Multiple ISATAP border routers

ARJAN TOXOPEUS
Level 4

Hi All! have a challenge...

Am working on MS UAG DirectAccess and we have 6 sites out there.

The requirement was to also have manage-out functionality working.

To get this done we have 1 global ISATAP cloud. In each Datacenter we have a Cisco 2800 running 6to4 tunneling and ISATAP tunnel for autoconfiguration of the hosts.

Now all is working with the default commands.

The challenge is that because we have 6 ISATAP routers, the Win7 client's ISATAP adapter also has 6 default gateways in the local routing table. So it can happen that the traffic from a host is sent halfway across the globe before reaching an ISATAP router.

Although this router will then be able to send back the client to the correct ISATAP border router, it's adding a huge delay.

Now I have an ISATAP tunnel on one of the boxes that looks like this.

interface Tunnel0
no ip address
ipv6 address 2002:B1A1:6951:8000::/64 eui-64
ipv6 enable
ipv6 nd prefix 2002:B1A1:695A:8100::/64 infinite infinite no-autoconfig
no ipv6 nd suppress-ra
tunnel source GigabitEthernet0/1
tunnel mode ipv6ip isatap
end

I found that I can add several prefixes but this leads to having several IPs on the NIC of the ISATAP host.

I can block that by adding the no-autoconfig:

ipv6 nd prefix 2002:C1A1:615A:8100::/64 infinite infinite no-autoconfig

What I want is that the Windows host adds a route with default gateway to its local routing table so it knows the shortest path to this cloud.

The above works but the route appears as on-link.

Does anyone know how to get the route in with the gateway IP fe80:x.x.x.x instead of On-link??

Greatly appreciated!

Arjan

4 Replies

Michael Vincent
Level 1

Since this is one cloud, could you use an Anycast address for the ISATAP routers?  This way, the hosts would see the same prefix from all ISATAP routers and configure only a single IPv6 address and should reach the 'closest' ISATAP router (based on routing metrics) due to the Anycast addressing.

Hi again,

Well the problem is not that they do not have an ip in the same cloud. They do. All ISATAP routers have the same IPv6 prefix setup and the clients get this prefix.

The problem is that because there are 6 isatap entries in DNS they connect to each one and get the info from all routers. This leads to 6 default ::/0 gateways. One towards each datacenter ISATAP router.

This means that an ISATAP client in SiteA could connect to the ISATAP router in SiteB when it actually should talk to the SiteA ISATAP router.

In itself not a problem as the router in SiteB has the correct routes so traffic is sent back to the router in SiteA. But this leads to traffic flowing across the globe.

To resolve this I want to add routes to the advertisement so that the ISATAP router in SiteA adds a route to the local IPv6 nets connected to it.

Adding the second prefix as shown above works but the only thing is that the gateway for this route shows as On-Link. It should show the fe80:

Was hoping that anyone would know how to configure the ISATAP nd advertisement to make that happen. Or show me an alternative way of injecting a route into the WIN7 client routing table from a Cisco router.

Arjan

Maybe I'm missing something about your configuration or I didn't convey the anycast solution in enough detail.

Using an anycast address for the ISATAP routers implies all 6 will have the *same* address.  Thus, only 1 DNS entry.  This is similar to anycast RP for multicast:

http://www.cisco.com/en/US/docs/ios/solutions_docs/ip_multicast/White_papers/anycast.html

or the IPv4 anycast you're probably using for your 6to4 relay:  192.88.99.1.

The clients would see only 1 IPv6 prefix, only "1" ISATAP router (the anycast address) and thus configure only 1 gateway route.  Routing metrics would route the clients to the 'closest' ISATAP router, not across the globe.  See:

http://en.wikipedia.org/wiki/Anycast

http://tools.ietf.org/html/draft-templin-isatap-dhcp-06#appendix-B

If that won't work for you, you can hardcode the Win 7 clients with the following:

C:\> netsh interface ipv6 isatap set router

cheers.

I hear what you are saying but it should be possible to get these routes in just as a WIN2008 server running as ISATAP router does.

Before running external ISATAP border routers the MS UAG server was acting as ISATAP router.

The routing table looked like this:

*****

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
12    266 ::/0                     fe80::5efe:10.200.248.6
  1    306 ::1/128                  On-link
12   4106 2002::/16                fe80::5efe:10.200.248.6
12    266 2002:1a5c:12d5::/64      fe80::5efe:10.200.248.6
12     18 2002:1a5c:12d5:8000::/49 On-link
12     18 2002:1a5c:12d5:8000::/64 On-link
12    266 2002:1a5c:12d5:8000:0:5efe:10.200.140.5/128
                                    On-link
12    266 2002:1a5c:12d5:8100::/64 fe80::5efe:10.200.248.6
12    266 2002:1a5c:12d5:8101::/64 fe80::5efe:10.200.248.6
12    266 2002:1a5c:28e7::/64      fe80::5efe:10.200.248.6
11    266 fe80::/64                On-link
12    266 fe80::5efe:10.200.140.5/128
                                    On-link
11    266 fe80::844e:fbcd:6d2:6e67/128
                                    On-link
  1    306 ff00::/8                 On-link
11    266 ff00::/8                 On-link

****************

Here you can see that the client received 3 routes for the UAG DirectAccess specific clients where there is a next-hop router defined.

The setup running this via Cisco ISATAP shows the same except it does not add the fe80::5efe:10.200.248.6 as router address. Instead it shows On-Link.

Think the Anycast might be helpful but would prefer to stick to the basic ISATAP config.

So am looking for the correct command on the ISATAP tunnel interface.

Also any info on how to interconnect multiple ISATAP clouds is very much appreciated since it seems to be hard to find.

Appreciate it!

Arjan
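
As a diagnostic for the symptom discussed in this thread, here is an added example (not part of any post above, and not Cisco or Microsoft code). It parses a Windows IPv6 route table in the layout quoted above, lists the ISATAP routers installed as ::/0 next hops by decoding the IPv4 address embedded in each fe80::5efe:a.b.c.d gateway, and lists the global prefixes that appear as On-link. The sample table is constructed; its second default route (10.100.248.6) and all function names are assumptions.

```python
import ipaddress
import re
# Constructed sample in the layout of the route table quoted in the thread.
# The second ::/0 row (10.100.248.6) is invented to show the multi-router case.
SAMPLE = """\
If Metric Network Destination      Gateway
12    266 ::/0                     fe80::5efe:10.200.248.6
12    266 ::/0                     fe80::5efe:10.100.248.6
12     18 2002:1a5c:12d5:8000::/64 On-link
12    266 2002:1a5c:12d5:8000:0:5efe:10.200.140.5/128
                                    On-link
12    266 2002:1a5c:12d5:8100::/64 fe80::5efe:10.200.248.6
"""
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_routes(text):
    """Parse route rows; a long destination wraps its gateway onto the next line."""
    routes, pending = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            iface, _metric, dest, gw = m.groups()
            row = {"if": int(iface), "dest": ipaddress.ip_network(dest, strict=False), "gateway": gw}
            routes.append(row)
            pending = None if gw else row      # remember rows still missing a gateway
        elif pending is not None and line.strip():
            pending["gateway"] = line.strip()  # continuation line carries the gateway
            pending = None
    return routes

def isatap_ipv4(gateway):
    """Return the IPv4 address embedded in an ISATAP address (...:5efe:a.b.c.d), else None."""
    try:
        iid = int(ipaddress.IPv6Address(gateway)) & (2**64 - 1)
    except ValueError:                         # "On-link" or anything that is not an address
        return None
    if ((iid >> 32) & 0xFDFFFFFF) != 0x00005EFE:   # accepts 0000:5efe and 0200:5efe (u bit)
        return None
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))

def default_routers(routes):
    """IPv4 addresses of the ISATAP routers installed as ::/0 next hops."""
    hops = (isatap_ipv4(r["gateway"]) for r in routes if r["dest"].prefixlen == 0)
    return [h for h in hops if h]

def onlink_global_prefixes(routes):
    """Global-unicast prefixes (not host routes) installed without a next hop."""
    glob = ipaddress.ip_network("2000::/3")
    return [str(r["dest"]) for r in routes if r["gateway"] == "On-link"
            and r["dest"].prefixlen < 128 and r["dest"].subnet_of(glob)]
```

More than one entry from `default_routers` corresponds to the multiple ::/0 gateways described in the first post; entries from `onlink_global_prefixes` are the prefixes that were installed without a router next hop.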
