Thank you. Just read through the link and I don't think there is any limitation on that switch. Also the switch model I got supports sub-interface. 

Sure plan as per the requirement 1 step at a time if you looking to on live device.

yes so if i have sub interface on port 1 (for eg, twe1/0/1.340 on VRF Test) and an SVI (for eg, VLAN891 on VRF Test) which will be attached to another port as trunk (for eg, in port Twe1/0/2 as trunk port which goes to another L2 switch where firewall is connected). 

meaning your ISP link and SVI in same VRF that great, there is no problem with this config. 

Note:- keep notice when you config ISP with specific VRF then any new SVI you want to forward it traffic through ISP must be in same VRF. 

Hi, 

No, I mean sub interface on port 1 (for eg, twe1/0/1.340 on VRF A) and an SVI (for eg, VLAN891 on VRF A) which will be attached to another port as trunk (for eg, in port Twe1/0/2 as trunk port which goes to another L2 switch where firewall is connected). 

Will it work as above? 

Subinterfaces are not supported on StackWise Virtual Link (SVL) 

so option 1 is gone (sub interface on port 1 (for eg, twe1/0/1.340 on VRF A) )

2nd is possible (another port as trunk (for eg, in port Twe1/0/2 as trunk port which goes to another L2 switch where firewall is connected). 

https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/switches/lan/catalyst9500/software/release/16-10/configuration_guide/vlan/b_1610_vlan_9500_cg/configuring_layer_3_subinterfaces.html.xml

Think there is some misunderstanding, I didnt mean to sub interface the stackwise virtual?

I meant to sub-interface the port that connects to ISP which is port1.. The stackwise virtual is on different port(s).  

The config looks like below:

!

interface twe1/0/1.340

description Link to ISP

vrf forwarding TEST

ip add 192.168.10.1 255.255.255.0

!

Interface vlan340

desc Link to Firewall

vrf forwarding TEST

ip add 192.168.255.1 255.255.255.0

!

interface twe1/0/2

Desc link to L2 switch

switchport mode trunk

switchport trunk allowed vlan 340

!

interface twe1/0/23

desc stackwise virtual

!

what is the use case here for the port connected to ISP required another sub interface ? why ?

we generally do sub interface required, where other side trunk ..required more vlan required to pass.

if the ISP support trunk, why not make physical interface as trunk and allowed VLAN required in the trunk

create vlan x VRFX vlan y VRF Y so on - is that works ?

The only reason am looking to do is because the system MTU in the switch is 9000 (in middle of migration so cant change MTU to 1500 at this time due to dependency on other legacy switches) but the ISP MTU has to be set to 1500. If i configure as SVI then in every VLAN (nearly 50 VLAN that connects to ISP) i have to manually set the MTU to 1500.. If i configure as sub-interface then I can set the main port MTU to 1500 so all other sub-interfaces will be automatically on same MTU. 

Yes, it will work like this:

interface twe1/0/1.340
description Link to ISP
encapsulation dot1q 341 <<<<<=== different VLAN ID
vrf forwarding TEST
ip add 192.168.10.1 255.255.255.0

Sub-interface ID is not an actual VLAN ID.  Encapsulation needs to define as VLAN but it can't be the same as other SVI. 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-12/configuration_guide/vlan/b_1612_vlan_9300_cg/configuring_layer_3_subinterfaces.pdf