Can you make a recommendation for a switch-based L3 router which can
- hold a moderate number of routes (interface routes, a few hundred statics + default)
- OSPF and BGP
- 1024 layer-3 dot1q subinterfaces (or maybe VLAN interfaces), plus traffic policing in and out per subinterface/VLAN
- IPv4 & IPv6 native
- 2x GigE ports
- Not tip over under a 1 Gbps DDoS towards a VLAN interface.
I've been using 3560Gs, but they seem to lack output traffic policing. I'd prefer to have subinterfaces which don't run spanning-tree, versus VLAN interfaces on a trunk interface which runs spanning-tree. These switches sit at the L3 boundary between two L2 networks.
Cost is a big factor, but I also must carry vendor licenses and a support contract if the vendor asserts that not doing so is illegal in the US.
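As an added illustration (not part of the original post), this is the shape of a per-subinterface configuration that meets the policing and dual-stack points in the list above, written in Cisco IOS MQC syntax. The VLAN IDs, addresses (RFC 5737 / RFC 3849 documentation ranges), AS numbers and rate values are placeholders. Whether `service-policy output` with `police` is accepted on a dot1q subinterface is platform-dependent (the 3560G limitation mentioned above is exactly this), so check it on the target hardware before buying.

```cisco
! --- global: dual-stack routing (placeholder values throughout) ---
ipv6 unicast-routing
!
! --- per-subinterface policer: class-default matches all traffic ---
! cir is in bits/sec, bc in bytes; 100 Mbps with ~0.25 s burst assumed
policy-map PM-POLICE-100M
 class class-default
  police cir 100000000 bc 3125000 conform-action transmit exceed-action drop
!
! --- parent trunk port: no address, no STP participation on subinterfaces ---
interface GigabitEthernet0/1
 no ip address
 no shutdown
!
! --- one of the (up to 1024) layer-3 dot1q subinterfaces ---
interface GigabitEthernet0/1.101
 encapsulation dot1Q 101
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:0:101::1/64
 ipv6 ospf 1 area 0
 service-policy input PM-POLICE-100M
 service-policy output PM-POLICE-100M
!
! --- routing: OSPFv2/OSPFv3 for interface routes, BGP for the rest ---
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
!
ipv6 router ospf 1
!
router bgp 64496
 neighbor 192.0.2.254 remote-as 64497
 neighbor 2001:db8:0:101::fe remote-as 64497
 address-family ipv4
  neighbor 192.0.2.254 activate
 address-family ipv6
  neighbor 2001:db8:0:101::fe activate
!
! --- control-plane policing: the part that keeps the box up under a
! --- flood aimed at the VLAN interface address itself (punted ICMP here;
! --- assumed supported on the target platform, rate is a placeholder)
ip access-list extended ACL-COPP-ICMP
 permit icmp any any
!
class-map match-all CM-COPP-ICMP
 match access-group name ACL-COPP-ICMP
!
policy-map PM-COPP
 class CM-COPP-ICMP
  police cir 64000 bc 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PM-COPP
```

The interface policers bound forwarded traffic per VLAN; they do nothing for packets the ASIC punts to the CPU (ARP/ND, ICMP to the interface address, TTL-expired), which is what usually "tips over" a switch-router under a flood at its own VLAN interface. That is why the control-plane policy is shown alongside them.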
For the "budget end", I'm using a pair of Catalyst 4506s with Sup IV (WS-X4515), a bonded 6xGigE uplink (WS-X4306-GB=) and a bonded 6xGigE 802.1q downlink (WS-X4306-GB=) to a stack of six 48-port L2 GigE switches. The switches at this installation carry Internet traffic, but also SAN and other higher-rate traffic.
The specs on the 4506 + Sup IV claim support for 48 Mpps, which would be about 20 Gbps of DoS attack traffic (at 52-byte packets). However, I have not tested this, and typical traffic through the L3 router is sub-gigabit in this application. The bonded GigE is used only to handle smaller DoS attacks until ACLs can be applied upstream. Cost for a pair of these routers is about $3.5k + $3k/yr maintenance contract.
In many situations, you would prefer to use a pair of chassis switch/routers, rather than a separate L3 router and L2 switching network. I am also using pairs of C6509s + Sup720 + 3BXL, plus 6x WS-X6548-GE-TX per chassis, costing about $76k per pair + $6k/year maintenance contract.