Ipv6 ISATAP tunneling
June 30, 2008 9 Comments
OVERVIEW
Comparing with other tunneling techniques like 6to4, ISATAP (Intra-site Automatic Tunnel Addressing Protocol) tunneling builds a tunnel for transport of IPv6 traffic over IPv4 within an IPv4 network, not between IPv6 networks.
ISATAP treats IPv4 network as NBMA and determines the destination on a per packet-basis (point-to-multipoint).
There is two ISATAP node behaviors, client and server : Each client builds a static tunnel to the server and requests an IPv6 address. The server (dedicated router or Windows any *nix server) with ipv6 functionalities enabled, will advertise IPv6 network information and allow IPv6 nodes to configure their applications as they were connected to an Ethernet interface.
In this Lab a server 2003 is configured as a ISATAP client node and a Cisco Router as an advertiser, ISATAP server.
The client ISATAP configuration is also applicable to windows XP workstations as well.
ISATAP address scheme is developed as follow:
64-bit link-local or global unicast prefix + 0000:5EFE + <IPv4 of ISATAP link>
0000:5EFE == the ISATAP identifier.
DEPLOYMENT
ISATAP router configuration:
Router Ethernet interface should be configured to communicate with all nodes that want to communicate in IPv4.
interface FastEthernet0/0 ip address 192.168.43.103 255.255.255.0 no sh |
ISATAP-srv# ISATAP-srv#sh ip int brief Interface IP-Address OK? Method Status Protocol FastEthernet0/0 192.168.43.103 YES manual up up … Tunnel0 unassigned YES unset up up ISATAP-srv#ping 192.168.43.104 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.43.104, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/22/40 ms ISATAP-srv# |
The interface is up and the ipv4 address connectivity is verified, this allows the communication between IPv6 nodes and the router to automatically configure their ISATAP information.
On the tunnel interface, IPv6 RA (router advertisement) is disabled by default and need to be re-enabled, also the ISATAP is specified under IPv6 over ipv4 tunnel mode.
ipv6 unicast-routing interface Tunnel0 ipv6 address 2001:DB8:2:1::/64 eui-64 no ipv6 nd suppress-ra tunnel source FastEthernet0/0 tunnel mode ipv6ip isatap no sh |
IPv6 information are correctly configured and verified:
ISATAP-srv#sh ipv6 int brief FastEthernet0/0 [up/up] … Tunnel0 [up/up] FE80::5EFE:C0A8:2B67 2001:DB8:2:1:0:5EFE:C0A8:2B67 ISATAP-srv# |
ISATAP node configuration:
First of all ipv6 protocol must be enabled on windows server 2003 /XP, then within “netsh” ISATAP ipv6 mode must be specified.
Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\>netsh interface ipv6 isatap set router \\192.168.43.103 Ok. |
C:\>ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : mngmnt Primary Dns Suffix . . . . . . . : nouri.com Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : nouri.com Ethernet adapter loopback: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Microsoft Loopback Adapter Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50 DHCP Enabled. . . . . . . . . . . : No IP Address. . . . . . . . . . . . : 192.168.43.104 Subnet Mask . . . . . . . . . . . : 255.255.255.0 IP Address. . . . . . . . . . . . : fe80::4cff:fe4f:4f50%6 Default Gateway . . . . . . . . . : 192.168.43.103 DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1 fec0:0:0:ffff::2%1 fec0:0:0:ffff::3%1 Tunnel adapter Teredo Tunneling Pseudo-Interface: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF DHCP Enabled. . . . . . . . . . . : No IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%5 Default Gateway . . . . . . . . . : NetBIOS over Tcpip. . . . . . . . : Disabled Tunnel adapter Automatic Tunneling Pseudo-Interface: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface Physical Address. . . . . . . . . : C0-A8-2B-68 DHCP Enabled. . . . . . . . . . . : No IP Address. . . . . . . . . . . . : fe80::5efe:192.168.43.104%2 Default Gateway . . . . . . . . . : DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1 fec0:0:0:ffff::2%1 fec0:0:0:ffff::3%1 NetBIOS over Tcpip. . . . . . . . : Disabled C:\> |
ISATAP router and ipv6 node are communicating with success as the node is reached through its dynamically configured address:
ISATAP-srv#ping ipv6 fe80::5efe:c0a8:2b68 Output Interface: tunnel 0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to FE80::5EFE:C0A8:2B68, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 24/33/44 ms ISATAP-srv# |
Figure2: IPv6 traffic capture
ROUTER CONFIGURATION
Router ISATAP-srv configuration:
ISATAP-srv#sh run …ipv6 unicast-routing …interface Tunnel0 ipv6 address 2001:DB8:2:1::/64 eui-64 no ipv6 nd suppress-ra tunnel source FastEthernet0/0 tunnel mode ipv6ip isatap ! interface FastEthernet0/0 ip address 192.168.43.103 255.255.255.0 … |