Configure Multiple Virtual Routers on SD-WAN Branch
Configure multiple virtual routers on the SD-WAN branch to use overlapping IP subnet
addresses on both hub and branch devices.
(PAN-OS 11.2.3 and later releases, and SD-WAN Plugin 3.3.1 and later releases) We have introduced support for multiple virtual routers on SD-WAN branches so that hub and branch devices can use overlapping IP subnet addresses. With this feature you can have multiple logical routing domains with overlapping subnets.
Ensure the following before you enable multiple virtual routers on the SD-WAN branch devices:
- The hub device to which the branches connect must have multiple virtual router support enabled.
- The hub devices to which the branches connect must have all the virtual routers that are present on the branch devices.
- In a VPN cluster, you must enable multiple virtual router support on all the hubs before the branches can use it.
The following figure illustrates three SD-WAN branches, each configured with one or more virtual routers. By enabling multiple virtual router support on the SD-WAN branches, the three branches connecting to the same SD-WAN hub can have overlapping IP subnets or belong to different entities and function independently, because their traffic goes to different virtual routers.
- Select Panorama > SD-WAN > Devices and Add a new SD-WAN firewall.
- To configure multiple virtual routers on the SD-WAN branch device:
  - Select the Type of SD-WAN device as Branch.
  - Select Enable Multi-VR Support.
  The virtual router selected for the Virtual Router Name is used as the branch direct internet access (DIA) virtual router and is considered the default virtual router. The configuration specified under the BGP tab must be specific to the DIA virtual router.
  - FEC and packet duplication are not supported when the multiple virtual router feature is enabled on the SD-WAN branch.
  - The multiple virtual router feature on the SD-WAN branch is supported only in a hub-spoke topology (it is not supported in a full mesh topology).
  - To process internet traffic on the SD-WAN branch, the SD-WAN policy must ensure that the MPLS tag is selected only when the MPLS link has internet access and NAT.
  - PAN-OS does not support forwarding traffic in cleartext outside of the SD-WAN VPN tunnel (that is, with VPN Data Tunnel Support disabled on the SD-WAN Interface Profile) when multiple virtual router support is enabled on the SD-WAN branch.
A maximum of 20 virtual routers is supported on the SD-WAN branch device. However, the number of virtual routers supported on the SD-WAN branch varies by platform:

Palo Alto Networks Firewall | Maximum Virtual Routers Supported | Maximum SD-WAN Branch Virtual Routers Supported
---|---|---
PA-460 | 5 | 5
PA-450 | 5 | 5
PA-445 | 3 | 3
PA-440 | 3 | 3
PA-415 | 3 | 3
PA-1420 | 10 | 10
PA-1410 | 10 | 10
PA-850 | 5 | 5
PA-820 | 5 | 5
PA-3200 | 10 | 10

- (Optional) Configure virtual routers.
- Select the Virtual Routers tab to configure multiple virtual routers for the SD-WAN branch.
- BGP routing uses IPv4 by default, hence Enable IPv4 BGP Support is enabled and you can't change this configuration.
- Enter the name of the Virtual Router.
- Select a unique zone for the virtual router. In a VPN cluster with a multiple virtual router configuration, each device (branch or hub) with a virtual router that participates in the multiple virtual router configuration must have a unique zone.
- (Optional) Enter the virtual Router ID, which must be unique among all routers.
- Specify a static IPv4 Loopback Address for BGP peering. Auto VPN configuration automatically creates a loopback interface with the same IPv4 address that you specify. If you specify an existing loopback address, the commit will fail, so specify an IPv4 address that is not already a loopback address.
- Enter the AS Number. The autonomous system number specifies a commonly defined routing policy to the internet. The AS number must be unique for every hub and branch location.
- Disable the Remove Private AS option (the default is enabled) if you have endpoints that need to exchange routes with a hub or branch firewall in an SD-WAN BGP topology and therefore you don't want to remove private AS numbers (64512 to 65534) from the AS_PATH attribute in BGP Updates. In this case, you want to allow the private AS numbers to leave the SD-WAN private AS in BGP Updates.
  The Remove Private AS setting applies to all BGP peer groups on the branch or hub firewall. If you need this setting to differ among BGP peer groups or peers, you must configure the setting outside of the SD-WAN plugin.
  If you change the Remove Private AS setting, commit to all SD-WAN cluster nodes, and subsequently downgrade to an SD-WAN plugin version earlier than 2.0.2, then all configuration related to Remove Private AS must be done outside of the SD-WAN plugin or directly on the firewalls.
- Enter Prefix(es) to Redistribute. On a hub device, you must enter at least one prefix to redistribute.
- Click OK.
- Click Add at the bottom of the Virtual Routers tab to add more virtual routers.
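The procedure above states several constraints that only surface as a failed commit or as broken routing once the design is pushed from Panorama: every hub must have multi-VR support enabled first, each hub must carry every virtual router that a branch has, each participating virtual router needs its own zone, the loopback address must not already exist, the AS number must differ per site, and the branch platform caps how many virtual routers it can hold. The following Python script is an added example, not Palo Alto Networks code and not part of this page; it encodes those checks against constructed sample data so that a design can be reviewed before it is committed. The `Device` and `VirtualRouter` classes, the check codes, the hostnames, zones, loopback addresses and AS numbers are this example's own assumptions; the per-platform limits are taken from the table above, and `remove_private_as` models what the Remove Private AS option does to an AS_PATH.

```python
"""Pre-commit sanity checks for a multi-VR SD-WAN branch design.

Added example, not Palo Alto Networks code. It encodes the constraints the
procedure above states and runs them over constructed sample data; the class,
field and check names are this example's own, not the SD-WAN plugin's.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

# Maximum SD-WAN branch virtual routers per platform, from the table on the page.
MAX_BRANCH_VRS = {
    "PA-460": 5, "PA-450": 5, "PA-445": 3, "PA-440": 3, "PA-415": 3,
    "PA-1420": 10, "PA-1410": 10, "PA-850": 5, "PA-820": 5, "PA-3200": 10,
}
PRIVATE_AS = range(64512, 65535)  # 64512-65534 inclusive, the range Remove Private AS strips


@dataclass
class VirtualRouter:
    name: str
    zone: str
    loopback: str
    as_number: int
    router_id: Optional[str] = None


@dataclass
class Device:
    hostname: str
    role: str                      # "hub" or "branch"
    platform: str
    multi_vr: bool                 # Enable Multi-VR Support selected
    vrs: list = field(default_factory=list)
    existing_loopbacks: set = field(default_factory=set)  # loopback IPs already on the firewall


def remove_private_as(as_path):
    """Model the Remove Private AS option: drop 64512-65534 from an AS_PATH."""
    return [asn for asn in as_path if asn not in PRIVATE_AS]


def validate_cluster(hubs, branches):
    """Return findings as 'CODE device: detail' strings; an empty list means the design passes."""
    findings = []
    # Branches may only enable multi-VR once every hub has it enabled.
    for hub in hubs:
        if not hub.multi_vr:
            findings.append(f"HUB_MULTI_VR_DISABLED {hub.hostname}: enable multi-VR on all hubs first")
    hub_vrs = {hub.hostname: {vr.name for vr in hub.vrs} for hub in hubs}

    zones, router_ids, as_by_device = {}, {}, {}
    for dev in [*hubs, *branches]:
        limit = MAX_BRANCH_VRS.get(dev.platform)
        if dev.role == "branch" and limit is not None and len(dev.vrs) > limit:
            findings.append(f"VR_LIMIT {dev.hostname}: {len(dev.vrs)} VRs exceeds {limit} for {dev.platform}")
        if dev.role == "branch":
            # Every branch VR must also exist on every hub the branch connects to.
            for hub_name, names in hub_vrs.items():
                missing = sorted({vr.name for vr in dev.vrs} - names)
                if missing:
                    findings.append(f"VR_MISSING_ON_HUB {dev.hostname}: {missing} not present on {hub_name}")
        as_by_device[dev.hostname] = {vr.as_number for vr in dev.vrs}
        for vr in dev.vrs:
            owner = f"{dev.hostname}/{vr.name}"
            # Every VR taking part in the cluster needs its own zone.
            if vr.zone in zones:
                findings.append(f"ZONE_DUPLICATE {owner}: zone {vr.zone} already used by {zones[vr.zone]}")
            zones.setdefault(vr.zone, owner)
            # Auto VPN creates the loopback; reusing an existing one fails the commit.
            ip_address(vr.loopback)  # raises ValueError on a malformed address
            if vr.loopback in dev.existing_loopbacks:
                findings.append(f"LOOPBACK_EXISTS {owner}: {vr.loopback} is already a loopback address")
            if vr.router_id is not None:
                if vr.router_id in router_ids:
                    findings.append(f"ROUTER_ID_DUPLICATE {owner}: {vr.router_id} also on {router_ids[vr.router_id]}")
                router_ids.setdefault(vr.router_id, owner)
    # AS number must be unique per hub and branch location (read here as: no two devices share one).
    names = sorted(as_by_device)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared = as_by_device[a] & as_by_device[b]
            if shared:
                findings.append(f"AS_NOT_UNIQUE {a}/{b}: AS {sorted(shared)} used at both sites")
    return findings


def sample_design():
    """Constructed data: one hub and two branches, the second with deliberate mistakes."""
    hub = Device("hub1", "hub", "PA-3200", True, [
        VirtualRouter("vr-tenantA", "hub-tenantA", "10.255.0.1", 65000),
        VirtualRouter("vr-tenantB", "hub-tenantB", "10.255.0.2", 65000),
    ])
    br1 = Device("br1", "branch", "PA-440", True, [
        VirtualRouter("vr-tenantA", "br1-tenantA", "10.255.1.1", 65001),
        VirtualRouter("vr-tenantB", "br1-tenantB", "10.255.1.2", 65001),
    ])
    br2 = Device("br2", "branch", "PA-440", True, [
        VirtualRouter("vr-tenantA", "br2-tenantA", "10.255.2.1", 65002),
        VirtualRouter("vr-tenantB", "br1-tenantB", "10.255.2.2", 65002),  # zone reused from br1
        VirtualRouter("vr-tenantC", "br2-tenantC", "10.255.2.3", 65001),  # AS shared with br1; VR absent on hub
        VirtualRouter("vr-tenantD", "br2-tenantD", "10.255.2.4", 65002),  # fourth VR on a 3-VR platform
    ], existing_loopbacks={"10.255.2.4"})
    return [hub], [br1, br2]


if __name__ == "__main__":
    for line in validate_cluster(*sample_design()):
        print(line)
    print(remove_private_as([64512, 3356, 65534, 15169]))
```

Run as-is, the script reports five findings for `br2` (platform limit exceeded, two virtual routers missing on the hub, a reused zone, a loopback address that already exists, and an AS number shared with `br1`) and none for `br1`; the AS_PATH call shows the two private numbers removed while the public ones remain. The AS-number check treats "unique for every hub and branch location" as no two devices sharing an AS, which is the stricter reading; relax it if your design intentionally reuses an AS within a site.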