Hi all,
I'm trying to configure an IPsec connection which excludes some traffic from being encrypted using its DSCP value. Apparently it's as easy as configuring its DSCP value with a deny statement on the crypto ACL, but it's not working. Sometimes it encrypts the traffic and sometimes it drops it, depending on the configuration. I need to configure a "deny tcp/udp any any" at the top of the ACL since the same source network could generate some traffic to be encrypted and some not to be (Skype, VoIP, etc.). My goal is to get something like this to work:
access-list 2285 deny udp any any dscp ef
access-list 2285 deny udp any any dscp af41
access-list 2285 permit <network_1> <network_2>
(...)
access-list 2285 permit <network_y> <network_z>
If I use deny statements without "any any" but with "network_a network_b" it works, but there are so many networks (and more to be deployed) that the "any any" entries are needed. I'm using a Cisco 3925 with IOS 15.4(3)M3 but I've also tested some other older IOS versions with the same results.
Any help/advice? Thanks, Best regards,
José Manuel.
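The following is an added example, not part of the original post and not Cisco code: a small Python model of how a crypto ACL is evaluated in first-match order, with the intended ACL 2285 from the post expressed as entries. The network pairs (10.1.0.0/24, 10.2.0.0/24 and so on) are constructed placeholders for the post's `<network_x>` values, and the model only shows the ordering intent (deny-by-DSCP lines must sit above the permits, otherwise a broad permit shadows them); it does not reproduce the IOS behaviour the post is asking about.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# DSCP code points named in the post: EF = 46, AF41 = 34; cs0 = 0 is best effort.
DSCP = {"ef": 46, "af41": 34, "cs0": 0}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" = interesting traffic (encrypt), "deny" = send in the clear
    proto: str                   # "ip", "udp" or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dscp: Optional[int] = None   # None = match any DSCP value


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dscp: int = 0


def entry(action: str, proto: str, src: str, dst: str, dscp: Optional[str] = None) -> Entry:
    """Build one access-list entry; 'any' expands to 0.0.0.0/0, dscp is a name from DSCP."""
    def net(s: str) -> ipaddress.IPv4Network:
        return ANY if s == "any" else ipaddress.ip_network(s)
    return Entry(action, proto, net(src), net(dst), None if dscp is None else DSCP[dscp])


def matches(e: Entry, p: Packet) -> bool:
    """An entry matches when protocol, both address ranges and (if given) the DSCP value agree."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src or ipaddress.ip_address(p.dst) not in e.dst:
        return False
    return e.dscp is None or e.dscp == p.dscp


def classify(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins. A crypto ACL with no match means the packet is
    not 'interesting' for the tunnel, so it is forwarded in the clear ("bypass")."""
    for e in acl:
        if matches(e, p):
            return "encrypt" if e.action == "permit" else "bypass"
    return "bypass"


# The ACL the post wants, with constructed placeholder networks (hypothetical values).
ACL_2285 = [
    entry("deny", "udp", "any", "any", "ef"),
    entry("deny", "udp", "any", "any", "af41"),
    entry("permit", "ip", "10.1.0.0/24", "10.2.0.0/24"),
    entry("permit", "ip", "10.1.1.0/24", "10.2.1.0/24"),
]

# Same entries with the deny lines placed after the permits: the permit now shadows them,
# so EF-marked UDP between the site networks is encrypted instead of bypassed.
ACL_MISORDERED = ACL_2285[2:] + ACL_2285[:2]


if __name__ == "__main__":
    samples = [
        Packet("udp", "10.1.0.5", "10.2.0.9", DSCP["ef"]),     # voice, should bypass
        Packet("udp", "10.1.0.5", "10.2.0.9", DSCP["cs0"]),    # ordinary UDP, should encrypt
        Packet("tcp", "10.1.0.5", "10.2.0.9", DSCP["ef"]),     # TCP with EF still encrypted (deny is udp-only)
        Packet("udp", "10.9.0.1", "10.2.0.9", DSCP["ef"]),     # not in any permit pair: bypass
    ]
    for pkt in samples:
        print(pkt, "->", classify(ACL_2285, pkt), "| misordered:", classify(ACL_MISORDERED, pkt))
```

Run as a script to see each sample packet classified against both orderings; the misordered list shows why the post's requirement that the DSCP deny entries sit at the top of the ACL matters when the permit entries are broad.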