Re: Sub-Interface and SVI in C9500 - Page 2

Psmurali89 · ‎11-24-2022

Hi All

I got C9500 in stackwise virtual (2 switches in stack). Am looking to configure sub-interface (for eg, twe1/0/1.340 on VRF A) in one of the physical port that connects to ISP and SVI (for eg, vlan891 on VRF A) for other internal VLAN and configure as trunk in another port. Is this possible to have SVI and sub-interface on same switch?

Psmurali89 · ‎11-24-2022

Sorry it was typo. Yes it will be

encapsulation dot1q 340

MHM Cisco World · ‎11-24-2022

One more note :- the inter-VLAN can broke if not all VLAN in same VRF.

Psmurali89 · ‎11-24-2022

Yes, the VLAN's will be on same VRF as below.

The config looks like below:

!

interface twe1/0/1.340

description Link to ISP

encapsulation dot1q 340

vrf forwarding TEST

ip add 192.168.10.1 255.255.255.0

!

Interface vlan340

desc Link to Firewall

vrf forwarding TEST

ip add 192.168.255.1 255.255.255.0

!

interface twe1/0/2

Desc link to L2 switch

switchport mode trunk

switchport trunk allowed vlan 340

!

Giuseppe Larosa · ‎11-24-2022

Hello @Psmurali89 ,

I agree with @Deepak Kumar the routed L3 subinterface cannot stay on the same VLAN-number as the SVI you need to use a different value in the encapsulation dot1q <value>.

Hope to help

Giuseppe

Psmurali89 · ‎11-24-2022

Sorry its my typo.. am using those VLANs just an example so typed it wrong. Corrected as below.

The config looks like below:

!

interface twe1/0/1.340

description Link to ISP

encapsulation dot1q 340

vrf forwarding TEST

ip add 192.168.10.1 255.255.255.0

!

Interface vlan841

desc Link to Firewall

vrf forwarding TEST

ip add 192.168.255.1 255.255.255.0

!

interface twe1/0/2

Desc link to L2 switch

switchport mode trunk

switchport trunk allowed vlan 841

!

MHM Cisco World · ‎11-24-2022

You requirement can done by VRF for both SVI and ISP subinterface but in order to be sure I will run lab tonight and share with you the point that I dont link about VRF (with traffic capture)

but until that time I will share with you point
we use VRF to totally separate the traffic.
this in L3 is easy especial in PE MPLS Core.
but here we talk about enterprise campus and config VRF for SVI have this limit :-
1- traffic from VLAN 340 to other VLAN in switch is drop
since the VLAN 340 VRF have no idea about other VLAN
2- ISP will use only to forward traffic of VLAN 340 other VLAN can not use ISP to forward traffic

what is best, for my view using PBR with SET VRF is better, this way we keep SVI VLAN in global and if we want to use ISP we set the VRF under PBR.

I will update you after finish lab

Psmurali89 · ‎11-24-2022

Hi, All the VLAN's has default route to the relevant firewall context and the firewall does the routing/policy between VRF's.

The only reason am looking to do sub-interface the port that connects to ISP is because the system MTU in the switch is 9000 (in middle of migration so cant change MTU to 1500 at this time due to dependency on other legacy switches) but the ISP MTU has to be set to 1500. If i configure as SVI then in every VLAN (nearly 50 VLAN that connects to ISP) i have to manually set the MTU to 1500.. If i configure as sub-interface then I can set the main port MTU to 1500 so all other sub-interfaces will be automatically on same MTU.

MHM Cisco World · ‎11-24-2022

Note: You can configure the MTU size for all interfaces on a device at the same time using the global command "system mtu". Starting with Cisco IOS XE 17.1.1, Catalyst 9000 switches support Per-Port MTU. Per-Port MTU supports port level and port channel level MTU configuration. With Per-Port MTU you can set different MTU values for different interfaces as well as different port channel interfaces.

so start from IOS XE 17.1.1 per-port MTU is support.

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9500-series-switches/217233-troubleshoot-mtu-on-catalyst-9000-series.html