topic Exclude traffic from crypto map based on DSCP/IP precedence values in Network Security https://community.cisco.com/t5/network-security/exclude-traffic-from-crypto-map-based-on-dscp-ip-precedence/m-p/2931138#M909541 <P>Hi all,</P> <P></P> <P>I'm trying to configure an IPsec connection which excludes some traffic from being encripted using its dscp value. Apparently it's as easy as configuring its dscp value with a deny statement on the crypto ACL , but it's not working. Sometimes it encripts the traffic and sometimes it drops it, depending on the configuration. I need to configure a "deny tcp/udp any any" at the top of the ACL since the same source network could generate some traffic to be encripted and some not to be (skype, voip, etc...).My goal is to get something like this to work:</P> <P></P> <P>access-list 2285 deny udp any any dscp ef<BR />access-list 2285 deny udp any any dscp af41</P> <P>access-list 2285&nbsp;permit &lt;nerwork_1&gt; &lt;network_2&gt;</P> <P>(...)<BR /><SPAN>access-list 2285&nbsp;</SPAN><SPAN>permit &lt;nerwork_y&gt; &lt;network_z&gt;</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>If I use deny statements without "any any" but with "network_a network_b" it works but there are so many networks (and more to be deployed) that the "any any" are needed. I'm using a Cisco 3925 with IOS 15.4(3)M3 but I've also tested some other older IOS with the same results.</SPAN></P> <P><SPAN></SPAN></P> <P>Any help/advice? Thanks, Best regards,&nbsp;</P> <P></P> <P>José Manuel.</P> <P></P> <P><SPAN></SPAN></P> <P><SPAN></SPAN></P> Fri, 21 Feb 2020 13:57:08 GMT MysticalTh0r 2020-02-21T13:57:08Z Exclude traffic from crypto map based on DSCP/IP precedence values https://community.cisco.com/t5/network-security/exclude-traffic-from-crypto-map-based-on-dscp-ip-precedence/m-p/2931138#M909541 <P>Hi all,</P> <P></P> <P>I'm trying to configure an IPsec connection which excludes some traffic from being encripted using its dscp value. Apparently it's as easy as configuring its dscp value with a deny statement on the crypto ACL , but it's not working. Sometimes it encripts the traffic and sometimes it drops it, depending on the configuration. I need to configure a "deny tcp/udp any any" at the top of the ACL since the same source network could generate some traffic to be encripted and some not to be (skype, voip, etc...).My goal is to get something like this to work:</P> <P></P> <P>access-list 2285 deny udp any any dscp ef<BR />access-list 2285 deny udp any any dscp af41</P> <P>access-list 2285&nbsp;permit &lt;nerwork_1&gt; &lt;network_2&gt;</P> <P>(...)<BR /><SPAN>access-list 2285&nbsp;</SPAN><SPAN>permit &lt;nerwork_y&gt; &lt;network_z&gt;</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>If I use deny statements without "any any" but with "network_a network_b" it works but there are so many networks (and more to be deployed) that the "any any" are needed. I'm using a Cisco 3925 with IOS 15.4(3)M3 but I've also tested some other older IOS with the same results.</SPAN></P> <P><SPAN></SPAN></P> <P>Any help/advice? Thanks, Best regards,&nbsp;</P> <P></P> <P>José Manuel.</P> <P></P> <P><SPAN></SPAN></P> <P><SPAN></SPAN></P> Fri, 21 Feb 2020 13:57:08 GMT https://community.cisco.com/t5/network-security/exclude-traffic-from-crypto-map-based-on-dscp-ip-precedence/m-p/2931138#M909541 MysticalTh0r 2020-02-21T13:57:08Z