Hello,
I have an ASR9K on which I will configure a GRE tunnel towards a remote destination.
My problem is: for security reasons, I would like to filter the IP traffic entering my router via this GRE tunnel to deny unwanted TCP ports. Is this something that is supported by this platform? On the "tunnel-ip" interface, I am able to configure an "ip access-group ... in", but how does it behave? Does it filter the traffic after the GRE decapsulation (i.e., IP traffic) or before (i.e., GRE traffic)?
My assumption would be that, if I apply a filter on the physical interface, I can only filter GRE vs non-GRE traffic, but if I apply this filter on the GRE interface itself, maybe it will filter the IP traffic embedded into the GRE encapsulation.
Is this assumption correct, please?
Thanks!