Virtual Routing and Forwarding

Citrix SD-WAN uses VRF to segment networks for better security and manageability. For example, you can separate guest network traffic from employee traffic, create distinct routing domains to segment large corporate networks, and segment traffic to support multiple customer networks. Each routing domain has its own routing table, which allows overlapping IP subnets to be supported.

Citrix SD-WAN appliances implement OSPF and BGP routing protocols for the routing domains to control and segment network traffic.

A Virtual Path can communicate using all routing domains regardless of the definition of the access point. This is possible because SD-WAN encapsulation includes the routing domain information for the packet, so both end networks know which routing domain the packet belongs to. It is not necessary to create a WAN Link or an Access Interface for each routing domain.
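The following sketch is an added illustration of the idea above, not Citrix code and not how SD-WAN is implemented: each routing domain keeps its own table, and the domain tag carried with the packet selects which table is consulted, so overlapping subnets resolve independently. The class, function, domain and interface names are constructed for the example.

```python
import ipaddress


class RoutingDomainTables:
    """One routing table per routing domain, with longest-prefix-match lookup."""

    def __init__(self):
        self._tables = {}  # domain name -> list of (network, next_hop)

    def add_route(self, domain, prefix, next_hop):
        net = ipaddress.ip_network(prefix)
        self._tables.setdefault(domain, []).append((net, next_hop))

    def lookup(self, domain, dst):
        """Resolve dst only inside the named domain; never fall back to another."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, hop) for net, hop in self._tables.get(domain, [])
                   if addr in net]
        if not matches:
            return None  # no route in this domain: drop rather than leak across
        # Longest prefix wins among routes of the same domain.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(tables, packet):
    """Use the routing domain tag carried with the packet to pick the table."""
    return tables.lookup(packet["routing_domain"], packet["dst"])


def build_sample():
    """Constructed sample: Guest and Employee reuse the same 10.1.0.0/16 space."""
    t = RoutingDomainTables()
    t.add_route("Employee", "10.1.0.0/16", "vif-employee")
    t.add_route("Employee", "10.1.5.0/24", "vif-employee-lab")
    t.add_route("Guest", "10.1.0.0/16", "vif-guest")
    return t


if __name__ == "__main__":
    tables = build_sample()
    for domain in ("Employee", "Guest"):
        pkt = {"routing_domain": domain, "dst": "10.1.5.7"}
        print(domain, "->", forward(tables, pkt))
```

The same destination address yields a different next hop per domain, and a destination with no route in the packet's own domain is not resolved through any other domain's table.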

Consider the following points when configuring the VRF functionality:

  • By default, routing domains are enabled on an MCN.
  • Routing domains are enabled on the Branch sites.
  • Each enabled routing domain should have a virtual interface and virtual IP associated with it.
  • Routing selection is part of all the following configurations:
    • Interface group
    • Virtual IP
    • GRE
    • WAN Link -> Access Interface
    • IPsec tunnels
    • Routes
    • Rules
  • Routing domains are exposed in the web interface configuration only when multiple domains are created.
  • For a Public Internet link, only one primary and one secondary access interface can be created.
  • For a Private Intranet/MPLS link, one primary and one secondary access interface can be created per routing domain.
