Here's the setup:
Two companies (A & B) share office space and a LAN. A 2nd ISP is brought in and company A wants its own Internet connection (ISP A) and company B wants its own Internet connection (ISP B).
VLANs are deployed internally to separate the two companies' networks (company A: VLAN 1, company B: VLAN 2, shared VOIP: VLAN 3).
With separate VLANs it's simple enough to use separate DHCP servers (or separate scopes on the same server) to assign the default gateway to each company's gateway for their Internet connection. Static routes can be created on each gateway to point traffic destined for the other company's VLAN or the voice VLAN so that all nodes are reachable as expected.
However, I think this is a form of asymmetrical routing, right? (The path from node A1 to node B1 is not the same as the path back from node B1 to node A1).
Can I set up policy-based routing to correct this? In that case, can I assign the same default gateway to every device on all VLANs and create a routing policy on a L3 switch to look at the source address and forward traffic to the appropriate next hop? In that case, I want the routing logic to go like this:
- If the destination address is known, forward the traffic (traffic destined for a different VLAN).
- If the destination address is unknown, forward the traffic to ISP A's gateway if the source address is on VLAN A; or forward the traffic to ISP B's gateway if the source address is VLAN B.
Am I thinking about this problem in the correct way? Is there another way to solve this problem that I am overlooking?
UPDATE
I tried Kyle's solution below and had some issues. Here are the relevant bits of my config (I'm testing this with a 2821, BTW):
interface GigabitEthernet0/0
ip address 10.0.1.1 255.255.255.0
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0.100
description VoIP VLAN stub
encapsulation dot1Q 100
ip address 10.0.100.1 255.255.255.0
no ip proxy-arp
!
interface GigabitEthernet0/0.110
description RT VLAN stub
encapsulation dot1Q 110
ip address 10.0.110.1 255.255.255.0
no ip proxy-arp
ip policy route-map RT-out
!
interface GigabitEthernet0/0.120
description TCI VLAN stub
encapsulation dot1Q 120
ip address 10.0.120.1 255.255.255.0
no ip proxy-arp
ip policy route-map TCI-out
!
interface GigabitEthernet0/1
ip address 192.168.1.20 255.255.255.0
no ip proxy-arp
duplex auto
speed auto
!
ip route 192.168.0.0 255.255.0.0 192.168.1.2
!
ip access-list extended match-RT-out
permit ip 10.0.110.0 0.0.0.255 any
ip access-list extended match-TCI-out
permit ip 10.0.120.0 0.0.0.255 any
!
route-map TCI-out permit 11
match ip address match-TCI-out
set ip next-hop 192.168.12.2
!
route-map RT-out permit 10
match ip address match-RT-out
set ip next-hop 192.168.11.2
!
And the output of show ip route:
10.0.0.0/24 is subnetted, 4 subnets
C 10.0.1.0 is directly connected, GigabitEthernet0/0
C 10.0.110.0 is directly connected, GigabitEthernet0/0.110
C 10.0.100.0 is directly connected, GigabitEthernet0/0.100
C 10.0.120.0 is directly connected, GigabitEthernet0/0.120
C 192.168.1.0/24 is directly connected, GigabitEthernet0/1
S 192.168.0.0/16 [1/0] via 192.168.1.2
And here's the problem: It doesn't seem like my route-maps are working (well, I think they are matching, but they don't seem to be modifying the next-hop result). Output of debug ip policy for one ping to an external IP address:
*May 5 21:26:11.631: IP: s=10.0.120.100 (GigabitEthernet0/0.120), d=209.85.225.100, len 52, FIB policy match
*May 5 21:26:11.631: CEF-IP-POLICY: fib for address 192.168.12.2 is with flag 0
*May 5 21:26:11.631: IP: s=10.0.120.100 (GigabitEthernet0/0.120), d=209.85.225.100, len 52, FIB policy rejected - normal forwarding
*May 5 21:26:11.631: IP: s=10.0.120.100 (GigabitEthernet0/0.120), d=209.85.225.100, len 52, policy match
*May 5 21:26:11.631: IP: route map TCI-out, item 11, permit
*May 5 21:26:11.631: IP: s=10.0.120.100 (GigabitEthernet0/0.120), d=209.85.225.100, len 52, policy rejected -- normal forwarding
So you can see in that output that it looks like it matches... followed by an immediate "FIB policy rejected - normal forwarding". I get back an ICMP Destination Host Unreachable from my router (10.0.120.1) in this case (when I've tried to ping 209.85.225.100).
This is getting long, but hopefully it explains where I'm having trouble.
Since they are different networks, you can just set up Source Based Routing using Policy based routing to route out different interfaces based on the source IP address of the outgoing packet.
For Cisco IOS it is basically the following (I think, untested) (F0/0 is the internal interface, 12.12.12.12 and 13.13.13.13 are your two IP gateways, and you have two LANs, 192.168.0.0/16 and 10.0.0.0/8):
If these are just Frame-Relay, then setting the interface instead of the next hop would be okay as well.
For your inter-company communication, you wouldn't really have to do anything but change those ACLs so they deny source and destination where it is the same company, i.e.: deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255. Also, if these are two LAN interfaces, maybe a different route map for each interface makes more sense or is required; this is just meant to be an example to push you in the right direction, hopefully :-)