This functions as expected. Untagged traffic from the device in ether1, is tagged with 101 and available to a router connected to sfpplus1 with a vlan101 interface.
However the device in ether1 sees all MACs on my network. Is there a way to configure the CRS326 so that the device connected to ether1 only sees MACs from vlan101?
Is your described CRS usage complete? E.g. are only those two ports in use? If yes, then what you describe is normal.
If not, how are other ports used? Tagged, untagged, …??? It would not be right if ether1 would “see” MAC of a device which is not downstream connected to ether1 nor is part of VLAN101 in any way (but is part of some other VLAN which also flows through CRS).
It’s hard to tell if what you see is correct or not. The fact is that even though you have switches in your network which make sure majority of traffic only traverses necessary ethernet ports and wires, there still is some (small) amount of traffic that “wanders” in un-necessary directions and switches will see those packets and cache MAC addresses and associate them to ports. Some “wandering” traffic is OK. Reasons for it are among others also ethernet broadcasts (e.g. ARP requests, source MAC is there and switches can cache those) and packets with destination MAC yet unknown by switch(es).
The above is true for either ports belonging to same VLAN or in case of non-VLAN network. If your observations don’t agree with my thinking, then post some more details so we can brain-storm and hopefully come to some conclusion.
Update. I put 6.42.6 (up from .4/.5) on all my routers and switches, firmware updates too, rebooted. Then no VLANs worked. I specifically tagged some ports, etc… got all VLANs working again. And this problem seems to have cleared itself up. I only see 2 macs now as expected.