It turns out there were three bits that should have been in the prior blog but dropped out somewhere along the way. So I’ll put them here, next. The rest of this blog covers IPv6 tunneling variants in summary form, with config samples.
! CONFIG SAMPLE
! CONFTYPE: IPv6 Route Filtering
ipv6 prefix-list EFILTER seq 10 deny 2001::/64
ipv6 prefix-list EFILTER seq 20 permit ::/0 le 128
ipv6 router eigrp 100
distribute-list prefix-list EFILTER out ! or in, route-map NOT allowed
IPv6 routing protocols can redistribute routes from one another; here is the generic router command syntax:
Automatic 6to4 allows pockets of IPv6 to be connected over IPv4. The tunnel is point-to-multipoint; the IPv4 network is treated as an NBMA link.
Uses IPv4 protocol type 41 (also used for ISATAP and manual IPv6IP tunnels). You can only have one 6to4 tunnel and one IPv4-compatible tunnel on a router, and they had best have different source interfaces, so the router can tell inbound traffic apart (both use IP protocol 41).
Relay routers can connect 6to4 networks to native IPv6 networks.
Address format: 2002:<border-router IPv4 address>::/48.
Note: there is no link-local addressing, so IGP routing protocols won’t work. Use static or BGP.
! CONFIG SAMPLE
! CONFTYPE: 6to4 Tunnel
interface tunnel 0
description IPv6 uplink
no ip address
ipv6 address 2002:c0a8:6301::1/64 ! could even be /128
tunnel source Ethernet 0
tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 tunnel 0
ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is intended for intra-site IPv6 tunneling. It uses IPv4 as a virtual NBMA link, treating the IPv4 network as a single link for link-local communication. It does not require IP multicast the way 6over4 does; instead, it does neighbor discovery over IPv4. (Note that the addresses contain a router IPv4 address.)
ISATAP hosts must have a potential routers list, or use DNS (e.g. isatap.corp.com). This is used to obtain the prefixes on the ISATAP link and to find the routers, since multicast router discovery won't work on a unicast-only network.
ISATAP addresses use a global or link-local 64-bit prefix followed by 0000:5EFE (making a /96), with the IPv4 address in the last 32 bits.
Generally you should block IP protocol 41 (IPv6-in-IPv4 tunnels, including ISATAP) at the firewall.
! CONFIG SAMPLE
! CONFTYPE: ISATAP on head end router
interface tunnel 1
tunnel source ethernet 0
tunnel mode ipv6ip isatap
ipv6 address 2001:DB8::/64 eui-64 ! clients could use autoconfig instead
no ipv6 nd ra suppress ! RAs are suppressed by default on tunnel interfaces
6over4 (RFC 2529): not implemented by Cisco, due to scaling issues.
6over4 tunnels use IPv4 addresses as virtual link-layer addresses. The link-local addresses are FE80::<IPv4 address>.
6over4 requires IPv4 multicast support.
Like ISATAP, 6over4 uses IP protocol type 41.
Multicast is used for Neighbor Discovery: an IPv6 multicast packet is encapsulated in an IPv4 multicast packet with destination 239.192.x.y, where x and y are the last two bytes of the IPv6 multicast address.
The source interface IP and the destination IP (taken from the last 4 bytes of the IPv6 address) are then used to tunnel the IPv6 traffic.
ISATAP has the advantage of not relying on IPmc the way 6over4 does.
6over4 is not configurable on Cisco routers; it is included here for completeness of review.
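The three address formats above (6to4's 2002:<IPv4>::/48, ISATAP's <prefix>:0:5EFE:<IPv4>, and 6over4's FE80::<IPv4> plus its 239.192.x.y multicast mapping) all embed an IPv4 endpoint, which is what lets you tell the tunnel families apart when a protocol-41 flow shows up in a capture or firewall log. The following is an added example (not from the original post or any Cisco tool) that computes each mapping and classifies an inner IPv6 address; all input values are constructed, and the 0200:5EFE variant comes from RFC 5214 rather than the text.

```python
import ipaddress
from typing import Optional, Tuple

def sixto4_prefix(border_router_ipv4: str) -> str:
    """6to4 site prefix: 2002:<border-router IPv4>::/48 (IPv4 occupies bits 16-47)."""
    v4 = int(ipaddress.IPv4Address(border_router_ipv4))
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48)))

def isatap_address(prefix64: str, ipv4: str) -> str:
    """ISATAP address: <64-bit prefix>:0000:5EFE:<IPv4>, i.e. a /96 ending in 0:5efe."""
    net = ipaddress.IPv6Network(prefix64)
    iid = (0x5EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def sixover4_multicast(ipv6_group: str) -> str:
    """6over4: IPv6 group -> 239.192.X.Y, where X.Y are the last two bytes of the IPv6 group."""
    low16 = int(ipaddress.IPv6Address(ipv6_group)) & 0xFFFF
    return str(ipaddress.IPv4Address((239 << 24) | (192 << 16) | low16))

def classify_tunnel_source(ipv6_src: str) -> Tuple[str, Optional[str]]:
    """Name the tunnel family an inner IPv6 address belongs to and recover the
    IPv4 endpoint embedded in it; handy when triaging protocol-41 flows."""
    a = int(ipaddress.IPv6Address(ipv6_src))
    if a >> 112 == 0x2002:                                   # 2002::/16 -> 6to4
        return "6to4", str(ipaddress.IPv4Address((a >> 80) & 0xFFFFFFFF))
    # 0000:5EFE as on the page; 0200:5EFE is the RFC 5214 form with the u bit set.
    # Checked before fe80:: because ISATAP link-locals are fe80::5efe:<IPv4>.
    if ((a >> 32) & 0xFFFFFFFF) in (0x00005EFE, 0x02005EFE):
        return "ISATAP", str(ipaddress.IPv4Address(a & 0xFFFFFFFF))
    if a >> 32 == 0xFE80 << 80:                              # fe80::<IPv4> -> 6over4 link-local
        return "6over4", str(ipaddress.IPv4Address(a & 0xFFFFFFFF))
    return "other", None

if __name__ == "__main__":
    # Constructed values; 192.168.99.1 is the IPv4 behind the 2002:c0a8:6301:: sample above.
    print(sixto4_prefix("192.168.99.1"))                     # 2002:c0a8:6301::/48
    print(isatap_address("2001:db8::/64", "10.1.2.3"))       # 2001:db8::5efe:a01:203
    print(sixover4_multicast("ff02::1:ff00:1234"))           # 239.192.18.52
    print(classify_tunnel_source("fe80::c0a8:6301"))         # ('6over4', '192.168.99.1')
```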
My consulting workload has picked up, so I’ll be blogging as much as I can around work necessities. I enjoyed the quick trip and final presentation in Boston (you know who you are!) this past Monday, a tightly focused trip. I’m glad Spring has come to the Washington/Annapolis/Baltimore area, making the commute more pleasant. For a while there, it seemed like Winter just wouldn’t end!
The vendors for NFD 5 paid for my travel expenses and perhaps small items, so I wish to disclose that in my blogs now. The vendors in question are: Cisco, Brocade, Juniper, Plexxi, Ruckus, and SolarWinds. I’d like to think that my blogs aren’t influenced by that. Yes, the time spent in presentations and discussion gets me and the other attendees looking at and thinking about the various vendors’ products, marketing spin, and their points of view. I intend to try to remain as objective as possible in my blogs. I’ll concede that cool technology gets my attention!
A principal consultant with broad knowledge and experience in high-end routing and network design, as well as data centers, Pete has provided design advice and done assessments of a wide variety of networks. CCIE #1773, CCDP, CCSI (#94014)