Yet Another ISP VLAN split

Regarding config: the VLAN part is mostly wrong on all devices. The rule you broke most often is “never add vlan interface, anchored to bridge, back to bridge as port”.

I suggest you read:

  • about bridge functions
    The bridge has multiple personalities, and it seems you got confused about what is what (don’t feel ashamed, many of us were or still are)
  • tutorial on how to do VLANs with many example use cases. While your particular use might not be covered, you should get a fairly good idea after studying the article.

The CRS125 seems mostly fine; I guess the problem is that you’re configuring two bridges and only one can be HW offloaded. If ROS somehow selects bridge-admin for HW offloading, then you’re toast. You should convert the config to a single bridge and set the management ports to be access ports to the management VLAN (e.g. 666). At the same time, set the switch-cpu1 “port” as a trunk port for the management VID and then create and appropriately configure a VLAN interface off the common bridge.
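
The two mistakes named in this reply (a VLAN interface anchored to a bridge and added back to that bridge as a port, and ports spread over more than one bridge) can be checked mechanically in a RouterOS `/export`. The following is an added example, not part of the original post and not MikroTik code; the sample export, the interface names and the finding labels are constructed for illustration.

```python
import re
import shlex

# Constructed sample in RouterOS /export style (not the poster's real config).
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge-admin
add name=bridge-lan
/interface vlan
add interface=bridge-lan name=vlan10 vlan-id=10
add interface=ether1 name=vlan20 vlan-id=20
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=vlan10
add bridge=bridge-lan interface=vlan20
add bridge=bridge-admin interface=ether24
"""

def parse_export(text):
    """Yield (menu, {key: value}) for every 'add' line of an export."""
    menu = None
    text = re.sub(r"\\\n\s*", "", text)  # rejoin lines wrapped with a trailing backslash
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])
            yield menu, dict(t.split("=", 1) for t in tokens if "=" in t)

def audit(text):
    """Return findings for the two mistakes named in the post."""
    entries = list(parse_export(text))
    bridges = {e["name"] for m, e in entries if m == "/interface bridge" and "name" in e}
    # VLAN interface name -> interface it is anchored to
    parent = {e["name"]: e.get("interface") for m, e in entries
              if m == "/interface vlan" and "name" in e}
    findings, with_ports = [], set()
    for m, e in entries:
        if m != "/interface bridge port":
            continue
        bridge, port = e.get("bridge"), e.get("interface")
        with_ports.add(bridge)
        if bridge in bridges and parent.get(port) == bridge:
            findings.append(f"vlan-as-port: {port} is anchored to {bridge} and is also a port of it")
    if len(with_ports & bridges) > 1:
        findings.append("multi-bridge: " + ", ".join(sorted(with_ports & bridges)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

A VLAN interface anchored to a physical port (`vlan20` in the sample) is not flagged, because the rule quoted in the post concerns only VLAN interfaces anchored to the bridge itself.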