I finally got this working, without any need for creating VLANs or SVIs. I simply specified "no routing; vlan access 1" for all the interfaces EXCEPT for the interface to the firewall, which is the route in/out of the switch, and then added the IPs of all my subnets to VLAN 1:
The switch is now routing all traffic on all interfaces between all 6 subnets, and forwarding to the default route for any traffic not in those subnets.
Original Message:
Sent: Dec 09, 2025 06:52 AM
From: parnassus
Subject: Routing 6 class C subnets on a CX8100
Hi, all the VLANs are down because, for each of them, there isn't an interface (in the Up state) that is a member of that particular VLAN (indeed, the "no_member_port" Reason is reported for the "down" Status): you need, for example, the physical interface 1/1/1 to be configured as part of a VLAN, and the same for 1/1/2.
For example, say you want 1/1/1 to be part of VLAN 63 and 1/1/2 to be part of VLAN 67; then you need to configure the PVID (Port VLAN ID), called the Native VLAN (and Native here is generally associated with untagging), for those two ports in this way:
interface 1/1/1
    vlan access 63
and
interface 1/1/2
    vlan access 67
Doing so, the edge device connected to interface 1/1/1 is supposed to be addressed with an IP address within the 128.143.63.0/24 subnet, being unaware that (internally to the Switch it is connected to) its traffic belongs to VLAN ID 63 (and travels untagged from/to the Switch to/from the edge device), and with that association its traffic will be managed by the Switch. The same goes for interface 1/1/2: the connected edge device, VLAN unaware, is supposed to be addressed with an IP address within the 128.143.67.0/24 subnet, being unaware that (internally to the Switch it is connected to) its traffic belongs to VLAN ID 67 (and travels untagged from/to the Switch to/from the edge device), and with that association its traffic will be managed by the Switch. This mode of operation is called "Access mode" because the edge devices are (VLAN unaware) access devices for the Switch.
An interface (logical or physical) can't be a (Native) member of more than one VLAN ID; in other words, its membership as an untagged member can be in one VLAN ID at a time. BUT this doesn't stop you from letting that very interface be part of many more VLAN IDs; those additional VLAN IDs are tagged (and the traffic will travel tagged from/to the Switch to/from the edge device, so the edge device can't be unaware of its "VLAN membership" in this case). So: one VLAN untagged and more VLANs tagged. This mode of operation is called "Trunk mode" and can be seen, for example, in this configuration:
interface 1/1/3
    no shutdown
    no routing
    vlan trunk native 1000
    vlan trunk allowed 1000, 1010, 1020, 1030, etc. (1000 is Native Untagged, 1010, 1020, 1030 and so on are additional Tagged)
Typically the above "Trunk mode" is used when a (physical or logical) Switch interface needs to connect to an edge device (a peer: another Switch, a device or a Server) and transport of many different VLANs needs to be achieved.
Another configuration could be (no untagged VLAN, only tagged):
interface 1/1/3
    no shutdown
    no routing
    vlan trunk native 1000 tag
    vlan trunk allowed 1000, 1010, 1020, 1030, etc. (1000 is Native Tagged, 1010, 1020, 1030 and so on are additional Tagged)
Typically used when NO Untagged membership is required (the same could be done also when operating in "Access mode" but, if so, the edge device needs to be VLAN aware necessarily and its interface needs to support VLAN Id tagging).
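The membership check described in the reply above, as an added example that is not part of the thread: a Python sketch that reads AOS-CX-style configuration text and lists the VLANs that have no member port. The sample config is constructed (modeled on the one posted in the thread, with ports 1/1/3 and 1/1/4 added here), the function names are hypothetical, and only the `vlan access` and `vlan trunk` forms quoted in the thread are parsed.

```python
import re

# Constructed sample: modeled on the running config in the thread, with
# ports 1/1/3 (access) and 1/1/4 (trunk) added to show VLAN membership.
SAMPLE_CONFIG = """\
vlan 1
vlan 63
vlan 67
vlan 69
interface 1/1/1
    no shutdown
interface 1/1/3
    no routing
    vlan access 67
interface 1/1/4
    no routing
    vlan trunk native 1
    vlan trunk allowed 1,69
interface vlan 63
    ip address 128.143.63.1/24
"""

def expand(spec):
    """Expand a VLAN list such as '1000,1010-1012' into a set of IDs."""
    ids = set()
    for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", spec):
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def vlan_members(config):
    """Return {vlan_id: [member ports]} for every VLAN named in config."""
    members, port = {}, None
    for line in config.splitlines():
        if line and not line[0].isspace():           # top-level statement
            port = None
            if m := re.fullmatch(r"vlan (\d+)", line):
                members.setdefault(int(m.group(1)), [])
            elif m := re.fullmatch(r"interface (\d+/\d+/\d+)", line):
                port = m.group(1)                    # physical port, not an SVI
        elif port and (m := re.match(r"\s+vlan (?:access|trunk native|trunk allowed) (.+)", line)):
            for vid in expand(m.group(1)):
                if port not in members.setdefault(vid, []):
                    members[vid].append(port)
    return members

def memberless_vlans(config):
    """VLANs with no configured member port (link state is not checked)."""
    return sorted(v for v, ports in vlan_members(config).items() if not ports)
```

For the constructed sample, `memberless_vlans(SAMPLE_CONFIG)` returns `[63]`: VLAN 63 has an SVI but no port assigned to it, which is the situation the thread's `show vlan` output reports as `no_member_port`.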
Original Message:
Sent: Dec 08, 2025 11:59 AM
From: harryhendo
Subject: Routing 6 class C subnets on a CX8100
Hi Parnassus,
Thanks again for your reply!
Here's the current run config:
vlan 1
vlan 63
vlan 67
vlan 69
vlan 71
vlan 136
vlan 137
interface 1/1/1
    no shutdown
interface 1/1/2
    no shutdown
interface vlan 63
    ip address 128.143.63.1/24
interface vlan 67
    ip address 128.143.67.1/24
interface vlan 69
    ip address 128.143.69.1/24
interface vlan 71
    ip address 128.143.71.1/24
interface vlan 136
    ip address 128.143.136.1/24
interface vlan 137
    ip address 128.143.137.1/24
ip route 0.0.0.0/0 128.143.221.17
But no traffic is passing between systems attached at 1/1/1 and 1/1/2 that are on different subnets.
The 'show vlan' is strange, since it shows the VLANs as 'down':
csrh075a102rtr# show vlan
------------------------------------------------------------------------------------------------------------------
VLAN  Name                              Status  Reason                  Type      Interfaces
------------------------------------------------------------------------------------------------------------------
1     DEFAULT_VLAN_1                    down    no_member_port          default
63    subnet63                          down    no_member_port          static
67    subnet67                          down    no_member_port          static
69    subnet69                          down    no_member_port          static
71    subnet71                          down    no_member_port          static
136   subnet136                         down    no_member_port          static
137   subnet137                         down    no_member_port          static
All ports will participate in all VLANs (traffic from sources in subnet 63, for example, might come in on any port on the switch). So do I have to add all ports to each VLAN? Is there a shorthand to do that (like vlan add port 1/1/[1-28])?
Thanks again for your help. As you can see, I am a novice at this routing.
Original Message:
Sent: Dec 04, 2025 03:10 PM
From: parnassus
Subject: Routing 6 class C subnets on a CX8100
Hi, yes, the proposed setup will let the switch route its internal directly connected VLANs (through their SVIs = VLAN interfaces), and this is for sure a first necessary step (this only if you want the routing to happen on that device first). Then you need to instruct your switch (your internal router) to route any packets having non-local destinations (say any other non-locals to simplify = any external) to a Next Hop Gateway (NHG), a typical role for a border Firewall (and this "last resort routing" could happen either (a) through a specific VLAN acting as a Transport/Transit VLAN only or (b) via a routed physical interface, as written). With this setup, as long as it works for you, the segregation of internal VLANs should be done (if necessary/required) by ACLs deployed at switch level (your internal router). Davide.
Original Message:
Sent: 12/4/2025 2:36:00 PM
From: harryhendo
Subject: RE: Routing 6 class C subnets on a CX8100
Hi Parnassus,
Thanks for your reply.
So I would set up an SVI for each of the subnets, then enable routing between each of the SVIs. For each:
conf t
vlan 180
    name 180subnet
interface vlan 180
    ip address 128.143.180.1/24
    vrf attach default
    no shut
<repeat for all other subnets>