@Tulga described requirements:
- eth3 and eth5 are members of same LAN (switching traffic between ports) - LAN1: 192.168.1.0/24 (I'm guessing subnet mask)
- eth7 and eth9 are members of LAN2: 192.168.2.0/24
- ethX (other than 3,5,7,9 and WAP port) are members of LAN3: 192.168.100.0/24
One can do it using 3 bridges, but the thing is: only one of the bridges can be HW offloaded. If traffic between pairs eth3/eth5 and eth7/eth9 is not big, then these two bridges should be set with hw=no on member ports to ensure that the "big" bridge (spanning most ports) will get HW offloaded.
IP setup in this case would go directly to all 3 bridge interfaces.
One can do it using VLANs and switch chip. The basic idea is to have three VLANs configured on switch chip, each of the VLANs playing the same role as each of the bridges in the previous paragraph. Make sure that switch chip - CPU interconnect (switch port named switch1-cpu) is tagged member of all VLANs so that ROS (CPU) will be able to interact with all VLANs (needed for routing). On the SW side one would then add all ether ports to the same bridge (and make sure no VLAN-related settings are done under /interface bridge). Those VLANs will be entirely internal to CRS2xx device and will effectively partition switch into 3 separate (on L2) switches. The manual to be used for configuring VLANs on switch chip is this one.
IP setup in this case would need corresponding VLAN interfaces (/interface vlan) anchored on common bridge.
In both cases it is necessary to configure IP firewall to block connections between different IP subnets according to requirements. Without it connections between subnets will be possible - not because L2 setup would bleed traffic between them but because you're using CRS2xx as router and router by default forwards packets between its L3 interfaces (interfaces which have IP address set) unless that's blocked using some other mechanism (OK, could be routing filters as well, but on device with stateful firewall enabled it's easier to block that traffic using a few simple firewall filter rules).
[edit] the above is what would work on ROS v6. I guess ROS v7 would run same configuration just fine, I'm not sure about switch chip config though. As @anav already wrote: this device is essentially ethernet switch with (low performance) L3 capability. As such I wouldn't run ROS v7 on it unless the device is used as a lab test device to test v7.
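
The three-bridge variant from the post above, together with the firewall rule that keeps the router from forwarding between the subnets, as an added example in ROS v6 syntax (not the poster's own configuration). Bridge names, the .1 gateway addresses, the address-list name and the two stand-in LAN3 ports are assumptions, and it assumes the requirement is that no LAN may reach another.

```routeros
# Added example, ROS v6 syntax. Names br-lan1..3, list "lans" and the .1
# addresses are assumptions; ports are written etherN as RouterOS names them.

/interface bridge
add name=br-lan1
add name=br-lan2
add name=br-lan3

/interface bridge port
# hw=no on the two small bridges so that br-lan3 is the one that gets HW offload
add bridge=br-lan1 interface=ether3 hw=no
add bridge=br-lan1 interface=ether5 hw=no
add bridge=br-lan2 interface=ether7 hw=no
add bridge=br-lan2 interface=ether9 hw=no
# ether1 and ether2 stand in for the remaining LAN3 ports: one line per port,
# leaving out the uplink port
add bridge=br-lan3 interface=ether1
add bridge=br-lan3 interface=ether2

/ip address
add address=192.168.1.1/24 interface=br-lan1
add address=192.168.2.1/24 interface=br-lan2
add address=192.168.100.1/24 interface=br-lan3

/ip firewall address-list
add list=lans address=192.168.1.0/24
add list=lans address=192.168.2.0/24
add list=lans address=192.168.100.0/24

/ip firewall filter
# With default bridge settings, traffic inside one subnet is bridged and never
# reaches the forward chain, so this rule only matches packets that the router
# would otherwise route from one LAN to another.
add chain=forward action=drop src-address-list=lans dst-address-list=lans \
    comment="no routing between LANs"
```

The drop rule has to sit above any accept rule in the forward chain that would match the same traffic. After a ping from one LAN to another, the rule's packet counter in `/ip firewall filter print stats` should increase.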