VRF Service Link Multiplexing

Where Can I Use This?	What Do I Need?
Prisma SD-WAN (Managed by Strata Cloud Manager)	Prisma SD-WAN

Prisma SD-WAN supports VRF Service Link Multiplexing. This feature enables users on custom VRF LANs to access internet applications via cloud-based security (Prisma Access) over Global Service Links. The process is fully automated, eliminating the need for manual static route leak rules.

Problem Statement

Previously, accessing internet applications through Prisma Access from different VRFs required either manual route leaks or a dedicated service link per VRF. These deployments were often complex and frequently caused session integrity issues because return packets lacked the necessary VRF context to reach their destination.

Solution

Prisma SD-WAN now treats service link interfaces as implicit leak interfaces. This shift provides several key advantages.

• Policy-Driven Routing: Path policies determine exactly which traffic should be routed via Prisma Access.
• Stateful VRF Awareness: The Prisma SD-WAN ION device maintains the VRF context for every flow.
• Automated Return Path: Return traffic is automatically mapped back to the correct VRF-enabled LAN interface.
• Zero Manual Overhead: Ensures seamless connectivity without the need for any manual route-leak rules.

Supported Use Cases

This feature supports Branch (Spoke) SD-WAN LAN-to-WAN initiated traffic flows.

Data Center deployments and WAN-to-LAN initiated flows are not supported.

• Native Path Preference: Custom VRF traffic prioritizes its native Custom VRF Service Link.
• Global VRF Fallback: Traffic uses a Global VRF Service Link if the native Custom VRF Service Link is unavailable.
• Global VRF Failover: Traffic fails over to an alternate Global VRF Service Link if the active link becomes unreachable.
• DIA Coexistence: Route one Custom VRF over a multiplexed Service Link while simultaneously routing another VRF directly to the internet (DIA).

Deployment Constraints

• Specific Prefix Steering: To steer traffic from a Custom VRF to specific prefixes within the Global VRF, configure manual route leaks.
• Custom VRF to Custom Service Link: Implicit leak automation does not apply when routing traffic from a Custom LAN VRF to a Custom Service Link VRF. A one-way route leak from the Service Link back to the LAN VRF is required.

Verify and Troubleshoot

Use the Prisma SD-WAN CLI to verify implicit leaks and inspect connection marks.

1. Identify implicit leaks for a specific prefix.

   dump routing prefix-reachability prefix=<IP> vni=<VNI>

2. Verify that implicit-leak appears under the Sub-Type column for public-svclink interfaces.
3. Inspect connections filtered by the mark (encoded with VNI).figure.

   inspect connection mark=<mark_value>

   The mark value (for example, 25600) is an encoded representation of the VNI, not the raw VNI ID.
4. (Optional) Clear specific VRF multiplexed flows:

   clear connection mark=<mark_value>

   This action impacts service for all matching connections.
5. Verify that the kernel applies the encoded VNI to the connection.

   conntrack -L | grep <port>

   Confirm the mark= field contains the expected value.