Learn how to onboard two remote network locations that
have overlapping subnets to Prisma Access.
As a general rule, you cannot have any overlapping subnets
within a Prisma Access deployment. That is, the subnets for all
remote network locations, your service connections, and your Prisma
Access for mobile users IP address pool cannot overlap. However,
in some circumstances you cannot avoid having overlapping subnets;
Your organization has two WAN links that
you want to combine for a higher bandwidth throughput in a single
remote network location (an active/active WAN deployment).
You want to configure an overlapping subnet deployment by
design (for example, your organization uses the same network topology
and IP assignments across multiple retail locations).
Your organization has one fast WAN link and a slower WAN
link, and you want to add both of them to a remote network and designate
the WAN link for traffic based on the subnet or application. For
example, you might want to route all guest Wi-Fi traffic over one
WAN and all other traffic over the other WAN, or you might want
to send all web traffic over one WAN and all other traffic over
the other WAN.
You acquired a company that uses subnets that overlap with
your existing subnets you have in use.
allows you to onboard remote network locations with overlapping
subnets, as long as you select
network connections with overlapped subnets support outbound internet
only. Refer to the table in the following figure for more details. You
can bypass these limitations by configuring source NAT on the on-premise
Palo Alto Networks next-generation firewall (if present) or networking
device (router, switch, or SD-WAN device) that connects to the IPSec
tunnel used for the remote network connection with overlapped subnets.
you add a location with overlapping subnets, it has no effect on
locations that don’t use overlapping subnets; those sites retain
their existing functionality.