A few (not so) minor details:
If a port is a member of a bridge (sfp1G in your case), then it really shouldn't be used as an interface (i.e. to set an IP address on it) … the bridge offers its own interface (inconveniently also named bridge, which you're already using), and member ports are in the same L2 broadcast domain (and that also includes the bridge's CPU-facing port). So move the address 192.168.178.250 to the bridge interface.
CRS317 is also missing a default route. This is either a minor flaw (if CRS is not supposed to route towards internet, then its only purpose is to give CRS access to internet … e.g. for software updates or for NTP) or a major flaw (if CRS is supposed to route between 192.168.88.0/24 and internet via the upstream gateway).
Regarding moving IP address 192.168.178.250/24 to bridge: currently the device is still switching between all ports, including sfp1G. If you want to contain 192.168.88.0/24 in your 10Gbps network (you probably do, you don't want broadcasts to escape to the rest of the LAN), then you really should isolate sfp1G from the other ports. There are several ways to do it:
- using horizon values on ports
- using VLAN
- removing sfp1G from bridge
The last one disables L3HW offload and since you don’t have any firewall running on CRS between both subnets, this is not what you want (CRS would revert to routing in CPU and CPU in this device really can’t route at 1Gbps).
I’m not sure about option #1 … it might disable L3HW as well.
So it leaves you with option #2. Now, you can configure VLANs on CRS and that doesn’t mean that any frame will ever exit any port tagged. Simply set sfp1G as access port of one VLAN and the rest of ports as access port of another VLAN. Then add a couple of VLAN interfaces and move IP addresses to those VLAN interfaces.
I suggest you take the opportunity to take ether1 off the bridge and configure it as an OOB management port … because re-configuring the device's layer 2 can easily mean loss of connectivity.
The changes regarding VLANs (relative to your current config) are something like this:
```
/interface/bridge/port
# bridge port entries are matched by their interface= property
set [ find interface=sfp1G ] pvid=10 frame-types=admit-only-untagged-and-priority-tagged
set [ find interface=sfp-sfpplus2-10G ] pvid=20 frame-types=admit-only-untagged-and-priority-tagged
set [ find interface=sfp-sfpplus3 ] pvid=20 frame-types=admit-only-untagged-and-priority-tagged
# same for the rest of sfp-sfpplus ports
/interface/bridge/vlan
# this sets the bridge interface as a tagged member of the VLAN IDs with which ROS has to communicate
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge vlan-ids=20
/interface/vlan
add name=LAN1G interface=bridge vlan-id=10
add name=LAN10G interface=bridge vlan-id=20
# Without first configuring ether1 as OOB management port ... and doing this config via ether1,
# you'll lose management access performing the next step. The loss should be temporary, you should be
# able to reconnect. If you can't, use winbox with MAC connectivity.
/ip address
set [ find address=192.168.178.250/24 ] interface=LAN1G
set [ find address=192.168.88.250/24 ] interface=LAN10G
# The last step. If not using ether1 OOB management access, you'll lose access (again).
# Again you should be able to reconnect afterwards.
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
```
And some light reading:
- different bridge personalities: http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1
- proper way of doing VLANs on ROS device: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
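
An added example, not part of the original post: a small Python audit that reads a RouterOS `/export` and flags the conditions discussed above (an IP address on a bridge member port, VLAN filtering left off, all ports in one PVID). Both sample exports are constructed for illustration, and the parser assumes plain `add` lines without line continuations.

```python
import shlex

# Constructed samples in /export style, modelled on the setup discussed above.
SAMPLE_BEFORE = """\
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=sfp1G
add bridge=bridge interface=sfp-sfpplus2-10G
/ip address
add address=192.168.178.250/24 interface=sfp1G
add address=192.168.88.250/24 interface=bridge
"""

SAMPLE_AFTER = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=LAN1G vlan-id=10
add interface=bridge name=LAN10G vlan-id=20
/interface bridge port
add bridge=bridge interface=sfp1G pvid=10
add bridge=bridge interface=sfp-sfpplus2-10G pvid=20
/ip address
add address=192.168.178.250/24 interface=LAN1G
add address=192.168.88.250/24 interface=LAN10G
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} built from the 'add' lines."""
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line  # a menu path such as "/interface bridge port"
        elif line.startswith("add ") and path:
            pairs = (t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def audit(text):
    cfg = parse_export(text)
    ports = cfg.get("/interface bridge port", [])
    members = {p["interface"] for p in ports}
    findings = [f"address {a['address']} is set on bridge member port {a['interface']}"
                for a in cfg.get("/ip address", []) if a["interface"] in members]
    findings += [f"bridge {b['name']}: vlan-filtering is off, pvid is not enforced"
                 for b in cfg.get("/interface bridge", []) if b.get("vlan-filtering") != "yes"]
    if len({p.get("pvid", "1") for p in ports}) < 2:  # pvid defaults to 1 when omitted
        findings.append("all bridge ports share one pvid: single L2 broadcast domain")
    return findings
```

`audit(SAMPLE_BEFORE)` returns three findings and `audit(SAMPLE_AFTER)` returns an empty list.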