Ipv6 ISATAP tunneling


Comparing with other tunneling techniques like 6to4, ISATAP (Intra-site Automatic Tunnel Addressing Protocol) tunneling builds a tunnel for transport of IPv6 traffic over IPv4 within an IPv4 network, not between IPv6 networks.

ISATAP treats IPv4 network as NBMA and determines the destination on a per packet-basis (point-to-multipoint).

There is two ISATAP node behaviors, client and server : Each client builds a static tunnel to the server and requests an IPv6 address. The server (dedicated router or Windows any *nix server) with ipv6 functionalities enabled, will advertise IPv6 network information and allow IPv6 nodes to configure their applications as they were connected to an Ethernet interface.

In this Lab a server 2003 is configured as a ISATAP client node and a Cisco Router as an advertiser, ISATAP server.

The client ISATAP configuration is also applicable to windows XP workstations as well.

ISATAP address scheme is developed as follow:

64-bit link-local or global unicast prefix + 0000:5EFE + <IPv4 of ISATAP link>

0000:5EFE == the ISATAP identifier.


ISATAP router configuration:

Router Ethernet interface should be configured to communicate with all nodes that want to communicate in IPv4.

interface FastEthernet0/0
ip address
no sh
ISATAP-srv#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 YES manual up up

Tunnel0 unassigned YES unset up up


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:


Success rate is 100 percent (5/5), round-trip min/avg/max = 4/22/40 ms


The interface is up and the ipv4 address connectivity is verified, this allows the communication between IPv6 nodes and the router to automatically configure their ISATAP information.

On the tunnel interface, IPv6 RA (router advertisement) is disabled by default and need to be re-enabled, also the ISATAP is specified under IPv6 over ipv4 tunnel mode.

ipv6 unicast-routing
interface Tunnel0
ipv6 address 2001:DB8:2:1::/64 eui-64
no ipv6 nd suppress-ra
tunnel source FastEthernet0/0

tunnel mode ipv6ip isatap

no sh

IPv6 information are correctly configured and verified:

ISATAP-srv#sh ipv6 int brief
FastEthernet0/0 [up/up]
 Tunnel0 [up/up]




ISATAP node configuration:

First of all ipv6 protocol must be enabled on windows server 2003 /XP, then within “netsh”  ISATAP ipv6 mode must be specified.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\>netsh interface ipv6 isatap set router \\
C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : mngmnt
Primary Dns Suffix . . . . . . . : nouri.com

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : nouri.com

Ethernet adapter loopback:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Microsoft Loopback Adapter

Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . :

Subnet Mask . . . . . . . . . . . :

IP Address. . . . . . . . . . . . : fe80::4cff:fe4f:4f50%6

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1



Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%5

Default Gateway . . . . . . . . . :

NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Automatic Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface

Physical Address. . . . . . . . . : C0-A8-2B-68

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : fe80::5efe:

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1



NetBIOS over Tcpip. . . . . . . . : Disabled


ISATAP router and ipv6 node are communicating with success as the node is reached through its dynamically configured address:

ISATAP-srv#ping ipv6 fe80::5efe:c0a8:2b68
Output Interface: tunnel 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::5EFE:C0A8:2B68, timeout is 2 seconds:

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/33/44 ms


Figure2: IPv6 traffic capture


Router ISATAP-srv configuration:

ISATAP-srv#sh run
ipv6 unicast-routing
interface Tunnel0

ipv6 address 2001:DB8:2:1::/64 eui-64

no ipv6 nd suppress-ra

tunnel source FastEthernet0/0

tunnel mode ipv6ip isatap
interface FastEthernet0/0
ip address

About ajnouri
Se vi deziras sekure komuniki eksterbloge, jen mia publika (GPG) ŝlosilo: My public key for secure communication: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x41CCDE1511DF0EB8

9 Responses to Ipv6 ISATAP tunneling

  1. Sinan KAYA says:

    My name is Sinan KAYA and I live in Belgium. I’m following network management program at the moment. Actually I was searching for a solution to my
    problem and have been redirected to this page. The information which you spread here about tunnel applications may be very usefull but it can also be
    used for a wrong purpose like I’ve been experiencing last few weeks. My pc at home and notebook have been hacked by a docent on this way who gives us networking lessons at school.He gained his first access via vmware at school which I had to give permission for to learn building servers and related applications. He could easily get the ip and mac adresses of my notebook and also information about my network at home. He gained full controle on my other pc with Windows XP and has brought it to a unusable state. He has also reserved some of the ports for himself on my notebook with Windows 7 which are no more under my controle. Up to his wish he is making changes on my system and I don’t know any good advice to get rid of him. When I disable isatap,teredo tunneling for pseudo interface services and TCP/ipv6 protocole my system is crashing and I’m being obliged to make a system recovery(it’s also possible only for a few system recovery points) which results with his gaining his access back. School management don’t want to believe this and they even don’t check it out. And the policemen don’t have enough knowledge about hacking and think it’s not possible and also too lazy to ask for permission to check my provider information. And the docent is telling his misuse to the people close to him and showing my personal data as a glorious victory. Every detail which I have told here is true but I don’t know how can I proeve it and also don’t know any good advice to get completely rid of this problem. Thanks in advance.

