The C898EA has one WAN port which it treats as a routed port (G8) and has 8 switch ports (0 through 7).Subinterfaces are supported on routed ports and are not supported on switch ports. So the behavior you report is the correct behavior.

What were you planning to do with a subinterface on G0? If we knew what you are trying to achieve we might find a way that you can do it.

Hi Richard,

first of all thank you for your hint in respect to capabilities of my cisco switch.

I suppose that one picture can tell more than a thousand words. In the figure bellow you can see a physical topology of my network. I segmented my network in several vlans depending on use case e.g for home automation, surveillance or normal internet access for multimedia devices. Each of these vlans contains their own dhcp server with specified address range. e.g. vlan 20 was assigned to ip dhcp pool network with 20.20.20.0 /24 ip address range.  All devices within their networks received successfully ip addresses from their dhcp pools. Finally I did not manage to establish an inter-VLAN routing between specified networks e.g I needed an access from vlan 10 network device to vlan 20 and vlan 30 for maintaining purposes. Unfortunately I was not able to ping IPs from IP routing table corresponding devices. According to the cisco documentation the inter-VLAN routing can be achieved by determining sub interfaces for the main Gigabit Ethernet port. I set Gigabit Ethernet 0  interface as a trunking port in the trunk mode and allowed specified but this was not enough in order to reach devices in other vlan. The wan port (Gi I used for ISP (internet connection).          

Maybe you have an idea how configure inter-vlan routing for C898EA based on given topology. All non cisco managed switches supports IEEE 802.1Q networking standard.

Do inter-vlan in SW connect to router, 
config default route toward router and hence no need for inter-vlan in Router.

Thank you for the additional information. The diagram is particularly helpful. It shows clearly that the G0 interface connects to a switch and is configured as a trunk. If G0 were operating as a routed interface (layer 3 operations) then we would expect to have subinterfaces for the various vlans. But G0 is operating as a switch interface (layer 2 operations and configured for trunking). So what we expect is to have vlan interfaces for the various vlans carried on the trunk and with each vlan interface having an IP address in the appropriate subnet for that vlan. With the vlan interfaces and IP addresses each of the subnets would be recognized as a locally connected subnet and would automatically be included in the IP routing table. And routing between the vlans would happen automatically - no extra configuration required.

I tried to connect some devices directly to router ports and which were define as access ports with different vlans. That worked as you described. I did not have any issue to ping devices in another vlans which were in the different subnets. I suppose that my initial configuration was not done proper. This is a topology which I was trying to configure on my cisco router:

Frist aim:

My intention was to define one dhcp server (DMZ) with direct connection to wan port with NAT. On other hand vlan 10, 30,40,70 shall have a internet connection. vlan 20 shall not have access to the internet but shall be reached from vlan 10 and vlan 30.

second aim:

I would like also to be able to establish VPN connection from internet to vlan 20 and vlan 30.

My approach:

I thought that DHCP relay agent would be a proper solution for routing the right ip address to the right vlan ip device according to the topology int the figure. Finally I did not manage to bridge the vlan subnets.

What would be the best way to establish the topology shown int the figure?

There are some things about your diagram that are not clear to me. It seems to show multiple vlans going through vlan 200. But the configuration of G0 as a trunk carrying all vlans means that all vlans connect directly to the router and do not need to go through vlan 200. I am also puzzled about what you show for G6 which is marked as a trunk but seems to be marked as carrying only vlan 20.

Your description of restrictions of which vlans can access specific resources is probably achievable. If the router supports vrf then that could be a good way to isolate certain vlans. Otherwise access lists on the vlan interfaces on the router could enforce your restrictions.

I thought it is mandatory to determine the G0 port as a trunk in order to be able to send data packets to vlan 200 and the basic routing configuration shall be performed on vlan 200 interface. I suppose it was a sever mistake. The router do supports vrf and I will try to configure accordingly.

I dedicated G6 for surveillance appliances. My ip cams are connected via cascade two switches.

Hence I defined a trunk port and allowed  only vlan 20 in G6 interface 

What would be the best configuration choice for the G0? Accesses port connected to vlan 200 ? Do I need to configure DHCP relay agent int order to forward data packets from vlan 200 to other vlans?

so while I appreciate the explanation of what's happening, I am not entirely sure of what solution are you providing. so what's the solution?

In my previous post I suggested these solutions " If the router supports vrf then that could be a good way to isolate certain vlans. Otherwise access lists on the vlan interfaces on the router could enforce your restrictions.".