Configure Multiple Virtual Routers on SD-WAN Branch
Table of Contents
3.2 & Later
Expand all | Collapse all
-
- Create a Link Tag
- Configure an SD-WAN Interface Profile
- Configure a Physical Ethernet Interface for SD-WAN
- Configure an Aggregate Ethernet Interface and Subinterfaces for SD-WAN
- Configure Layer 3 Subinterfaces for SD-WAN
- Configure a Virtual SD-WAN Interface
- Create a Default Route to the SD-WAN Interface
-
- Create a Path Quality Profile
-
- Create a SaaS Quality Profile
- Use Case: Configure SaaS Monitoring for a Branch Firewall
- Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to the Same SaaS Application Destination
- Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to a Different SaaS Application Destination
- SD-WAN Traffic Distribution Profiles
- Create a Traffic Distribution Profile
- Create an Error Correction Profile
- Configure an SD-WAN Policy Rule
- Allow Direct Internet Access Traffic Failover to MPLS Link
- Configure DIA AnyPath
- Distribute Unmatched Sessions
- Configure Multiple Virtual Routers on SD-WAN Hub
- Configure Multiple Virtual Routers on SD-WAN Branch
- Configure HA Devices for SD-WAN
- Create a VPN Cluster
- Create a Full Mesh VPN Cluster with DDNS Service
- Create a Static Route for SD-WAN
- Configure Advanced Routing for SD-WAN
Configure Multiple Virtual Routers on SD-WAN Branch
Configure multiple virtual routers on the SD-WAN branch to use overlapping IP subnet
addresses on both hub and branch devices.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
(PAN-OS 11.2.3 and later releases, and SD-WAN Plugin 3.3.1 and later
releases) We have introduced support for multiple virtual routers on the
SD-WAN branches to have overlapping IP subnet addresses on both hub and branch
devices. With this feature you can have multiple logical routing domains with
overlapping subnets.
Ensure the following before you enable the multiple virtual routers on the SD-WAN
branch devices:
- The hub device to which the branches are connected must have the multiple virtual router support.
- The hub devices to which the branches are connected must have all the virtual routers that are present in the branch devices.
- In a VPN cluster, for the branches to have the multiple virtual router support, you must enable the multiple virtual router support on all the hubs first.
The following figure illustrates three SD-WAN branches with each configured with one
or more virtual routers. By enabling multiple virtual routers support on the
SD-WAN branches, the three branches connecting to the same SD-WAN hub can have
overlapping IP subnets or belong to different entities and function independently
because their traffic goes to different virtual routers.
- Log in to the Panorama Web Interface.Select PanoramaSD-WANDevices and Add a new SD-WAN firewall.To configure multiple virtual routers on the SD-WAN branch device:
- Select the Type of SD-WAN device as Branch.
- Select Enable Multi-VR Support.
The virtual router selected for the Virtual Router Name is used as the branch direct internet access (DIA) virtual router and considered as the default virtual router. The configuration specified under the BGP tab must be specific to the DIA virtual router.- We don't support FEC and packet duplication when multiple virtual router feature is enabled on the SD-WAN branch.
- The multiple virtual router feature on SD-WAN branch is supported only in a hub-spoke topology (and not supported in a full mesh topology).
- To process internet traffic on the SD-WAN branch, SD-WAN policy must ensure that the MPLS tag is selected only when the MPLS link has internet access and NAT.
- PAN-OS does not support forwarding traffic in cleartext (when the VPN Data Tunnel Support is disabled on the SD-WAN Interface Profile) outside of the SD-WAN VPN tunnel when multiple virtual routers support on the SD-WAN branch feature is enabled.
A maximum of 20 virtual routers are supported on the SD-WAN branch device. However, the number of virtual routers supported on the SD-WAN branch varies by the platform:Palo Alto Networks Firewall Maximum Virtual Routers Supported Maximum SD-WAN Branch Virtual Routers Supported PA-460 5 5 PA-450 5 5 PA-445 3 3 PA-440 3 3 PA-415 3 3 PA-1420 10 10 PA-1410 10 10 PA-850 5 5 PA-820 5 5 PA-3200 10 10 (Optional) Configure virtual routers.- Select the Virtual Routers tab to configure multiple virtual routers for the SD-WAN branch.BGP routing uses IPv4 by default and hence Enable IPv4 BGP Support is enabled and you can't change this configuration.Enter the name of the Virtual Router.Select a unique zone for the virtual router.In a VPN cluster with multiple virtual router configuration, each device (branch or hub) with virtual router that is participating in the multiple virtual router configuration must have a unique zone.(Optional) Enter the virtual Router ID, which must be unique among all routers.Specify a static IPv4 Loopback Address for BGP peering. Auto VPN configuration automatically creates a loopback interface with the same IPv4 address that you specify. If you specify an existing loopback address, the commit will fail, so you should specify an IPv4 address that is not already a loopback address.Enter the AS Number. The autonomous system number specifies a commonly defined routing policy to the internet. The AS number must be unique for every hub and branch location.Disable the Remove Private AS option (the default is enabled) if you have endpoints that need to exchange routes with a hub or branch firewall in an SD-WAN BGP topology and therefore you don’t want to remove private AS numbers (64512 to 65534) from the AS_PATH attribute in BGP Updates. In this case, you want to allow the private AS numbers to leave the SD-WAN private AS in BGP Updates.The Remove Private AS setting applies to all BGP peer groups on the branch or hub firewall. If you need this setting to differ among BGP peer groups or peers, you must configure the setting outside of the SD-WAN plugin.If you change the Remove Private AS setting, commit to all SD-WAN cluster nodes, and subsequently downgrade to an SD-WAN plugin version earlier than 2.0.2, then all configuration related to Remove Private AS must be done outside of the SD-WAN plugin or directly on the firewalls.Enter Prefix(es) to Redistribute. On a hub device, you must enter at least one prefix to redistribute.Click OKClick Add at the bottom of the Virtual Routers tab to add more virtual routers.