Today I'm going to play around with some IPv6 tunnelling techniques
The topology for this example will be a string of 4 IPv4 enabled routers connected by Ethernet, each with a Loopback 100.100.100.x/32 with all the interfaces advertised into OSPF
Here are their base configurations:
R1
hostname R1
interface Loopback0
ip address 100.100.100.1 255.255.255.255
!
interface FastEthernet0/0
description R2 Fa0/0
ip address 10.1.12.1 255.255.255.0
!
router ospf 1
network 10.1.12.1 0.0.0.0 area 0
network 100.100.100.1 0.0.0.0 area 0
R2
hostname R2
interface Loopback0
ip address 100.100.100.2 255.255.255.255
!
interface FastEthernet0/0
description R1 Fa0/0
ip address 10.1.12.2 255.255.255.0
!
interface FastEthernet0/1
description R3 Fa0/1
ip address 10.1.23.2 255.255.255.0
!
router ospf 1
network 10.1.12.2 0.0.0.0 area 0
network 10.1.23.2 0.0.0.0 area 0
network 100.100.100.2 0.0.0.0 area 0
R3
hostname R3
interface Loopback0
ip address 100.100.100.3 255.255.255.255
!
interface FastEthernet0/0
description R4 Fa0/0
ip address 10.1.34.3 255.255.255.0
!
interface FastEthernet0/1
description R2 Fa0/1
ip address 10.1.23.3 255.255.255.0
!
router ospf 1
network 10.1.23.3 0.0.0.0 area 0
network 10.1.34.3 0.0.0.0 area 0
network 100.100.100.3 0.0.0.0 area 0
R4
hostname R4
interface Loopback0
ip address 100.100.100.4 255.255.255.255
!
interface FastEthernet0/0
description R3 Fa0/0
ip address 10.1.34.4 255.255.255.0
!
router ospf 1
log-adjacency-changes
network 10.1.34.4 0.0.0.0 area 0
network 100.100.100.4 0.0.0.0 area 0
IPv6 over GRE and IPv6 over IPv4
IPv6 over GRE over IPv4 is the easiest configuration method for a point-to-point tunnel IPv6 over an IPv4 network.
The initial tunnel configuration between R1 and R3 in this example is nothing special - we're just specifying that the tunnel needs to be set up between the Loopback interfaces, the only thing we are doing here is assigning the IPv6 address to each tunnel endpoint
R1
interface Tunnel13
ipv6 address FEC0:13::1/64
tunnel source 100.100.100.1
tunnel destination 100.100.100.3
R3
interface Tunnel13
ipv6 address FEC0:13::3/64
tunnel source 100.100.100.3
tunnel destination 100.100.100.1
R1#ping fec0:13::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:13::1, timeout is 2 seconds:
!!!!!
IPv6 over IPv4 is working fine
R1#sh int tun13 | i transport
Tunnel protocol/transport GRE/IP
As we can see we are tunneling IPv6 over GRE over IPv4 - GRE is a handy protocol since it carries all sorts of protocols over it but in this case it's a little inefficient with regards to the encapsulation overhead and potentially reducing the effective MTU on this path so we could look at directly transporting IPv6 over IPv4 and skip the GRE middle man and have a larger payload MTU
R1
interface Tunnel13
tunnel mode ipv6ip
R3
interface Tunnel13
tunnel mode ipv6ip
R1#sh int tun13 | i transport
Tunnel protocol/transport IPv6/IP
IPv6 over IPv4 automatic tunnels
Another type of tunnelling method is quite interesting in the way that it's defined. The destination address of the tunnel is not actually specified, this is because this is encoded within the destination IPv6 Address. The 2002::/16 network is a special segment that is used to contain the IPv4 destination address and network
R1
interface Tunnel123
no ip address
no ip redirects
ipv6 address 2002:6464:6401:1::/128
tunnel source 100.100.100.1
tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 Tunnel123
In this case, the tunnel source IPv4 address is converted to hexadecimal 100.100.100.1 becomes 6464:6401 and the associated network is 1 (this way we can terminate multiple IPv6 networks using the same IPv4 address if we had to)
All of the remote ends of the tunnel are in the 2002::/16 network so we instruct the router to reach them via the tunnel where it inspects the destination and automatically establishes the tunnel destination
R2
interface Tunnel123
no ip address
no ip redirects
ipv6 address 2002:6464:6402:1:/128
tunnel source 100.100.100.2
tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 Tunnel123
R1#ping 2002:6464:6402:1::
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002:6464:6402:1::, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/12 ms
This is a multipoint tunnel, if we add another IPv6overIPv4 tunnel or R3, things should work just as easily
R3
interface Tunnel123
no ip address
no ip redirects
ipv6 address 2002:6464:6403:9:/128
tunnel source 100.100.100.3
tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 Tunnel123
R1#ping 2002:6464:6403:9::
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002:6464:6403:9::, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/10/12 ms
ISATAP tunnels
A similar concept to the above but somewhat different are ISATAP tunnels - unlike IPv6inIPv4 auto tunnels which have to use the 2002::/16 network, ISATAP tunnels are a lot more flexible in the address allocations available. IPv6 addresses are automatically derived from the tunnel source IPv4 address but are created using the eui-64 method to embed the IPv4 address and the special
5EFE identifier which is used before the hex encoded IPv4 address to let us know that this is an ISATAP address
R2
interface Tunnel24
no ip address
no ip redirects
ipv6 address FEC0:24::/64 eui-64
no ipv6 nd ra suppress
tunnel source 100.100.100.2
tunnel mode ipv6ip isatap
R4
interface Tunnel24
no ip address
no ip redirects
ipv6 address FEC0:24::/64 eui-64
no ipv6 nd ra suppress
tunnel source 100.100.100.4
tunnel mode ipv6ip isatap
R2#sh ipv6 int tun24 | i EUI
FEC0:24::5EFE:6464:6402, subnet is FEC0:24::/64 [EUI]
We can see that the EUI address is using the
5EFE flag for ISATAP addressing and
6161:6402 which is the hex encoded version of 100.100.100.2
R4#sh ipv6 int tun24 | i EUI
FEC0:24::5EFE:6464:6404, subnet is FEC0:24::/64 [EUI]
As R4 is on the same subnet as R2 in tunnel 24 we don't need a specific route for it, however a tunnel to R4 (100.100.100.4) will be established by inspecting the destination address
R2#ping FEC0:24::5EFE:6464:6404 source tun24
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:24::5EFE:6464:6404, timeout is 2 seconds:
Packet sent with a source address of FEC0:24::5EFE:6464:6402
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
These are the main transition techniques for carrying IPv6 over IPv4 enabled networks at least for what should be found in the CCIE for Routing and Switching Version 4.0