Showing results for 
Search instead for 
Did you mean: 






Intra-site Automatic Tunneling Addressing Protocol is an automatic tunneling mechanism which builds a tunnel for carrying IPv6 traffic over IPv4 within an IPv4 network.Like 6to4 tunnels, ISATAP uses the underlying IPv4 network as an NBMA  link layer for IPv6 and determines the destination on

a per packet basis i.e. point-to-multipoint.It allows individual IPv4 or IPv6 dual-stack hosts within a site to communicate with other such hosts on the same virtual link, basically creating an IPv6 network using the IPv4 infrastructure.


The main difference between automatic 6to4 tunnels and ISATAP tunnels is that the automatic 6to4 is Inter-site tunnel that allows IPv6 traffic between different sites where as ISATAP as the name specifies is for Intra-site which can be used for transporting IPv6 packets within a site, but not between sites.Another aspect is the address prefix used in sites, 6to4 sites uses addresses from 2002::/16 prefix where as ISATAP tunneling sites can

use any IPv6 unicast address.


This document provides sample configuration of IPv6 ISATAP Tunneling in Cisco IOS routers.



Refer to Implementing IPv6 Addressing and Basic Connectivity for basic understanding on IPv6.




When configuring ISATAP tunneling, there are 2 modes involved.


  • ISATAP router (it can be a router or server like Windows Server ) which has the IPv6 capabilities enabled and it advertise the network which

       nodes can use to configure the IPv6 address when connected to the Ethernet interface.

  • ISATAP Client establishes a static tunnel to the server and requests for IPv6 address.Usually end hosts will be ISATAP clients such as

        Windows PC with IPv6 enabled initiates the tunnel with ISATAP router.


The ISATAP router/server uses unicast addresses that include a 64-bit IPv6  prefix and a 64-bit interface identifier. The interface identifier is  created in modified EUI-64 format in which the first 32 bits contain the  value 000:5EFE to indicate that the address is an IPv6 ISATAP address.


In this document, the routers R1, R2 and R3 forms underlying IPv4 network using RIPv2. The router R1 is configured as ISATAP router with IPv6 capabilities enabled. In order to configure ISATAP client, IPv6 unicast routing can be disabled on the client router, so that it  will behave as a

true client and install a default IPv6 static route.Loopback addresses are configured on the routers in order to generate networks.




  • While configuring ISATAP Tunnel, the tunnel source should be an interface configured with IPv4 address. The tunnel source command used in the configuration of an ISATAP tunnel must point to an  interface with an IPv4 address configured.
  • The IPv6 tunnel interface must be configured with a modified  EUI-64 address because the last 32 bits in the interface identifier are formed using the IPv4 tunnel source address.


Note: All configuration is tested on Cisco 7200 Series Router running on IOS Version  15.0(1)M Advance IP Services Image.


Topology Diagram


ipv6 isatap tunneling.jpeg




For  complete configuration, see attached files (R1, R2 and R3). - See more  at:


Configuring ISATAP Router

Configuring router R1 as ISATAP router involves the following steps:



host name R1


ipv6 unicast-routing



interface Tunnel1

no ip address

no ip redirects

ipv6 address 2001:DB8:AA10:10::/64 eui-64

!...Note that any /64 IPv6 address will work

no ipv6 nd ra suppress

!...On a tunnel interface, IPv6 router advertisements (IPv6 ra) is suppressed by default. 
This command re-enables sending IPv6 Ra's and also allows client auto-configuration

tunnel source Loopback0

!...The tunnel source should be an interface configured with IPv4 address.

tunnel mode ipv6ip isatap

!...Enables IPv6 overlay tunnel using a ISATAP address.



Configuring ISATAP Client

Configuring router R3 as ISATAP client involves the following steps:



hostname R3


!.. Note that IPv6 Unicast routing is not configured in the client router


interface Tunnel1

no ip address

ipv6 address autoconfig

!...ISATAP client tunnel 1 acquires IPv6 address automatically from ISATAP router and appends the client's

IPv4 address at the end.

ipv6 enable

tunnel source GigabitEthernet1/0

tunnel mode ipv6ip

tunnel destination




Note: For complete configuration,see attached files (R1, R2 and R3)

For  complete configuration, see attached files (R1, R2 and R3). - See more  at:
For  complete configuration, see attached files (R1, R2 and R3). - See more  at:


Verify Commands

Show IPv6 Interface


To display the detailed information of the tunnel interface, use this command .


In router R1


R1#show ipv6 interface tunnel 1
Tunnel1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::5EFE:101:101
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:DB8:AA10:10:0:5EFE:101:101, subnet is 2001:DB8:AA10:10::/64 [EUI]
  Joined group address(es):
  MTU is 1480 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is not supported
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.


In the above output you can see that the IPv6 address is formed using eui-64 mechanism but in a modified format.The eui-64 prefix    2001:DB8:AA10:10 is followed by 0000:5EFE indicating that the address is an ISATAP address and then the next 32 bits are taken from IPv4

address of the source interface i.e. in our case its loopback interface 0 which has IPv4 address>Converted to HEX forms---->101:101.


In router R3


R3#show ipv6 interface tunnel 1
Tunnel1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::AC10:6402
  No Virtual link-local address(es):
  Stateless address autoconfig enabled
  Global unicast address(es):
   2001:DB8:AA10:10::AC10:6402, subnet is 2001:DB8:AA10:10::/64 [EUI/CAL/PRE]
      valid lifetime 2591892 preferred lifetime 604692
  Joined group address(es):
  MTU is 1480 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  Default router is FE80::5EFE:101:101 on Tunnel1


The above output shows that the ISATAP client has received its IPv6 prefix from the ISATAP router which is 2001:DB8:AA10:10 and appended

its IPv4 address of the source interface G1/0 address>Converted to HEX---->AC10:6402.


Also note that the default router is given as ISATAP router R1 by appending the ISATAP address identifier 0:5EFE with source interface Lo 0 address>converted to HEX--->101:101 forming the default router address as FE80::5EFE:101:101


Show ipv6 route


To display routing table information


R3#show ipv6 route
IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   ::/0 [2/0]
     via FE80::5EFE:101:101, Tunnel1
C   2001:DB8:AA10:10::/64 [0/0]
     via Tunnel1, directly connected
L   2001:DB8:AA10:10::AC10:6402/128 [0/0]
     via Tunnel1, receive
L   FF00::/8 [0/0]
     via Null0, receive


Note that we have disabled the IPv6 unicast routing in client router, the router has installed a static route pointing to Tunnel 1 i.e. towards

ISATAP router.




Now the ISATAP router should be able to ping the client i.e. router R3


R1#ping 2001:DB8:AA10:10::AC10:6402


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:AA10:10::AC10:6402, timeout is 2 seconds:




Routing Information Protocol
Level 1
Level 1


If we were to run OSPFv3 inside the tunnel then what would be the OSPF network type ?

Should it be non-broadcast or point-to-point ?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: