Routing and VRFs

In SD-WAN, routing is handled through a combination of VRFs, routes, and nexthops to create flexible network routing configurations.

VRFs provide logical separation of routing tables within a node. Each interface can be assigned a VRF, which determines which table will be used to route or forward traffic. Routes are always associated with a specific VRF, meaning they only apply to traffic entering through interfaces assigned to that VRF.

Routes define destination networks and specify how traffic should be forwarded using nexthops. Each route has:

  • A destination network

  • One or more nexthops (ordered by preference)

  • A VRF assignment

Nexthops are the forwarding waypoints within routes, determining where traffic should be sent next. They come in four types (peer, interface, gateway, and blackhole) with different forwarding behaviors. Multiple nexthops per route enable automatic failover based on their preference values.

Here’s how they work together:

graph { rankdir=LR; fontname="Arial"; splines=ortho; bgcolor="transparent"; nodesep=0.5; ranksep=0.5; node [ shape=box, style="filled,rounded", fontname="Arial", fontsize=12 ]; edge [ penwidth=1.5, fontname="Arial", fontsize=10 ]; subgraph cluster_vrf { label="VRF Red"; style="filled,rounded"; fillcolor="#FFE0E0"; color="#C0392B"; route [style="filled", label="Route\n10.1.1.0/24", fillcolor="#FFF2F2"]; nh1 [label="Nexthop (Peer 1)\nPreference: 500", fillcolor="#FEF9E7"]; nh2 [label="Nexthop (Peer 2)\nPreference: 400", fillcolor="#FEF9E7"]; } interface [label="Interface\neth0", fillcolor="#FFFFFF", color="666666"]; destination [label="Destination\n10.1.1.0/24", fillcolor="#FFFFFF", color="666666"]; interface -- route [label="Traffic enters\nvia interface"]; route -- nh1 [label="\nActive", weight=5]; route -- nh2 [style=dashed, label="\n\n\nBackup", weight=3]; nh1 -- destination [label="Traffic is\nforwarded\nvia peer\n\n"]; nh2 -- destination [style=dashed]; }

  1. Traffic enters through an interface assigned to a VRF (“VRF Red” in this example)

  2. The routing table for that VRF is consulted, matching the destination host address to the longest prefix match

  3. The route selects the highest-priority available nexthop (“Peer 1” in this case)

  4. Traffic is forwarded according to the nexthop’s type (through the peer tunnel)

If the primary nexthop becomes unavailable, traffic automatically fails over to the secondary nexthop (“Peer 2” in this case). This combination of VRFs for segmentation, routes for destination matching, and nexthops for forwarding provides flexible routing control in SD-WAN.

For more information on each component, as well as routing command line tools, consult the following links: