Configure Multiple Virtual Routers on SD-WAN Branch

Where Can I Use This?	What Do I Need?
PAN-OS SD-WAN	SD-WAN plugin license

(

PAN-OS 11.2.3 and later releases, and SD-WAN Plugin 3.3.1 and later releases

) We have introduced support for multiple virtual routers on the SD-WAN branches to have overlapping IP subnet addresses on both hub and branch devices. With this feature you can have multiple logical routing domains with overlapping subnets.

Ensure the following before you enable the multiple virtual routers on the SD-WAN branch devices:

The hub device to which the branches are connected must have the multiple virtual router support.
The hub devices to which the branches are connected must have all the virtual routers that are present in the branch devices.
In a VPN cluster, for the branches to have the multiple virtual router support, you must enable the multiple virtual router support on all the hubs first.

The following figure illustrates three SD-WAN branches with each configured with one or more virtual routers. By enabling

multiple virtual routers support

on the SD-WAN branches, the three branches connecting to the same SD-WAN hub can have overlapping IP subnets or belong to different entities and function independently because their traffic goes to different virtual routers.

Log in to the Panorama Web Interface.
Select
Panorama
SD-WAN
Devices
and
Add
a new SD-WAN firewall.
To configure multiple virtual routers on the SD-WAN branch device:
Select the
Type
of SD-WAN device as
Branch
.
Select
Enable Multi-VR Support
.
The virtual router selected for the
Virtual Router Name
is used as the branch direct internet access (DIA) virtual router and considered as the default virtual router. The configuration specified under the
BGP
tab must be specific to the DIA virtual router.
We don't support FEC and packet duplication when multiple virtual router feature is enabled on the SD-WAN branch.
The multiple virtual router feature on SD-WAN branch is supported only in a hub-spoke topology (and not supported in a full mesh topology).
To process internet traffic on the SD-WAN branch, SD-WAN policy must ensure that the MPLS tag is selected only when the MPLS link has internet access and NAT.
PAN-OS does not support forwarding traffic in cleartext (when the
VPN Data Tunnel Support
is disabled on the
SD-WAN Interface Profile
) outside of the SD-WAN VPN tunnel when multiple virtual routers support on the SD-WAN branch feature is enabled.
A maximum of 20 virtual routers are supported on the SD-WAN branch device. However, the number of virtual routers supported on the SD-WAN branch varies by the platform:
Palo Alto Networks Firewall	Maximum Virtual Routers Supported	Maximum SD-WAN Branch Virtual Routers Supported
PA-460	5	5
PA-450	5	5
PA-445	3	3
PA-440	3	3
PA-415	3	3
PA-1420	10	10
PA-1410	10	10
PA-850	5	5
PA-820	5	5
PA-3200	10	10
(
Optional
) Configure virtual routers.
Select the
Virtual Routers
tab to configure multiple virtual routers for the SD-WAN branch.
BGP routing uses IPv4 by default and hence
Enable IPv4 BGP Support
is enabled and you can't change this configuration.
Enter the name of the
Virtual Router
.
Select a unique zone for the virtual router.
In a VPN cluster with multiple virtual router configuration, each device (branch or hub) with virtual router that is participating in the multiple virtual router configuration must have a unique zone.
(
Optional
) Enter the virtual
Router ID
, which must be unique among all routers.
Specify a static IPv4
Loopback Address
for BGP peering. Auto VPN configuration automatically creates a loopback interface with the same IPv4 address that you specify. If you specify an existing loopback address, the commit will fail, so you should specify an IPv4 address that is not already a loopback address.
Enter the
AS Number
. The autonomous system number specifies a commonly defined routing policy to the internet. The AS number must be unique for every hub and branch location.
Disable the
Remove Private AS
option (the default is enabled) if you have endpoints that need to exchange routes with a hub or branch firewall in an SD-WAN BGP topology and therefore you don’t want to remove private AS numbers (64512 to 65534) from the AS_PATH attribute in BGP Updates. In this case, you want to allow the private AS numbers to leave the SD-WAN private AS in BGP Updates.
The
Remove Private AS
setting applies to all BGP peer groups on the branch or hub firewall. If you need this setting to differ among BGP peer groups or peers, you must configure the setting outside of the SD-WAN plugin.
If you change the
Remove Private AS
setting, commit to all SD-WAN cluster nodes, and subsequently downgrade to an SD-WAN plugin version earlier than 2.0.2, then all configuration related to
Remove Private AS
must be done outside of the SD-WAN plugin or directly on the firewalls.
Enter
Prefix(es) to Redistribute
. On a hub device, you must enter at least one prefix to redistribute.
Click
OK
Click
Add
at the bottom of the
Virtual Routers
tab to add more virtual routers.