Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Interesting Traffic Issue


I have configured two routers for site to site vpn. I want to encrypt all traffic except ospf and voice so i configure access-list you can see below:

ip access-list extended 101

10 deny ospf any any

15 deny ip any any dscp cs5

20 permit ip any any

Note: i configure so that as voice dial-peer match it assign rtp packet dscp value=cs5 means precedence 5

Now problem is when i send ping packets or telnet other router, it don't hit access-list so ipsec tunnel not established. but if i remove line "15 deny ip any any dscp cs5" from access-list then it works fine and tunnel established.

As i mentioned earlier i want to exclude voice rtp packets from ipsec tunnel. access-list looks fine. So please tell what would be the issue?

Best Regards


New Member

Re: Interesting Traffic Issue

Still Waiting.....

Re: Interesting Traffic Issue

Hi Ramiz,

That is really interesting indeed.

Can you disable the cef feature on the router(no ip cef) and see if it works?

Another cool way to do this, if the crypto map will not mark the voice traffic, is to apply the crypto map on a loopback interface, then you route the IPSEC + OSPF + Voice on the external interface.

You will have a static pointing to the loopback (or OSPF), but also implement a route map to prevent the voice traffic reaching the loopback, and instead get sent directly on the outside interface.

Rate if this helps.