IPv6 tunneling over IPv4 Configuration

Since IPv4 and IPv6 are not compatible with each other, we need some migration strategies. One technique that we can use is tunneling. Basically, it means that we encapsulate IPv6 packets into IPv4 packets (or the other way around) so they can be routed. In this lesson, I’ll show you how to configure IPv6 static tunneling over an IPv4 network. There are two methods:

  • Manual tunnels
  • GRE (Generic Routing Encapsulation) tunnels

Both tunnel types are very similar, with just minor differences. Both support IPv6 IGPs through the tunnel interface and forwarding of multicast traffic. Manual tunnels follow RFC 4213, which defines how to encapsulate IPv6 packets in IPv4. GRE is a generic encapsulation type that rides on top of IPv4 and isn’t only for IPv6. It can carry many different protocols, and if you have ever configured an IPsec VPN with IGPs running through it, you had to use GRE.
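What the two encapsulations look like to an IPv4-only device in the path, as an added example that is not part of the original lesson: a manual tunnel is IPv4 protocol 41 with the IPv6 packet directly behind the IPv4 header, while GRE is IPv4 protocol 47 with a GRE header whose protocol type is 0x86DD. The function and constant names are made up for this sketch, and the sample packets are constructed from the tunnel endpoints and loopback addresses this lesson configures.

```python
import ipaddress
import struct

PROTO_IPV6 = 41          # IPv6-in-IPv4, RFC 4213 ("tunnel mode ipv6ip")
PROTO_GRE = 47           # GRE ("tunnel mode gre ip")
ETHERTYPE_IPV6 = 0x86DD  # GRE protocol type when the payload is IPv6

def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header; checksum left at 0 because nothing here checks it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 255,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def ipv6_header(src, dst):
    """40-byte IPv6 header with no payload (next header 59)."""
    return struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

def classify(packet):
    """Return (tunnel mode, overhead bytes, inner src, inner dst) or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto, inner, mode = packet[9], packet[ihl:], "ipv6ip"
    if proto == PROTO_GRE:
        if len(inner) < 4:
            return None
        flags, ptype = struct.unpack("!HH", inner[:4])
        if ptype != ETHERTYPE_IPV6:
            return None
        # Optional checksum, key and sequence fields add 4 bytes each.
        mode, inner = "gre", inner[4 + 4 * bin(flags & 0xB000).count("1"):]
    elif proto != PROTO_IPV6:
        return None
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    src, dst = (ipaddress.IPv6Address(inner[i:i + 16]) for i in (8, 24))
    return mode, len(packet) - len(inner), str(src), str(dst)

# Constructed packets: this lesson's tunnel endpoints and IPv6 loopbacks.
INNER = ipv6_header("2001::1", "2001::3")
MANUAL = ipv4_header("1.1.1.1", "3.3.3.3", PROTO_IPV6, len(INNER)) + INNER
GRE = (ipv4_header("1.1.1.1", "3.3.3.3", PROTO_GRE, 4 + len(INNER))
       + struct.pack("!HH", 0, ETHERTYPE_IPV6) + INNER)

if __name__ == "__main__":
    print(classify(MANUAL))
    print(classify(GRE))
```

The overhead column is the part an IPv4-only firewall or ACL on the transit path has to account for: it only ever sees protocol 41 or 47 between the two tunnel endpoints, never the inner IPv6 addresses.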

Configuration

Let’s continue by looking at some examples and how to configure the static point-to-point IPv6 tunnels.

ipv6 static tunneling

This is the topology we’ll be using. Three routers are running IPv4. R1 and R3 also run IPv6, and we want connectivity between them without adding IPv6 support on R2. Let’s configure all IPv4 and IPv6 addresses:

R1(config)#interface loopback 0
R1(config-if)#ipv6 address 2001::1/128
R1(config-if)#exit
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#exit  
R2(config)#interface fastEthernet 1/0
R2(config-if)#ip address 192.168.23.2 255.255.255.0
R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 192.168.23.3 255.255.255.0
R3(config-if)#exit
R3(config)#interface loopback 0
R3(config-if)#ipv6 address 2001::3/128

Our next step is to create a tunnel interface between R1 and R3. They need to be able to reach each other through IPv4. I’ll create a new loopback interface on R1 and R3, advertise them in EIGRP, and use these addresses for the tunnel:

R1(config)#interface loopback 1
R1(config-if)#ip address 1.1.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#router eigrp 123
R1(config-router)#no auto-summary 
R1(config-router)#network 192.168.12.0
R1(config-router)#network 1.1.1.0
R2(config)#router eigrp 123
R2(config-router)#no auto-summary 
R2(config-router)#network 192.168.12.0
R2(config-router)#network 192.168.23.0
R3(config)#interface loopback 1
R3(config-if)#ip address 3.3.3.3 255.255.255.0
R3(config-if)#exit
R3(config)#router eigrp 123
R3(config-router)#no auto-summary 
R3(config-router)#network 192.168.23.0
R3(config-router)#network 3.3.3.0

I could also use physical interfaces, but they can go down. Whenever a physical interface goes down, our IGP (EIGRP in this example) could find another path to the loopback interfaces (if there is one).

R1(config)#interface tunnel 0
R1(config-if)#tunnel source loopback 1
R1(config-if)#tunnel destination 3.3.3.3
R1(config-if)#tunnel mode ipv6ip
R3(config)#interface tunnel 0
R3(config-if)#tunnel source loopback 1
R3(config-if)#tunnel destination 1.1.1.1
R3(config-if)#tunnel mode ipv6ip

This is how we configure a tunnel interface. By default, a tunnel interface is always GRE, so with the tunnel mode ipv6ip command, I changed it to a “manual” tunnel. Let’s check the tunnel:

R1#show interfaces tunnel 0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.1.1 (Loopback1), destination 3.3.3.3
  Tunnel protocol/transport IPv6/IP
R3#show interfaces tunnel 0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 3.3.3.3 (Loopback1), destination 1.1.1.1
  Tunnel protocol/transport IPv6/IP

Use the show interfaces tunnel command to check if the tunnel is working. You can see mine is up, and the encapsulation type is TUNNEL. Our tunnel is working now, but we have some things left to do. We’ll enable IPv6 routing, and advertise the loopback and tunnel interfaces in RIPNG:

R1(config)#ipv6 unicast-routing
R1(config)#ipv6 router rip RIPNG
R1(config-rtr)#exit
R1(config)#interface loopback 0
R1(config-if)#ipv6 rip RIPNG enable 
R1(config-if)#exit
R1(config)#interface tunnel 0
R1(config-if)#ipv6 enable
R1(config-if)#ipv6 rip RIPNG enable
R3(config)#ipv6 unicast-routing 
R3(config)#ipv6 router rip RIPNG
R3(config-rtr)#exit
R3(config)#interface loopback 0
R3(config-if)#ipv6 rip RIPNG enable
R3(config-if)#exit
R3(config)#interface tunnel 0
R3(config-if)#ipv6 enable 
R3(config-if)#ipv6 rip RIPNG enable

I enabled RIPNG (I could have chosen OSPFv3 or EIGRP) on the loopback0 and tunnel0 interfaces. You can see I also used ipv6 enable on the tunnel0 interfaces, which gives them a link-local IPv6 address. We don’t need any IPv4 addresses on our tunnel0 interfaces. Let’s check the routing tables:

R1#show ipv6 route rip           
IPv6 Routing Table - 4 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
R   2001::3/128 [120/2]
     via FE80::303:303, Tunnel0
R3#show ipv6 route rip  
IPv6 Routing Table - 4 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
R   2001::1/128 [120/2]
     via FE80::101:101, Tunnel0

You can see both routers learned about each other’s IPv6 networks. Let’s try a ping:

R1#ping 2001::3 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::2, timeout is 2 seconds:
Packet sent with a source address of 2001::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

A quick ping proves that we have connectivity.

That’s all you have to do to create a manual tunnel and encapsulate IPv6 packets in IPv4 packets. Not that bad, right? How about GRE? You can easily change the tunnel type:

R1(config)#interface tunnel 0
R1(config-if)#tunnel mode gre ip
R3(config)#interface tunnel 0
R3(config-if)#tunnel mode gre ip

Use tunnel mode gre ip or type no tunnel mode ipv6ip so it switches back to the default (GRE). Let’s check the tunnel:

R1#show interfaces tunnel 0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.1.1 (Loopback1), destination 3.3.3.3
  Tunnel protocol/transport GRE/IP

It looks pretty much the same, except it now says GRE. The only differences between GRE and the manual tunnel are that GRE has a higher MTU by default and that the link-local IPv6 address of the tunnel interface is built differently:

  • The link-local address for the GRE tunnel is created with EUI-64 and takes the lowest-numbered interface’s MAC address.
  • The link-local address for the manual tunnel is FE80::/96 + 32 bits from the tunnel source IPv4 address.
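The two derivations worked through, as an added example that is not part of the original lesson. It reproduces the FE80::101:101 and FE80::303:303 next hops from the routing tables above and maps a manual-tunnel next hop back to its tunnel source; the function names are made up for this sketch and the MAC address is a constructed sample.

```python
import ipaddress

LINK_LOCAL_96 = ipaddress.IPv6Network("fe80::/96")


def manual_tunnel_link_local(tunnel_source_ipv4):
    """Manual (ipv6ip) tunnel: FE80::/96 + 32 bits of the tunnel source."""
    v4 = int(ipaddress.IPv4Address(tunnel_source_ipv4))
    return ipaddress.IPv6Address((0xFE80 << 112) | v4)


def eui64_link_local(mac):
    """GRE tunnel: FE80::/64 + modified EUI-64 built from a MAC address."""
    digits = "".join(c for c in mac if c not in ".:-")
    raw = bytes.fromhex(digits)
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit and insert FF:FE between the two halves.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def embedded_ipv4(link_local):
    """Tunnel source IPv4 hidden in a manual-tunnel next hop, else None."""
    addr = ipaddress.IPv6Address(link_local)
    if addr not in LINK_LOCAL_96:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


if __name__ == "__main__":
    # Tunnel sources and RIPng next hops as they appear in this lesson.
    for source in ("1.1.1.1", "3.3.3.3"):
        print(source, "->", manual_tunnel_link_local(source))
    for next_hop in ("FE80::303:303", "FE80::101:101"):
        print(next_hop, "->", embedded_ipv4(next_hop))
    # Constructed MAC address, not taken from the lesson's routers.
    print("c201.0d5c.0000 ->", eui64_link_local("c201.0d5c.0000"))
```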

Configurations

Want to take a look for yourself? Here you will find the final configuration of each device.

R2

hostname R2
!
interface fastEthernet 0/0
 ip address 192.168.12.2 255.255.255.0
!
interface fastEthernet 1/0
 ip address 192.168.23.2 255.255.255.0
!
router eigrp 123
 no auto-summary 
 network 192.168.12.0
 network 192.168.23.0
!
end

R3

hostname R3
!
ipv6 unicast-routing
!
interface loopback 0
 ipv6 address 2001::3/128
 ipv6 rip RIPNG enable 
!
interface loopback 1
 ip address 3.3.3.3 255.255.255.0
!
interface fastEthernet 0/0
 ip address 192.168.23.3 255.255.255.0
!
interface tunnel 0
 tunnel source loopback 1
 tunnel destination 1.1.1.1
 tunnel mode ipv6ip
 tunnel mode gre ip
 ipv6 enable
 ipv6 rip RIPNG enable
!
router eigrp 123
 no auto-summary 
 network 192.168.23.0
 network 3.3.3.0
!
ipv6 router rip RIPNG
!
ipv6 general-prefix MYPREFIX 6to4 fastEthernet 0/0
!
end

R1

hostname R1
!
ipv6 unicast-routing
!
interface loopback 0
 ipv6 address 2001::1/128
 ipv6 rip RIPNG enable 
!
interface loopback 1
 ip address 1.1.1.1 255.255.255.0
!
interface fastEthernet 0/0
 ip address 192.168.12.1 255.255.255.0
!
interface tunnel 0
 tunnel source loopback 1
 tunnel destination 3.3.3.3
 tunnel mode ipv6ip
 tunnel mode gre ip
 ipv6 enable
 ipv6 rip RIPNG enable
!
router eigrp 123
 no auto-summary 
 network 192.168.12.0
 network 1.1.1.0
!
ipv6 router rip RIPNG
!
ipv6 general-prefix MYPREFIX 6to4 fastEthernet 0/0
!
end


And that’s how you configure IPv6 static tunneling. If you have any questions just leave a comment!



Forum Replies

  1. Tunnel interface IP is not required. Is it not necessary?

  2. IPv6 uses the link-local addresses as the next-hop for routing entries so there is no need to configure a “global” IPv6 address.

  3. Hello,
    I see that you are using multiple interfaces, but our router is only base license... which means we can only have up to 2 interfaces (that are not physical).

    Will it be possible with only 2 interfaces and (loopback 0&1) and have the tunnel physical? I see that you write that it can be physical, but what kind of changes would we need to do if so?

  4. Hi Tor,

    The tunnel0 interface is using the source IP addresses of my loopback interfaces. You can also build the tunnel between the IP addresses on the FastEthernet0/0 interfaces. Just use those as the source and destination and you are ready to go.

    Rene

  5. Hello Rene, and thanks for the previous answer. We got it fixed: we changed two of the routers to Cisco 1812, and the one running IPv4 only is an ASA 5505. We are kinda stuck again though. I want all the other FastEthernet ports (1-9) behind, let’s say, destiny (Cisco 1812), to access the servers behind cryo. Whatever I do, it won’t work…

    Thanks again,
    regards
