I have a failover site-to-site VPN solution that I inherited when hired a couple of months ago. I understand the interesting traffic permit ACL, but there is also an extremely large deny ACL. I am trying to follow the packet so I can explain the entire process to management. I am going to replace this solution using the DMVPN solution, hopefully. Our current solution is not scalable: as we add more spokes, the ACLs get too big. Here is a sample of our VPN solution. Again, I am just trying to follow the packet and understand how the deny ACL works. We have a VoIP solution in place as well, so each spoke will need to talk to each spoke for voice. 10 sites will not be failed over, but 1 may, and it needs to continue to communicate.