[ASR9K] - Ingress ACL on GRE tunnel traffic

Sam Preston
Level 1

Hello,

I have an ASR9K on which I will configure a GRE tunnel towards a remote destination.
My problem is: for security reasons, I would like to filter the IP traffic entering my router via this GRE tunnel to deny unwanted TCP ports. Is this something that is supported by this platform? On the "tunnel-ip" interface, I am able to configure an "ip access-group ... in", but how does it behave? Does it filter the traffic after the GRE decapsulation (i.e. IP traffic) or before (i.e. GRE traffic)?

My assumption would be that, if I apply a filter on the physical interface, I can only filter GRE vs non-GRE traffic, but if I apply this filter on the GRE interface itself, maybe it will filter the IP traffic embedded into the GRE encapsulation.

Is this assumption correct, please?

Thanks!

1 Reply

Eddie Chami
Cisco Employee

Sam,

Your understanding is correct. An ACL can be applied on a GRE interface (ingress/egress) just like any standard interface, and it will act upon the traffic in the GRE tunnel.

Regards

Eddie.
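
The two filter points discussed in this thread, sketched as an IOS XR configuration. This is an added example, not configuration posted by either participant; the ACL names, interface numbers, addresses (documentation ranges) and blocked ports are all assumptions.

```cisco
! Constructed example: every name, address and port below is a placeholder.
!
! ACL for the tunnel interface. It is matched against the decapsulated
! (inner) IP packet, so TCP ports carried inside the tunnel are visible here.
ipv4 access-list GRE-INNER-IN
 10 remark Deny unwanted TCP ports arriving through the tunnel
 20 deny tcp any any eq telnet
 30 deny tcp any any eq 445
 40 permit ipv4 any any
!
! ACL for the physical interface. It is matched against the outer header,
! where tunnelled traffic is just GRE (IP protocol 47); inner TCP ports
! cannot be matched at this point.
ipv4 access-list GRE-OUTER-IN
 10 remark Accept GRE only from the expected tunnel peer
 20 permit gre host 192.0.2.2 host 192.0.2.1
 30 deny gre any any
 40 permit ipv4 any any
!
interface tunnel-ip1
 ipv4 address 10.255.0.1 255.255.255.252
 tunnel mode gre ipv4
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
 ! Filters the inner IP traffic after GRE decapsulation
 ipv4 access-group GRE-INNER-IN ingress
!
interface TenGigE0/0/0/0
 ipv4 address 192.0.2.1 255.255.255.252
 ! Filters GRE versus non-GRE on the outer header only
 ipv4 access-group GRE-OUTER-IN ingress
!
```

Note that IOS XR attaches the ACL with `ipv4 access-group <name> ingress` rather than the IOS-style `ip access-group ... in`.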