1080*80 ad
Home » Blog » Advanced iproute2: Policy Routing, Multipath Routing, and VRFs

Advanced iproute2: Policy Routing, Multipath Routing, and VRFs

Benhcmark Administrator Benhcmark Administrator
23/11/2025
0 Views 0
Advanced iproute2: Policy Routing, Multipath Routing, and VRFs

A Deep Dive into iproute2: Mastering Policy Routing, Multipath, and VRFs

The days of relying on ifconfig and route for network configuration are long behind us. For modern Linux systems, the iproute2 suite is the definitive toolset for managing network interfaces, IP addresses, and routing tables. While many administrators are familiar with basic commands like ip addr and ip route, the true power of iproute2 lies in its advanced capabilities.

These advanced features allow you to build sophisticated, resilient, and secure network topologies that were once the exclusive domain of expensive, dedicated hardware. In this guide, we will explore three of the most powerful concepts you can implement with iproute2: Policy-Based Routing (PBR), Multipath Routing, and Virtual Routing and Forwarding (VRFs).

Beyond Destination: An Introduction to Policy-Based Routing

Standard routing is simple: the kernel looks at a packet’s destination IP address, consults a single main routing table, and forwards it to the next hop. Policy-Based Routing (PBR), however, breaks this mold by allowing you to make routing decisions based on a wider set of criteria, or “policies.”

With PBR, you can direct traffic based on:

  • The source IP address
  • The incoming network interface
  • The protocol (TCP, UDP, etc.)
  • Source or destination ports
  • Packet markings (fwmark)

This flexibility is incredibly useful in complex network environments. A common use case is a server with two internet connections (multi-homed). You might want regular user traffic to go out one ISP, while traffic from a specific application or server goes out the other for performance or billing reasons.

The Core Components: Rules and Tables

PBR in Linux is built on two key components: multiple routing tables and a ruleset that directs the kernel to use a specific table. By default, Linux uses the main table, but you can create and populate many others.

Here’s a practical example: Imagine a server at 192.168.1.100 needs to use a secondary internet connection via gateway 10.10.10.1 on interface eth1, while all other traffic uses the primary gateway.

  1. Define a New Routing Table:
    First, give your new table a name for easy reference by editing the /etc/iproute2/rt_tables file. Add a line like this:

    100   isp2

  2. Add a Route to the New Table:
    Next, add a default route to this new table that points to your secondary gateway. Notice the table isp2 argument.

    ip route add default via 10.10.10.1 dev eth1 table isp2

  3. Create a Rule to Use the Table:
    Finally, create a rule that tells the kernel: “Any traffic coming from the IP address 192.168.1.100 should use the routing table named isp2.”
    bash
    ip rule add from 192.168.1.100 lookup isp2

Now, all traffic originating from 192.168.1.100 will be routed through 10.10.10.1, while all other traffic on the system will ignore this rule and use the default main routing table.

Boost Your Network with Multipath Routing

What if you want to use two internet connections simultaneously for increased bandwidth and automatic failover? This is the purpose of Equal-Cost Multipath (ECMP) routing. Multipath routing allows you to define multiple next-hop gateways for the same destination.

When the kernel has multiple paths to a destination, it will spread the traffic across them, providing both load balancing and redundancy. If one of the links fails, the kernel will automatically stop sending traffic down that path, creating a highly resilient connection.

Setting up a default multipath route is surprisingly simple. You just specify multiple nexthop options in a single ip route command.

ip route add default \
nexthop via 192.168.1.1 dev eth0 weight 1 \
nexthop via 10.10.10.1 dev eth1 weight 1

In this command:

  • nexthop: This keyword defines one of the possible paths.
  • weight: This parameter allows you to influence how traffic is balanced. A link with a weight of 2 will receive roughly twice as much traffic as a link with a weight of 1.

It’s important to understand that this is typically per-flow, not per-packet balancing. The kernel hashes source/destination IPs and ports to decide which path a specific connection (or flow) will take. This ensures all packets for a single TCP session follow the same path, preventing out-of-order packet issues.

Network Segmentation on a New Level: Understanding VRFs

Virtual Routing and Forwarding (VRF) is a powerful feature for creating isolated routing domains within a single Linux instance. Think of VRFs as “VLANs for your routing tables.” Each VRF operates as a self-contained virtual router with its own set of interfaces, routing tables, and rules.

This is essential for security and multi-tenancy. You can use VRFs to:

  • Completely separate traffic from different customers on the same physical server.
  • Isolate a management network from production application traffic.
  • Create distinct development, testing, and production environments on one machine.

Interfaces assigned to a VRF can only communicate with other interfaces in the same VRF or through explicitly configured routes that cross VRF boundaries.

Implementing a VRF in Linux

Let’s set up a basic VRF named vrf-blue to isolate the eth1 interface.

  1. Create the VRF Device:
    A VRF is a virtual network device. You create it and associate it with a unique routing table ID (e.g., table 100).

    ip link add vrf-blue type vrf table 100

  2. Bring the VRF Up:
    Just like any other interface, you need to enable it.

    ip link set vrf-blue up

  3. Assign an Interface to the VRF:
    This is the key step. By making eth1 a member of vrf-blue, you move it into that isolated routing domain.

    ip link set eth1 master vrf-blue

  4. Configure Networking within the VRF:
    From this point on, any configuration for eth1 must be performed within the context of the VRF. You can no longer configure it directly. Notice the use of the -n vrf-blue or netns vrf-blue option to specify the network namespace.
    bash
    ip -n vrf-blue addr add 10.20.30.10/24 dev eth1
    ip -n vrf-blue route add default via 10.20.30.1

To see the IP addresses or routing table for the vrf-blue domain, you must use the same -n vrf-blue syntax. Running ip route without it will only show the default main table, not the routes inside your VRF.

Putting It All Together: Why iproute2 Matters

By mastering Policy-Based Routing, Multipath Routing, and VRFs, you elevate your network management skills far beyond the basics. These iproute2 capabilities allow you to build robust, efficient, and highly secure network configurations directly within the Linux kernel. Whether you’re managing a single critical server or a complex virtualized environment, these tools provide the power and flexibility needed to meet any networking challenge.

Source: https://linuxhandbook.com/courses/networking-scale/advanced-iproute2/

900*80 ad

Related Articles
      1080*80 ad
      About Hosterdojo

      Hosterdojo reviews server performance, network capabilities, and other related benchmarks. If you are a provider interested in submitting your VPS products, feel free to reach out to me.

      Email: [email protected]
      Telegram Channel: https://t.me/hosterdojo

      Follow

      Useful Link

      Girl in a jacket