Routing VLAN – How to Setup Routing for Two Companies with Different Internet Connections on the Same LAN


Here's the setup:

Two companies (A & B) share office space and a LAN. A 2nd ISP is brought in and company A wants its own Internet connection (ISP A) and company B wants its own Internet connection (ISP B).

VLANs are deployed internally to separate the two companies' networks (company A: VLAN 1, company B: VLAN 2, shared VOIP: VLAN 3).

With separate VLANs it's simple enough to use separate DHCP servers (or separate scopes on the same server) to assign the default gateway to each company's gateway for their Internet connection. Static routes can be created on each gateway to point traffic destined for the other company's VLAN or the voice VLAN so that all nodes are reachable as expected.

However, I think this is a form of asymmetrical routing, right? (The path from node A1 to node B1 is not the same as the path back from node B1 to node A1).

Can I set up policy-based routing to correct this? In that case, can I assign the same default gateway to every device on all VLANs and create a routing policy on a L3 switch to look at the source address and forward traffic to the appropriate next hop? In that case, I want the routing logic to go like this:

  1. If the destination address is known, forward the traffic (traffic destined for a different VLAN).
  2. If the destination address is unknown, forward the traffic to ISP A's gateway if the source address is on VLAN A; or forward the traffic to ISP B's gateway if the source address is VLAN B.

Am I thinking about this problem in the correct way? Is there another way to solve this problem that I am overlooking?

UPDATE

I tried Kyle's solution below and had some issues. Here are the relevant bits of my config (I'm testing this with a 2821 BTW):

interface GigabitEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/0.100
 description VoIP VLAN stub
 encapsulation dot1Q 100
 ip address 10.0.100.1 255.255.255.0
 no ip proxy-arp
!
interface GigabitEthernet0/0.110
 description RT VLAN stub
 encapsulation dot1Q 110
 ip address 10.0.110.1 255.255.255.0
 no ip proxy-arp
 ip policy route-map RT-out
!
interface GigabitEthernet0/0.120
 description TCI VLAN stub
 encapsulation dot1Q 120
 ip address 10.0.120.1 255.255.255.0
 no ip proxy-arp
 ip policy route-map TCI-out
!
interface GigabitEthernet0/1
 ip address 192.168.1.20 255.255.255.0
 no ip proxy-arp
 duplex auto
 speed auto
!
ip route 192.168.0.0 255.255.0.0 192.168.1.2
!
ip access-list extended match-RT-out
 permit ip 10.0.110.0 0.0.0.255 any
ip access-list extended match-TCI-out
 permit ip 10.0.120.0 0.0.0.255 any
!
route-map TCI-out permit 11
 match ip address match-TCI-out
 set ip next-hop 192.168.12.2
!
route-map RT-out permit 10
 match ip address match-RT-out
 set ip next-hop 192.168.11.2
!

And the output of show ip route:

     10.0.0.0/24 is subnetted, 4 subnets
C       10.0.1.0 is directly connected, GigabitEthernet0/0
C       10.0.110.0 is directly connected, GigabitEthernet0/0.110
C       10.0.100.0 is directly connected, GigabitEthernet0/0.100
C       10.0.120.0 is directly connected, GigabitEthernet0/0.120
C    192.168.1.0/24 is directly connected, GigabitEthernet0/1
S    192.168.0.0/16 [1/0] via 192.168.1.2

And here's the problem: It doesn't seem like my route-maps are working (well, I think they are matching, but they don't seem to be modifying the next-hop result). Output of debug ip policy for one ping to an external IP address:

*May  5 21:26:11.631: IP: s=10.0.120.100 (GigabitEthernet0/0.120), d=209.85.225.100, len 52, FIB policy match
*May  5 21:26:11.631: CEF-IP-POLICY: fib for address 192.168.12.2 is with flag 0
*May  5 21:26:11.631: IP: s=10.0.120.100 (GigabitEthernet0/0.120), d=209.85.225.100, len 52, FIB policy rejected - normal forwarding
*May  5 21:26:11.631: IP: s=10.0.120.100 (GigabitEthernet0/0.120), d=209.85.225.100, len 52, policy match
*May  5 21:26:11.631: IP: route map TCI-out, item 11, permit
*May  5 21:26:11.631: IP: s=10.0.120.100 (GigabitEthernet0/0.120), d=209.85.225.100, len 52, policy rejected -- normal forwarding

So you can see in that output that it looks like it matches, followed by an immediate FIB policy rejected - normal forwarding. I get back an ICMP Destination Host Unreachable from my router (10.0.120.1) in this case (when I've tried to ping 209.85.225.100).

This is getting long, but hopefully it explains where I'm having trouble.

Best Answer

Since they are different networks, you can just set up Source Based Routing using Policy based routing to route out different interfaces based on the source IP address of the outgoing packet.

For Cisco IOS it is basically the following (I think, untested) (F0/0 is the internal interface, 12.12.12.12 and 13.13.13.13 are your two IP gateways, you have two LANs 192.168.0.0/16 and 10.0.0.0/8):

interface FastEthernet0/0
 ip policy route-map foo-out

route-map foo-out permit 10
 match ip address match-foo-out
 set ip next-hop 12.12.12.12

route-map foo-out permit 11
 match ip address match-foo2-out
 set ip next-hop 13.13.13.13

ip access-list extended match-foo-out
 deny   ip 10.0.0.0 0.255.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any


ip access-list extended match-foo2-out
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip 10.0.0.0 0.255.255.255 any

If these are just Frame-Relay then set interface instead of next hop would be okay as well.

For your inter-company communication, you wouldn't really have to do anything but change those ACLs so they deny source and dest where it is the same company, i.e.: deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255. Also if these are two LAN interfaces maybe a different route map for each interface makes more sense or is required, this is just meant to be an example to push you in the right direction, hopefully :-)
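As an added illustration (not part of the question or the answer above, and not Cisco code), here is a small Python model of the route-map evaluation both posts are working with: wildcard ACLs, ordered permit sequences, and the answer's deny entries that keep inter-company traffic on normal forwarding. It also builds in one assumption the page does not state, namely that IOS honours `set ip next-hop` only when the next hop lies on a directly connected subnet, which is what the model uses to reproduce the "policy rejected" outcome seen in the question's debug output; the ACL tuples and the 192.168.11.0/24 test subnet are constructed for the example.

```python
from ipaddress import ip_address, ip_network

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, src, dst):
    """Extended ACL: first matching entry wins, implicit deny at the end."""
    for action, src_base, src_wc, dst_base, dst_wc in acl:
        if (wildcard_match(src, src_base, src_wc)
                and wildcard_match(dst, dst_base, dst_wc)):
            return action == "permit"
    return False

def policy_next_hop(route_map, connected, src, dst):
    """Evaluate route-map sequences in order and return (next_hop, reason)."""
    for acl, next_hop in route_map:
        if not acl_permits(acl, src, dst):
            continue
        # Assumed here: IOS applies "set ip next-hop" only when the hop is
        # adjacent; otherwise the packet falls back to normal forwarding.
        if any(ip_address(next_hop) in net for net in connected):
            return next_hop, "policy routed"
        return None, "policy rejected - next hop not directly connected"
    return None, "no match - normal forwarding"

ANY = ("0.0.0.0", "255.255.255.255")
# Constructed from the question's values; the deny entries follow the
# answer's advice to exclude traffic for the other internal VLANs from PBR.
RT_OUT = [("deny", "10.0.110.0", "0.0.0.255", "10.0.0.0", "0.0.255.255"),
          ("permit", "10.0.110.0", "0.0.0.255", *ANY)]
TCI_OUT = [("deny", "10.0.120.0", "0.0.0.255", "10.0.0.0", "0.0.255.255"),
           ("permit", "10.0.120.0", "0.0.0.255", *ANY)]
ROUTE_MAP = [(RT_OUT, "192.168.11.2"), (TCI_OUT, "192.168.12.2")]
# Connected subnets exactly as the question's "show ip route" lists them.
CONNECTED_AS_SHOWN = ("10.0.1.0/24", "10.0.100.0/24", "10.0.110.0/24",
                      "10.0.120.0/24", "192.168.1.0/24")

def decide(src, dst, connected=CONNECTED_AS_SHOWN):
    nets = [ip_network(n) for n in connected]
    return policy_next_hop(ROUTE_MAP, nets, src, dst)

if __name__ == "__main__":
    # The ping from the question: ACL matches, then PBR is rejected because
    # 192.168.12.2 is only reachable via the 192.168.0.0/16 static route.
    print(decide("10.0.120.100", "209.85.225.100"))
    # Inter-VLAN traffic hits the deny entry and is forwarded normally.
    print(decide("10.0.120.100", "10.0.110.5"))
```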