Routing

25 cards — 🟢 3 easy | 🟡 4 medium | 🔴 3 hard

🟢 Easy (3)

1. How do you view the routing table on a modern Linux system?

Answer: Use `ip route show` (iproute2). Legacy alternatives are `route -n` and `netstat -rn`.

Remember: "Routing table = GPS for packets." Each entry says: to reach network X, send via gateway Y on interface Z.

Example: `ip route show` displays the routing table. The "default via" entry is the gateway of last resort.

Fun fact: The `ip` command from iproute2 replaced `route` (from net-tools). On modern systems, `route` may not even be installed.

2. What is the default gateway and what happens if it is missing?

Answer: The default gateway handles all traffic that does not match a more specific route. If it is missing, the host can only communicate with directly-connected networks.

Remember: "Static = manual, Dynamic = automatic." Static routes are added with `ip route add`; dynamic routes are learned via OSPF, BGP, etc.

Gotcha: Static routes don't adapt to failures — if the next hop dies, traffic blackholes.

Analogy: The default gateway is like the exit door of a building — all traffic not addressed to someone inside the building goes through it.

3. What is longest prefix match in routing?

Answer: The kernel selects the most specific (longest prefix) matching route. A /24 route is preferred over a /8 route, which is preferred over the default route.

Remember: "Longest prefix wins." A /32 route beats a /24 route beats the default /0 route. More specific = higher priority.

Example: If routes exist for 10.0.0.0/8 and 10.0.1.0/24, traffic to 10.0.1.5 uses the /24.

Under the hood: The kernel uses a longest-prefix-match trie (radix tree) for fast route lookups, even with hundreds of thousands of routes.

🟡 Medium (4)

1. How do you add a persistent static route on a Debian/Ubuntu system?

Answer: Add `up ip route add <network> via <gateway>` to the interface stanza in /etc/network/interfaces, or use netplan/nmcli depending on the distribution.

Remember: "Gateway = next hop router." The default gateway handles all traffic that doesn't match a more specific route.

Example: `ip route add default via 192.168.1.1` sets the default gateway.

Gotcha: `ip route add` changes are lost on reboot. Use netplan (Ubuntu), nmcli (RHEL), or /etc/network/interfaces (Debian) for persistence.

2. What is the key difference between OSPF and BGP?

Answer: OSPF is an interior gateway protocol (link-state, fast convergence, used within an organization). BGP is an exterior gateway protocol (path-vector, slower convergence, used between autonomous systems and increasingly inside datacenters).

Gotcha: BGP misconfigurations can take down the internet — route leaks and hijacks are real threats.

Remember: "BGP = the routing protocol of the internet. Autonomous Systems peer via BGP."

Remember: "OSPF = within your network (interior). BGP = between networks (exterior)." OSPF converges fast, BGP is policy-rich.

3. Why does asymmetric routing cause problems with stateful firewalls?

Answer: Stateful firewalls track connections by seeing both directions of traffic. With asymmetric routing, the return path bypasses the firewall, so it drops the return traffic as it has no matching connection state.

Remember: "OSPF = Open Shortest Path First." It uses Dijkstra's algorithm to find the shortest path. Area 0 is the backbone.

Example: OSPF routers exchange link-state advertisements (LSAs) to build a topology map.

Debug clue: `tcpdump` on the firewall shows SYN packets but no SYN-ACK return — classic sign of asymmetric routing.

4. How do you implement policy-based routing on Linux?

Answer: Use `ip rule add` to create rules that match on source address, fwmark, or other criteria, and direct matching traffic to a custom routing table created with `ip route add ... table <table>`.

Gotcha: Asymmetric routing (different paths in/out) breaks stateful firewalls — they see only half the connection.

Remember: "traceroute shows the forward path only — the return path may differ."

Example: Route all traffic from 10.0.1.0/24 through a VPN: `ip rule add from 10.0.1.0/24 table vpn` + `ip route add default via 10.0.0.1 table vpn`.

🔴 Hard (3)

1. How do you identify and diagnose a blackhole route on Linux?

Answer: Run `ip route get <destination>` to see if the kernel selects a blackhole route, and `ip route show type blackhole` to list all blackhole routes. Symptoms are silent packet drops with no ICMP unreachable or TCP RST.

Debug clue: `ip route get <destination>` shows which route the kernel selects. If it says "blackhole," that's your problem.

2. How do CNI plugins like Calico program routing on Kubernetes nodes, and where do you look when pod connectivity breaks?

Answer: Calico adds per-pod /32 routes (or per-node CIDR routes for Flannel) to the node's routing table, typically via a tunnel interface. Check `ip route show` on the node — missing or stale routes from the CNI indicate plugin misconfiguration or a failed bird/routing daemon.

Under the hood: Calico uses BGP (yes, the internet routing protocol) to distribute pod routes between nodes. `calicoctl node status` shows BGP peer state.

3. An application cannot reach a remote network but local network traffic works fine. The default route exists and points to the correct gateway IP. What do you check next?

Answer: Check the ARP/neighbor table with `ip neigh show`. If the entry is INCOMPLETE or FAILED, the gateway is not responding to ARP — it may be down, on a different VLAN, or have a misconfigured IP. The route is correct but the next-hop is unreachable at L2.