How to isolate an Ethernet port to ALLOW a physical loop?

Hey All!

So here's the situation:

RB3011 - 6.42.3

I would like to bridge ether ports 1 & 2, then connect ether2 to ether10 without creating a loop.

More specifically:

router1-ether1 (192.168.1.2) -----------> router2-ether1 (no ip) ---------> in a bridge group with router2-ether2 (no ip) ---------------------> an inline transparent bridge to do packet analysis --------------> router2-ether10 (192.168.1.1)

How can I achieve this without creating a loop between router2-ether2 and router2-ether10?

Any suggestions would be grand!

As long as ether1,ether2 are member ports of one bridge and ether10 is standalone or a member port of another bridge, the loop should not close internally even if they are on the same switch chip, because ports which do not belong to the same bridge get isolated on the switch chip (and out of all bridges, only one is hardware-accelerated on each switch chip, meaning it uses the MAC table and direct forwarding of that chip).

Exactly!

Not happening though. I get one-way traffic, and if I enable loop protect on the Ethernet ports, they detect a loop.

I think there is a bug.

A bridge by default will not flood traffic in that manner. The behaviour you’re looking for is found in a hub, a layer 1 device. A bridge operates at layer 2 and intentionally learns the MAC addresses found on its ports and only forwards frames destined for those MAC addresses, broadcasts, or floods a frame when the port for its destination is unknown. If you want to turn a bridge on router2 into something that behaves like a hub, you could turn off MAC address learning on the ports to force the bridge to flood every frame.


/interface bridge add name=spy1
/interface bridge port add bridge=spy1 interface=ether1 learn=no
/interface bridge port add bridge=spy1 interface=ether2 learn=no
/interface bridge port add bridge=spy1 interface=ether10 learn=no

^^ You may want to allow learning on ether10 but verify it works with it off first.

Alternatively, this could all be done on router1 without the bridge and span on router2. Also, you can use the remote packet sniffing option to have all traffic sent to a machine encapsulated in UDP packets. Only router1 would be necessary:


/tool sniffer set streaming-enabled=yes streaming-server=<ip-of-monitoring-station>
/tool sniffer set filter-interface=ether1 filter-direction=any

The workstation receiving the traffic just needs Wireshark running. Because the traffic is encapsulated in UDP, it can be routed, eliminating the need to have the troubleshooting or packet-capture system directly attached.

I also may not be fully understanding your ASCII art, but you should be able to extract the essence of what you need. Without MAC address learning you won't need to pipe a monitoring station (in / out) and back into the same bridge. You’ll just be able to dump off a clone of the traffic. If you need to insert an appliance that has an in and out port between router1 and router2, then just do that without the bridge magic.
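The streaming sniffer described in the post above sends each captured frame to the monitoring station wrapped in a TZSP header inside a UDP datagram (RouterOS and Wireshark both default to UDP port 37008). The following is an added example, not code from the thread or from MikroTik: a small receiver that strips the TZSP envelope and decodes the Ethernet header, so the stream can be consumed or filtered by a script rather than only by Wireshark. The sample datagram (an ARP request from 192.168.1.2, carrying one extra tagged field that the decoder skips) is constructed inline for an offline run; the function names and the tag value are this example's own, not anything on the page.

```python
"""Receive and decode TZSP datagrams produced by RouterOS "/tool sniffer" streaming.

Added example (not from the forum thread). TZSP layout as sent by RouterOS:
  version (1 byte, =1) | type (1 byte, 0 = received packet) | encapsulation (2 bytes, 1 = Ethernet)
  | tagged fields: tag byte; tag 0 = padding (no length), tag 1 = end (no length),
    any other tag is followed by a length byte and that many bytes of value
  | the captured Ethernet frame
"""
import socket
import struct

TZSP_PORT = 37008            # default TZSP port used by RouterOS and by Wireshark's dissector
TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0
TZSP_ENCAP_ETHERNET = 1
TAG_PADDING = 0x00
TAG_END = 0x01


def parse_tzsp(datagram):
    """Split a TZSP datagram into header fields, tagged fields and the inner frame.

    Raises ValueError on anything malformed so a receive loop can drop it."""
    if len(datagram) < 4:
        raise ValueError("datagram too short for a TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError("unsupported TZSP version %d" % version)
    pos, tags = 4, {}
    while True:
        if pos >= len(datagram):
            raise ValueError("TZSP tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_PADDING:
            continue
        if tag == TAG_END:
            break
        if pos >= len(datagram):
            raise ValueError("truncated tag length")
        length = datagram[pos]
        pos += 1
        value = datagram[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated tag value")
        tags[tag] = value
        pos += length
    return {"type": ptype, "encap": encap, "tags": tags, "frame": datagram[pos:]}


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_ethernet(frame):
    """Decode dst/src/ethertype of an Ethernet II frame (no 802.1Q handling here)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
            "ethertype": ethertype, "payload": frame[14:]}


def try_decode(datagram):
    """Decode one datagram; return None instead of raising for malformed input."""
    try:
        tzsp = parse_tzsp(datagram)
        if tzsp["encap"] != TZSP_ENCAP_ETHERNET:
            return None
        return {"tzsp": tzsp, "eth": parse_ethernet(tzsp["frame"])}
    except ValueError:
        return None


def receive(handler, port=TZSP_PORT, bind_addr="0.0.0.0", count=None):
    """Bind the TZSP port and call handler(decoded, peer) for each well-formed datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    seen = 0
    while count is None or seen < count:
        data, peer = sock.recvfrom(65535)
        decoded = try_decode(data)
        if decoded is None:
            continue            # drop junk quietly; anyone can send UDP to this port
        handler(decoded, peer)
        seen += 1


def build_tzsp(frame, tags=None, ptype=TZSP_TYPE_RECEIVED):
    """Wrap a frame the way RouterOS does; used here only to construct the sample."""
    out = struct.pack("!BBH", TZSP_VERSION, ptype, TZSP_ENCAP_ETHERNET)
    for tag, value in (tags or {}).items():
        out += bytes([tag, len(value)]) + value
    return out + bytes([TAG_END]) + frame


# Constructed sample: ARP request "who has 192.168.1.1" from 00:11:22:33:44:55 / 192.168.1.2.
SRC_MAC = bytes.fromhex("001122334455")
BCAST = b"\xff" * 6
SAMPLE_ARP = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                         SRC_MAC, bytes([192, 168, 1, 2]), b"\x00" * 6, bytes([192, 168, 1, 1]))
SAMPLE_FRAME = BCAST + SRC_MAC + struct.pack("!H", 0x0806) + SAMPLE_ARP
SAMPLE_DATAGRAM = build_tzsp(SAMPLE_FRAME, tags={0x0a: b"\x01"})   # tag 0x0a is an arbitrary example

if __name__ == "__main__":
    print(try_decode(SAMPLE_DATAGRAM)["eth"])
    # To read the live stream instead:  receive(lambda d, peer: print(peer, d["eth"]))
```

Two caveats when running this against a real router: TZSP is plain UDP with no authentication or encryption, so the capture travels in cleartext and the receiver will happily decode datagrams from any sender, which is why the loop drops malformed input without logging and why the monitoring station belongs on a trusted path; and the stream itself is ordinary traffic, so if it leaves the router through the interface being sniffed, each streamed packet is captured and streamed again.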