If all traffic needs to go from gi0/4 to gi0/3 and from gi0/2 to gi0/1, you could use layer 2 local switching. Configuration would be roughly:
connect Router1-TM GigabitEthernet0/4 GigabitEthernet0/3
connect Router2-TM GigabitEthernet0/1 GigabitEthernet0/2
If your linecards do not support layer 2 local connect, then consider bridge-groups:
bridge irb
interface range GigabitEthernet0/4 , GigabitEthernet0/3
 bridge-group 1
interface range GigabitEthernet0/1 - 2
 bridge-group 2
!
bridge 1 protocol ieee
bridge 1 priority 128
bridge 2 protocol ieee
bridge 2 priority 128
However, I'm dubious whether bridge is actually in PFC, at least not up to PFC3; I'm not sure about PFC4 (SUP2T).
Finally, you have the option to use QinQ:
interface range GigabitEthernet0/4 , GigabitEthernet0/3
 switchport
 switchport access vlan 42
 switchport mode dot1q-tunnel
 switchport nonegotiate
!
interface range GigabitEthernet0/1 - 2
 switchport
 switchport access vlan 43
 switchport mode dot1q-tunnel
 switchport nonegotiate
!
In this option, VLAN 123 that comes from Router1 gets VLAN 42 on top of it [ 42 123 ]; MAC addresses from ALL Router1 VLANs are populated in the VLAN 42 mac-address-table. So the MAC lookup is done against VLAN 42, where we only have the traffic manager; once we send the frame out to the traffic manager, we pop VLAN 42 off.
Now, after the traffic manager sends it OUT, again in VLAN 123, it gets VLAN 43 on top of it [ 43 123 ], and as before the MAC lookup is done in table 43, where we only have Router2; the frame is sent out towards Router2 and VLAN 43 is popped off.
By default STP is not tunneled like the rest of the traffic; the STP BPDU is directly visible to the switch, and the switch will react to it normally, which is often undesirable. If STP BPDUs need to be tunneled as well, you need a feature called 'Layer 2 Protocol Tunnel' or L2PT.
L2PT is a fancy word for DMAC address rewrite: when an incoming frame has a DMAC identifying the frame as a special BPDU, such as STP, you rewrite the DMAC to some non-special address. For STP, the BPDU DMAC is rewritten on ingress to 01-00-0c-cd-cd-d0, then on egress the 01-00-0c-cd-cd-d0 DMAC is again rewritten back to the STP DMAC.
Configuration is as follows:
l2protocol-tunnel cdp
l2protocol-tunnel lldp
l2protocol-tunnel stp
l2protocol-tunnel vtp
You can use 'show l2protocol-tunnel interface giga0/1' to see counters for both directions of the MAC rewrite: 'encap' means the real DMAC was rewritten to 01-00-0c-cd-cd-d0, and 'decap' means 01-00-0c-cd-cd-d0 was rewritten back to the real DMAC.
switch#show l2protocol-tunnel interface giga1/0/6
COS for Encapsulated Packets: 5

Port       Protocol Shutdown  Drop      Encapsulation Decapsulation Drop
                    Threshold Threshold Counter       Counter       Counter
---------- -------- --------- --------- ------------- ------------- -------------
Gi1/0/6    cdp      ----      ----      2674827       263832        0
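The QinQ tag push/pop, the MAC learning in the outer VLAN and the L2PT DMAC rewrite described in this answer, together with the per-port encap/decap counters that the show command reports, as an added Python model; it is not part of the original answer and not Cisco code. Port names, MAC addresses and frame contents are constructed for the illustration, and the model is deliberately simplified: one outer VLAN per dot1q-tunnel port, no drop thresholds, no real STP processing and no FCS.

```python
"""Toy model of a dot1q-tunnel (QinQ) switch with the L2PT DMAC rewrite.

Added illustration (not Cisco code). Frames are raw bytes: DMAC, SMAC,
zero or more 802.1Q tags, EtherType/length, payload.
"""
import struct

TPID_DOT1Q = 0x8100
STP_DMAC = bytes.fromhex("0180c2000000")   # IEEE 802.1D BPDU group address
L2PT_DMAC = bytes.fromhex("01000ccdcdd0")  # L2PT tunnel DMAC named in the answer


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def build_frame(dst: bytes, src: bytes, vlan, ethertype: int, payload: bytes) -> bytes:
    """Constructed Ethernet frame with an optional single 802.1Q tag."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_DOT1Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def vlan_stack(frame: bytes) -> list:
    """VLAN IDs in the tag stack, outermost first ([] for an untagged frame)."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_DOT1Q:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags


def push_tag(frame: bytes, vlan: int) -> bytes:
    """QinQ ingress: put the access VLAN on top of whatever the customer sent."""
    return frame[:12] + struct.pack("!HH", TPID_DOT1Q, vlan & 0x0FFF) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """QinQ egress: strip only the outermost tag."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID_DOT1Q:
        raise ValueError("frame is untagged")
    return frame[:12] + frame[16:]


class TunnelSwitch:
    """Every port is a dot1q-tunnel access port in one outer VLAN (simplification)."""

    def __init__(self, ports: dict, l2pt: bool):
        self.ports = ports          # port name -> outer (access) VLAN
        self.l2pt = l2pt
        self.mac_table = {}         # (outer VLAN, MAC) -> port
        self.counters = {p: {"encap": 0, "decap": 0} for p in ports}

    def ingress(self, port: str, frame: bytes) -> list:
        """Returns [(egress port, frame as transmitted on that port)]."""
        outer = self.ports[port]
        dst, src = frame[:6], frame[6:12]
        if dst == STP_DMAC:
            if not self.l2pt:
                return []                       # switch consumes the BPDU itself
            frame = L2PT_DMAC + frame[6:]       # encap: DMAC rewrite on ingress
            self.counters[port]["encap"] += 1
            dst = L2PT_DMAC
        tagged = push_tag(frame, outer)         # stack is now [outer, customer...]
        self.mac_table[(outer, src)] = port     # learning happens in the outer VLAN
        out = self.mac_table.get((outer, dst))
        if out is None:                         # unknown destination: flood outer VLAN
            targets = [p for p, v in self.ports.items() if v == outer and p != port]
        else:
            targets = [out]
        return [(p, self.egress(p, tagged)) for p in targets]

    def egress(self, port: str, frame: bytes) -> bytes:
        frame = pop_tag(frame)
        if self.l2pt and frame[:6] == L2PT_DMAC:
            frame = STP_DMAC + frame[6:]        # decap: rewrite back on egress
            self.counters[port]["decap"] += 1
        return frame


def demo(l2pt: bool = True) -> dict:
    """Router1 on Gi0/4 sends to the traffic manager on Gi0/3 (outer VLAN 42)."""
    sw = TunnelSwitch({"Gi0/4": 42, "Gi0/3": 42, "Gi0/1": 43, "Gi0/2": 43}, l2pt)
    router1, manager = mac("00:00:5e:00:53:01"), mac("00:00:5e:00:53:aa")  # constructed
    data = build_frame(manager, router1, 123, 0x0800, bytes(20))         # VLAN 123 data
    data_out = sw.ingress("Gi0/4", data)
    bpdu = build_frame(STP_DMAC, router1, None, 0x0026, b"\x42\x42\x03" + bytes(35))
    bpdu_out = sw.ingress("Gi0/4", bpdu)
    return {
        "inside_stack": vlan_stack(push_tag(data, 42)),   # what the MAC lookup sees
        "data_ports": [p for p, _ in data_out],
        "data_vlans": vlan_stack(data_out[0][1]),          # outer tag popped again
        "learned_on": sw.mac_table[(42, router1)],
        "bpdu_ports": [p for p, _ in bpdu_out],
        "bpdu_dmac": bpdu_out[0][1][:6].hex(":") if bpdu_out else None,
        "counters": sw.counters,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the frame carrying [42, 123] inside the switch and only [123] when it leaves Gi0/3, Router1's MAC learned in the VLAN 42 table, and one encap on Gi0/4 with one decap on Gi0/3 for the tunneled BPDU; with `demo(l2pt=False)` the BPDU is never forwarded, which is the behaviour the answer calls undesirable.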
Best Answer
As Ron Trunk pointed out, bridging VLANs can be problematic in the results. Cisco offers SPAN for network monitoring. You can mirror the traffic from one or more interfaces or VLANs to an interface to which you connect your monitoring equipment. There is also RSPAN that lets you transport the mirrored traffic across layer-2 to a different switch, and ERSPAN (for select equipment) that will encapsulate the mirrored traffic so that it can cross layer-3.
Understanding SPAN, RSPAN, and ERSPAN
To control traffic between the VLANs, you use something like an ACL on the router that routes traffic between the VLANs.