Lets understand your CRS ports
ether1 trunk port assuming to ?????????
ether1 is a trunk port to RB5009 port 5 trunk
ether3 RB 5009 access port, trunk port or hybrid port
ports 3, 5, and 7 are on a vlan 5 which only exists on the switch in order to isolate them. I use the CRS POE to power the 2 x RB5009 and 1 x LtAP. Then, the RB5009's get their IP addresses via DHCP from the LtAP. Basically, I've made a switch within a switch solely for the powering and dhcp assignments/requests of those 3 devices.
ether4 trunk port
ether4, along with a good number of others isn't used. I know I should remove them from the bridge but the laziness I've mentioned wins sometimes.
ether5 access port to ltap ??? Isnt that device supposed to connect to the RB5009???
already explained above
ether7 access port - SG5100
already explained above
ether10 is setup as an access port on management vlan100 ?????? what purpose???
Reason I ask is that its missing on /interface vlan bridge settings, I f you want to have port that you can access OFF the bridge that would explain it but then why did you note it in /interface bridge ports??? You would need to remove it, only add an ip address for a separate subnet of your choosing and add it to the wininterface list as a member.
I set this up just to make sure that the switch was doing what I thought I was telling it to do. Will be removed but an MGMT access port will be created.
ether16 unknown.
unused
ether17 downstairs
yup
ether21 NAS MISSING on bridge ports
Don't follow you here, the NAS resides on MGMT vlan 100. Switch port is set up to be an access port for that VLAN.
ether22 AP trunk port to smart AP
ether23 AP trunk port to smart AP
ether 24 CK access port on management vlan.
sfpplus1-Trunk
Mostly right. ether22 and ether23 carry VLAN100, 120, and 160 (no VLAN140). 100 is the management network that the AP resides on. 120 and 160 provide connectivity to the two VLAN-based SSIDs running on the APs. CK only resides on VLAN100 and so it put on an access port.
In summary your assignments are confused and should be cleaned up.
For example it looks like you have to connections to the RB5009, both ether1 and ether5 ????
Think I explained this clearly as to what it accomplishes. If not let me know and I'll try again.
If you provide a diagram ( and not the confusing one you posted in SWOS LOL) to show everything, the config will be much easier to match up.
I was in rare form yesterday. I am not sure this is needed assuming my explanation to the above made sense. In the end, there are a number of ports that we removed from the bridge or otherwise turned off. One port will be set up as a MGMT access port outside of the bridge.