Intra-site Automatic Tunneling Addressing Protocol is an automatic tunneling mechanism which builds a tunnel for carrying IPv6 traffic over IPv4 within an IPv4 network.Like 6to4 tunnels, ISATAP uses the underlying IPv4 network as an NBMA link layer for IPv6 and determines the destination on
a per packet basis i.e. point-to-multipoint.It allows individual IPv4 or IPv6 dual-stack hosts within a site to communicate with other such hosts on the same virtual link, basically creating an IPv6 network using the IPv4 infrastructure.
The main difference between automatic 6to4 tunnels and ISATAP tunnels is that the automatic 6to4 is Inter-site tunnel that allows IPv6 traffic between different sites where as ISATAP as the name specifies is for Intra-site which can be used for transporting IPv6 packets within a site, but not between sites.Another aspect is the address prefix used in sites, 6to4 sites uses addresses from 2002::/16 prefix where as ISATAP tunneling sites can
use any IPv6 unicast address.
This document provides sample configuration of IPv6 ISATAP Tunneling in Cisco IOS routers.
When configuring ISATAP tunneling, there are 2 modes involved.
ISATAP router (it can be a router or server like Windows Server ) which has the IPv6 capabilities enabled and it advertise the network which
nodes can use to configure the IPv6 address when connected to the Ethernet interface.
ISATAP Client establishes a static tunnel to the server and requests for IPv6 address.Usually end hosts will be ISATAP clients such as
Windows PC with IPv6 enabled initiates the tunnel with ISATAP router.
The ISATAP router/server uses unicast addresses that include a 64-bit IPv6 prefix and a 64-bit interface identifier. The interface identifier is created in modified EUI-64 format in which the first 32 bits contain the value 000:5EFE to indicate that the address is an IPv6 ISATAP address.
In this document, the routers R1, R2 and R3 forms underlying IPv4 network using RIPv2. The router R1 is configured as ISATAP router with IPv6 capabilities enabled. In order to configure ISATAP client, IPv6 unicast routing can be disabled on the client router, so that it will behave as a
true client and install a default IPv6 static route.Loopback addresses are configured on the routers in order to generate networks.
While configuring ISATAP Tunnel, the tunnel source should be an interface configured with IPv4 address. The tunnel source command used in the configuration of an ISATAP tunnel must point to an interface with an IPv4 address configured.
TheIPv6 tunnel interface must be configured with a modified EUI-64 address because the last 32 bits in the interface identifier are formed using the IPv4 tunnel source address.
Note: All configuration is tested on Cisco 7200 Series Router running on IOS Version 15.0(1)M Advance IP Services Image.
To display the detailed information of the tunnel interface, use this command .
In router R1
R1#show ipv6 interface tunnel 1 Tunnel1 is up, line protocol is up IPv6 is enabled, link-local address is FE80::5EFE:101:101 No Virtual link-local address(es): Global unicast address(es): 2001:DB8:AA10:10:0:5EFE:101:101, subnet is 2001:DB8:AA10:10::/64 [EUI] Joined group address(es): FF02::1 FF02::2 FF02::1:FF01:101 MTU is 1480 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ICMP unreachables are sent ND DAD is not supported ND reachable time is 30000 milliseconds (using 30000) ND advertised reachable time is 0 (unspecified) ND advertised retransmit interval is 0 (unspecified) ND router advertisements are sent every 200 seconds ND router advertisements live for 1800 seconds ND advertised default router preference is Medium Hosts use stateless autoconfig for addresses.
In the above output you can see that the IPv6 address is formed using eui-64 mechanism but in a modified format.The eui-64 prefix 2001:DB8:AA10:10 is followed by 0000:5EFE indicating that the address is an ISATAP address and then the next 32 bits are taken from IPv4
address of the source interface i.e. in our case its loopback interface 0 which has IPv4 address 126.96.36.199------->Converted to HEX forms---->101:101.
In router R3
R3#show ipv6 interface tunnel 1 Tunnel1 is up, line protocol is up IPv6 is enabled, link-local address is FE80::AC10:6402 No Virtual link-local address(es): Stateless address autoconfig enabled Global unicast address(es): 2001:DB8:AA10:10::AC10:6402, subnet is 2001:DB8:AA10:10::/64 [EUI/CAL/PRE] valid lifetime 2591892 preferred lifetime 604692 Joined group address(es): FF02::1 FF02::1:FF10:6402 MTU is 1480 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ICMP unreachables are sent ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds (using 30000) Default router is FE80::5EFE:101:101 on Tunnel1
The above output shows that the ISATAP client has received its IPv6 prefix from the ISATAP router which is 2001:DB8:AA10:10 and appended
its IPv4 address of the source interface G1/0 address 172.16.100.2---->Converted to HEX---->AC10:6402.
Also note that the default router is given as ISATAP router R1 by appending the ISATAP address identifier 0:5EFE with source interface Lo 0 address 188.8.131.52--->converted to HEX--->101:101 forming the default router address as FE80::5EFE:101:101
Show ipv6 route
To display routing table information
R3#show ipv6 route IPv6 Routing Table - default - 4 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary D - EIGRP, EX - EIGRP external, ND - Neighbor Discovery O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 S ::/0 [2/0] via FE80::5EFE:101:101, Tunnel1 C 2001:DB8:AA10:10::/64 [0/0] via Tunnel1, directly connected L 2001:DB8:AA10:10::AC10:6402/128 [0/0] via Tunnel1, receive L FF00::/8 [0/0] via Null0, receive
Note that we have disabled the IPv6 unicast routing in client router, the router has installed a static route pointing to Tunnel 1 i.e. towards
Now the ISATAP router should be able to ping the client i.e. router R3
Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:AA10:10::AC10:6402, timeout is 2 seconds: !!!!!
Hello Guys,I have question how can I solve below problem:My customer have 2 office which are connected via public IP, but this two office has the same subnet 192.168.5.0/24.I can't do L2 between this sites, so I created my own LAB and I trying to emulate ...
Hi,I try to register DNA Advantage license for 9300 network device through the DNAC Server.Why I tried to do it for the selected devices, I got a warning message : "Unable to initiate register license for selected device(s) as task is already in progress"...
Hello,I have an ASR1001 with 2 full view BGP. I would like to send the full table of ASR1001 to another peer.The peer wants me to be their second IP transit. What type of configuration to perform and the right method to send a full view ? Thank ...
TLDR: Kindly verify that based upon the shared config from our ASA 5506-X, and based upon documentation for our "FlexIP" security alarm, that our firewall is not blocking traffic fromthe alarm system, and causing it to go haywire.I'll post a copy of...
I have an older Cisco 2960 Catalyst switch that has been in operation for years with 7962 phones behind it. The config has not changed and all of a sudden I have begun having trust issues with the phones: May 8 21:23:25 EDT: %SWITCH_QOS_TB-5-TR...