    Kind regards,

    Sinan KAYA

    • cciethebeginning says:

      Hi Sinan,

      These are general advices and I encourage you to look for more appropiate sites for the subject matter :
      1- Start by changing ALL your account passwords (financial accounts and other critical data…) by phone or maybe locally, certainly NOT from the same computer!
      2- Unplug your computer from Internet and replace your anti-virus and anti-malware by a more efficient ones, generally they are not too expensive(30$-70$).
      Something like “Zonealarm” provide a suite with anti-virus+anti-malware+personal firewall (try version available)
      3- Check the entire PC with your anti-virus + anti-malware.
      4- If your PC is “entirely” controlled by the hacker (Trojans, key-loggers, rootkits, remote control, backdoors…) maybe a good idea is to backup your most critical data (after cleaning them of course!) and reinstall your OS from the scratch.
      5- A personal firewall with a restrictive mode(zonealarm for example), can detect any incoming and outgoing attempts of connection (IPv6 application included)
      You can see what applications or programs are requesting a connection and allow or deny them.
      For program you don’t know, google them a lot of resources available about legitimate and illegitimate processes and programs. (I think there is such an integrated service in ZoneAlarm)
      6- If IPv6 is not supported by the firewall, disable ISATAP/teredo IPv6 tunneling because of the risk to bypass your network firewall (or NAT box).
      7- Further consider “https”, “secure email connections”, SSL and VPN clients for your data transmission over the Internet.
      8- And remember being safe in not only a question of software or hardware or technical threats, but mostly “social engeneering” and your behavior concerning things like: email-links, attachement, downloading, what sites and content to trust and what data you trust to the network.

      Good luck and good work!

  2. Azi says:

    Hello ,

    I just checked your ISATAP tunneling lesson which is very good, and quite handy . I think for the results you are using wire shark or Ethreal . I can see in results the tunnle is setuped but why dosent its says “ISATAP tunnel ” rather it says “Internet Protocol Verson 6 “. Because if you setup GRE , on wire shark it will show you GRE tunneling . SO i was thinking what is the logical reason behind that.
    Thank you

  3. Azi says:

    Secondly i wanted to check the performance of the tunnels ,but i dont know any good software to do that , i have searched on internet but i got only one free software called “IPerf” . So if you can suggest me any software for the performance checking of tunnels.

    I am using XP for my system , and Cisco routers , so i want to know the CPU usage, jitter , delay etc of the router having a tunnel set uped and traffic going through that . Please kindly if you can help me in that regards .

    Thank you
    Kind Regards ,

    • cciethebeginning says:

      Hi Azi,
      ISATAP is a basic tunneling mechanism (protocol 41: encapsulation of IPv6 inside ipv4) not based on GRE
      – link to a pdf document illustrating ISATAP encapsulation.
      ISATAP belongs to the general category of transition 6to4 which encompass the following techniques:
      – ISATAP
      PTM (Point-to-Multipoint)
      Deployed inside IPv4 local site / campus
      :0:5EFE: /64

      – Automatic IPv4-compatible
      PTM (Point-to-Multipoint)
      typically between two IPv6 sites

      – Automatic 6to4 (IPv6 over IPv4)
      PTM (Point-to-Multipoint)
      typically between two and more IPv6 sites
      tunnel addresses are configured per-site= f (IPv4)hex

      – Manual 6to4 (IPv6 over IPv4)
      PTP (Point-to-Point)
      tunnel addresses are configured per-pair (IPv6 tunnel borders belong to the same subnet)

      – IPv6 over IPv4 GRE (any IPv6 over IPv4)
      PTP (Point-to-Point)
      tunnel addresses are configured per-pair (IPv6 tunnel borders belong to the same subnet)

      For performance measurement you can Jperf (http://sourceforge.net/projects/jperf/) to stress links and for SLA, the amazing Cisco IP SLA integrated feature, more accurate for jitter/Latency/Loss monitoring with great flexibility.

  4. Where can I find Turkish of this article

  5. Eduu says:

    First of all, I would like to thank you a lot! This guide helped me a lot to finish my lab! I just have a doubt, I did the same thing that you did, but it didn´t work. So searching in other sites, I saw an example that needed to configure a DNS in router cisco. Then I configured DNS in cisco router and it worked. You didn´t mention anything about DNS, so is it really necessary?

    • ajnouri says:

      Hi Eduu,

      The ISATAP tunnel configuration process itself doesn’t require any name resolution configured on the router.
      Make sure your configuration works for IPv6 addresses first and then you can deal with IPv6 name resolution and address hosts by their domain name by configuring a dedicated internal or provider DNS server on all your internal hosts, the ISATAP router included, if you want to test reachability with Internet hosts by their domain name.

      With nowadays ubiquitous dualstack equipements for home and enterprises, I hope you are not considering ISATAP (deprecated) as a transition solution for your network.

      • Eduu says:

        Hi ajnouri,

        Thank you for your reply! In fact I’m doing a project for the university with some transition techniques from IPv4 to IPv6 using ISATAP, Dual Stack, GRE over IPv4 and 6rd in their own scenarios. Yesterday night I removed the DNS from my ISATAP scenario (in GNS3), and it continued working, so I think it was a bug. My lab is working with these steps above. Thank you again!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: