@GRL 

Thanks for responding.  I agree with you in that VLAN isolation is a gateway setting and it should not affect switch routing.  But it does!

I have set up some VLANs with switch routing using your article as a guide.  Things are somewhat working and I'll mention the problem I've run into in a moment.  Back to the isolation matter...  On one of the switch routed VLANs, I have connected a Windows laptop.  It gets its IP address OK through the DHCP relay and the gateway IP shows up as the SVI of the core switch.  When I do a tracert to another device on another switch routed VLAN, I can see that the packets are going to the SVI and being forwarded directly to the other device.  If I isolate the laptop's VLAN on the gateway, the tracert returns the famous * * * after the SVI entry.  It would appear that the gateway is somehow telling the switch to isolate the VLAN.  That's the problem.

Back to the problem I have after setting up some VLANs for inter-VLAN routing.  I have set up a Transit VLAN between the core switch and the gateway.  The default route for the switch has the gateway's Transit VLAN interface as the next hop.  Likewise, there is a return route to the switch with the next hop being the Transit SVI.  The problem is that no traffic is passing through the Transit VLAN.  It appears the traffic is continuing to use the subnet interfaces of the switch and gateway.  For example, doing a tracert to a web site shows the SVI (in this case, 192.168.30.2) as the first hop and the gateway (192.168.30.1) as the next hop.  Any ideas on what I may be doing wrong?

  @Vincent-TP 

I feel that I must disagree with you on this one.  Many networks tend to have their IoT VLAN isolated.  In my case, a smart TV on the IoT VLAN needs to have access to a media server on a different VLAN.  Therefore I override the isolation with a gateway ACL allowing the IoT network to access the media VLAN.  It is simple and very straightforward.  The only devices on the media VLAN are the gateway and a NAS which hosts the media server.  The NAS has its own firewall for limiting access to the rest of its ports.

On the ACL priority issue, my testing shows that a switch ACL is not overriding an isolation setting as the gateway ACLs do.

  @GRL 

Thank-you for the quick response.  I think I will try the split links idea and see how it goes.  My surprise this morning (after leaving things alone overnight) was to find the data counter for the Transit VLAN at 0.  I will let you know the results.

  @GRL 

Again, thanks!  The only thing I did not do before was to eliminate the management VLAN default gateway from the SVI.  After doing so, I never noticed any difference.

After streaming video on the laptop and also on a TV connected to another switch-based VLAN, the Transit VLAN data counter was still pretty low.  Still not sure why.  The inter-VLAN routing was working OK despite the problems with ping and traceroute.  Another problem surfaced...  The wife's PC on a gateway routed VLAN started to have DNS related problems and could not resolve any domain names.  The PC is downstream from the core switch but no settings were changed in that VLAN and the VLAN has connectivity to the gateway.  For a lack of time, and to keep the wife happy, I decided to do this on another day.  I have reverted back to my previous "router on a stick" configuration and everything is OK.