Virtual Routers Overview
A security device can divide its routing component into two or more virtual routers. A virtual router supports static routing, dynamic routing protocols, and multicast protocols, which you can enable simultaneously in one virtual router. A security device can contain the following types of virtual routers (VRs):
Predefined Virtual Routers—Each security device contains two predefined virtual routers:
trust-vr—By default, contains all predefined security zones and any user-defined zones.
untrust-vr—By default, does not contain any security zones.
You cannot delete the trust-vr or untrust-vr predefined virtual routers.
Custom Virtual Routers—On some security devices, you can create and configure additional custom virtual routers.
You can define multiple VRs, but trust-vr is the default VR. All predefined and custom security zones (and all interfaces bound to those security zones) are bound to the trust-vr virtual router. To bind a security zone to the untrust-vr or to a custom VR, you must first unbind all interfaces from the zone. For a virtual system (vsys), you can select a virtual router to be the default router for the vsys.
The management virtual router supports out-of-band management and segregates firewall management traffic away from production traffic. The feature is disabled by default and you can enable it by setting a virtual router.