IPv6 ISATAP (Intra Site Automatic Tunnel Addressing Protocol)

ISATAP (Intra Site Automatic Tunnel Addressing Protocol) is an IPv6 tunneling technique that allows you to connect IPv6 over an IPv4 network, similar to the automatic 6to4 tunnel.

On your IPv4 network, you can configure one of your routers as an IPv6 “headend” ISATAP router that your IPv6 hosts can connect to. The IPv4 source address of the ISATAP clients and router is embedded in the IPv6 address so that each device knows how to get to the other side of the IPv4 network.

Here’s what the IPv6 address looks like:

Ipv6 Isatap Prefix Format

The first 64 bits are for the prefix, and you can pick anything you like. Global unicast, link-local addresses, both are possible. The next 64 bits are divided into two parts:

  • 0000:5EFe: this is a reserved UOI value which indicates that this is an ISATAP address.
  • the remaining 32 bits embed the IPv4 address, in hexadecimal.

ISATAP was designed for intra site, in other words…within your site, not between sites. However, nothing is stopping you from running this between sites.

It is easy to configure, and many clients support ISATAP,  including any recent Windows or Linux OS. You can configure the tunnel destination address manually or add it to a DNS server so that it’s easy to find.

One disadvantage of ISATAP is that it does not support IPv6 multicast. This means you won’t be able to run routing protocols like OSPFv3 or EIGRP.

Configuration

Cisco IOS supports both the ISATAP client and headend router. In this lesson, I use the following topology:

Ipv6 Isatap Example Topology

R1 is the ISATAP client, R3 is the headend router. We will use 2001:DB8:13:13::/64 as the prefix on the tunnel interface. I use OSPFv2 so that R1 and R3 are able to reach each other through IPv4. R3 also has a loopback interface with an IPv6 address, something we can try to ping from R1.

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device.

R1

hostname R1
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 192.168.12.0 0.0.0.255 area 0
!
end

R2

hostname R2
!
ip cef
!
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
!
interface FastEthernet1/0
ip address 192.168.23.2 255.255.255.0
!
router ospf 1
 router-id 2.2.2.2
 network 192.168.12.0 0.0.0.255 area 0
 network 192.168.23.0 0.0.0.255 area 0
!
end

R3

hostname R3
!
ip cef
!
interface Loopback0
 ipv6 address 2001:DB8:3:3::3/128
!
interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 192.168.23.0 0.0.0.255 area 0
!
end

Headend

Let’s start with the headend router. First, we need to enable IPv6 unicast routing:

R3(config)#ipv6 unicast-routing

Now we can focus on the tunnel interface:

R3(config)#interface Tunnel 0
R3(config-if)#ipv6 address 2001:db8:13:13::/64 eui-64
R3(config-if)#no ipv6 nd suppress-ra
R3(config-if)#tunnel source FastEthernet0/0
R3(config-if)#tunnel mode ipv6ip isatap

I configure the 2001:DB8:13:13::/64 prefix and let the router configure the last 64 bits using EUI-64. You’ll see in a bit what address we end up with. By default, the router will not send router advertisements on the tunnel interface which is why we need to add the no ipv6 and suppress-ra command,

Client

Let’s configure our client:

R1(config)#interface Tunnel 0
R1(config-if)#ipv6 address autoconfig
R1(config-if)#tunnel source FastEthernet 0/0
R1(config-if)#tunnel destination 192.168.23.3
R1(config-if)#tunnel mode ipv6ip

The tunnel interface is configured to configure its IPv6 address automatically.  The tunnel source is our FastEthernet 0/0 interface and the destination is the IPv4 address of R3.

Verification

Let’s see if our configuration works. I’ll start with the headend router…

Headend

Let’s take a look at our tunnel interface:

R3#show ipv6 interface Tunnel 0
Tunnel0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::5EFE:C0A8:1703 
  Global unicast address(es):
    2001:DB8:13:13:0:5EFE:C0A8:1703, subnet is 2001:DB8:13:13::/64 [EUI]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FFA8:1703
  MTU is 1480 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is not supported
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.

Above, we see a couple of interesting things:

  • Both the link-local and global unicast prefix have the 0000:5EFE: bits that indicate that this is an ISATAP address.
  • Our IPv6 addresses end with C0A8:1703.
  • We can verify that this router is sending router advertisements.

Below you can see the decimal IPv4 address that is embedded in the IPv6 address:

Decimal 192 168 23 3
Binary 11000000 10101000 00010111 00000011
Hexadecimal C0 A8 17 03

Client

Let’s take a look at our client:

R1#show ipv6 interface Tunnel 0
Tunnel0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C0A8:C01 
  Global unicast address(es):
    2001:DB8:13:13::C0A8:C01, subnet is 2001:DB8:13:13::/64 [PRE]
      valid lifetime 2591842 preferred lifetime 604642
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FFA8:C01
  MTU is 1480 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  Default router is FE80::5EFE:C0A8:1703 on Tunnel0

Above, we see two interesting items:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 662 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

501 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags:


Forum Replies

  1. Hello,

    I have a question regarding the 6to4 implementation:
    Should it work if i use another prefix than 2002:?

    I read couple of articles and in every place it’s written that 2002 is reserved for 6to4 implementation (like router knows how to extract 32 bit IPv4 address encoded in Hex format that goes after that prefix).

    But in my lab i just used another prefix (just for testing): 1002: and the 6to4 stuff worked properly as well.

    Can you please explain this behavior? Is it a correct and expected behavior or not?

    Thanks,
    Vladimir

  2. Hi @hussien.samer

    Remove the following two static routes:

    R1(config)#ipv6 route 2001::3/128 2002:C0A8:1703::3  
    R3(config)#ipv6 route 2001::1/128 2002:C0A8:C01::1  
    

    And then add a BGP configuration like this. R1:

    R1(config)#router bgp 13
    R1(config-router)#bgp log-neighbor-changes
    R1(config-router)#neighbor 2002:C0A8:1703::3 remote-as 13
    
    R1(config-router)#address-family ipv6
    R1(config-router-af)# neighbor 2002:C0A8:1703::3 activate
    R1(config-router-af)#exit-address-family
    

    R3:

    R3(config)#router bgp 13
    R3(config-router)#bgp log-neighbor-changes
    R3(config-router
    ... Continue reading in our forum

  3. Hey, can you please explain this sentence more thoroughly:
    “The second step is that we can create subnets from /48 up to /64 prefixes for all the subnets behind the end-point.”

    Why shouldn’t we always use a host mask (/128) for the tunnel 6to4 address?
    (2002:C0A8:1703::/128 for your configuration)

  4. Hello Inon

    If we have an IPv4 address of 192.168.23.3 as in the lesson, then the automatic 6to4 tunnelling will use 2002:C0A8:1703 as the beginning of the IPv6 address. Now from this, we can use any subnet prefix of /48 to /64 to represent the IPv6 addresses behind each end of the tunnel. So in a sense, 2002:C0A8:1703::/48 represents the tunnel interface on R1. All IPv6 addresses behind R1 will be mapped to the appropriate address. For example:

    We ping from 2001::3/128 to 2001::1/128. When the ping reaches R3, it will be converted to 2002:C0A8:1703::1, sen

    ... Continue reading in our forum

29 more replies! Ask a question or join the discussion by visiting our Community Forum