SD-WAN deployments require strict routing separation and support for overlapping IP subnets to meet regulatory requirements and accommodate complex network architectures. Enabling multiple virtual routers (VRs) in your SD-WAN deployment logically separates the routing infrastructure over SD-WAN overlays, which helps you to comply with regulations and maintain network segregation while utilizing overlapping IP subnets.

With this new functionality, you can run multiple instances of routing protocols on your multiple VRs when connecting to neighboring routers. Those VRs can now use overlapping address spaces and still successfully route traffic to the appropriate destination based on the virtual router ID (VR-ID) associated with each virtual router. This provides you with the flexibility to maintain multiple segregated VRs for each connection.

To enable multiple virtual routers on an SD-WAN branch, you must first configure multiple virtual routers on the SD-WAN hub to which these branches connect. You can configure a maximum of 20 virtual routers on an SD-WAN branch. However, the maximum number of virtual routers varies based on the Palo Alto Networks Next-Generation Firewalls you use in your deployment.

This illustration contains three SD-WAN branches, each configured with two virtual routers. When you enable support for multiple VRs on the SD-WAN branches, those three branches connected to the same SD-WAN hub can use overlapping IP subnets or belong to different devices. In this configuration, these SD-WAN branches can function independently because the branch traffic goes to different virtual routers.