: Configure Multiple Virtual Routers on SD-WAN Branch
Focus
Focus

Configure Multiple Virtual Routers on SD-WAN Branch

Table of Contents

Configure Multiple Virtual Routers on SD-WAN Branch

Configure multiple virtual routers on the SD-WAN branch to use overlapping IP subnet addresses on both hub and branch devices.
Where Can I Use This?What Do I Need?
  • PAN-OS
  • SD-WAN
  • SD-WAN license
(PAN-OS 11.2.3 and later releases, and SD-WAN Plugin 3.3.1 and later releases) We have introduced support for multiple virtual routers on the SD-WAN branches to have overlapping IP subnet addresses on both hub and branch devices. With this feature you can have multiple logical routing domains with overlapping subnets.
Ensure the following before you enable the multiple virtual routers on the SD-WAN branch devices:
  • The hub device to which the branches are connected must have the multiple virtual router support.
  • The hub devices to which the branches are connected must have all the virtual routers that are present in the branch devices.
  • In a VPN cluster, for the branches to have the multiple virtual router support, you must enable the multiple virtual router support on all the hubs first.
The following figure illustrates three SD-WAN branches with each configured with one or more virtual routers. By enabling multiple virtual routers support on the SD-WAN branches, the three branches connecting to the same SD-WAN hub can have overlapping IP subnets or belong to different entities and function independently because their traffic goes to different virtual routers.
  1. Select PanoramaSD-WANDevices and Add a new SD-WAN firewall.
  2. To configure multiple virtual routers on the SD-WAN branch device:
    • Select the Type of SD-WAN device as Branch.
    • Select Enable Multi-VR Support.
    The virtual router selected for the Virtual Router Name is used as the branch direct internet access (DIA) virtual router and considered as the default virtual router. The configuration specified under the BGP tab must be specific to the DIA virtual router.
    • We don't support FEC and packet duplication when multiple virtual router feature is enabled on the SD-WAN branch.
    • The multiple virtual router feature on SD-WAN branch is supported only in a hub-spoke topology (and not supported in a full mesh topology).
    • To process internet traffic on the SD-WAN branch, SD-WAN policy must ensure that the MPLS tag is selected only when the MPLS link has internet access and NAT.
    • PAN-OS does not support forwarding traffic in cleartext (when the VPN Data Tunnel Support is disabled on the SD-WAN Interface Profile) outside of the SD-WAN VPN tunnel when multiple virtual routers support on the SD-WAN branch feature is enabled.
    A maximum of 20 virtual routers are supported on the SD-WAN branch device. However, the number of virtual routers supported on the SD-WAN branch varies by the platform:
    Palo Alto Networks FirewallMaximum Virtual Routers SupportedMaximum SD-WAN Branch Virtual Routers Supported
    PA-46055
    PA-45055
    PA-44533
    PA-44033
    PA-41533
    PA-14201010
    PA-14101010
    PA-85055
    PA-82055
    PA-32001010
  3. (Optional) Configure virtual routers.
    1. Select the Virtual Routers tab to configure multiple virtual routers for the SD-WAN branch.
    2. BGP routing uses IPv4 by default and hence Enable IPv4 BGP Support is enabled and you can't change this configuration.
    3. Enter the name of the Virtual Router.
    4. Select a unique zone for the virtual router.
      In a VPN cluster with multiple virtual router configuration, each device (branch or hub) with virtual router that is participating in the multiple virtual router configuration must have a unique zone.
    5. (Optional) Enter the virtual Router ID, which must be unique among all routers.
    6. Specify a static IPv4 Loopback Address for BGP peering. Auto VPN configuration automatically creates a loopback interface with the same IPv4 address that you specify. If you specify an existing loopback address, the commit will fail, so you should specify an IPv4 address that is not already a loopback address.
    7. Enter the AS Number. The autonomous system number specifies a commonly defined routing policy to the internet. The AS number must be unique for every hub and branch location.
    8. Disable the Remove Private AS option (the default is enabled) if you have endpoints that need to exchange routes with a hub or branch firewall in an SD-WAN BGP topology and therefore you don’t want to remove private AS numbers (64512 to 65534) from the AS_PATH attribute in BGP Updates. In this case, you want to allow the private AS numbers to leave the SD-WAN private AS in BGP Updates.
      The Remove Private AS setting applies to all BGP peer groups on the branch or hub firewall. If you need this setting to differ among BGP peer groups or peers, you must configure the setting outside of the SD-WAN plugin.
      If you change the Remove Private AS setting, commit to all SD-WAN cluster nodes, and subsequently downgrade to an SD-WAN plugin version earlier than 2.0.2, then all configuration related to Remove Private AS must be done outside of the SD-WAN plugin or directly on the firewalls.
    9. Enter Prefix(es) to Redistribute. On a hub device, you must enter at least one prefix to redistribute.
    10. Click OK
    11. Click Add at the bottom of the Virtual Routers tab to add more virtual routers.