the Z1 for VPN route summarization. 


3. Subnet each Z1 within the range of the summarized route. When deploying each Z1, go to Configure > Addressing & VLANs and configure the device’s Local Subnet in the same range as the route. Each Z1 will be in a /24 addressing scheme that is part of the /16 route that you configured. Use a unique Class C subnet for each Z1 to avoid overlapping subnets. If there are overlapping subnets, traffic will not be able to route.


Figure 3. An example deployment with Z1s on separate  Class C subnets and the route on the corporate gateway pointing to the Class B subnet.

The Z1s are subnetted in the same Class B network (/16) and on a distinct subnet range from the datacenter. This separation allows Route Summarization to work because all VPN traffic is destined for one large subnet that encompasses many smaller Z1 networks.  

Last modified



This page has no classifications.

Explore the Product

Click to Learn More

Article ID

ID: 1449

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community