CCIE R&S Prep: IPv6 Part 2

Peter Welcher
Architect, Operations Technical Advisor

This is the second CCIE R&S prep blog on IPv6, IPv6 Part 2. On March 1, 2013 I blogged that I intended to start a series of CCIE R&S Written exam prep blogs. That blog contains the “ground rules” and some general advice. The full URL for it is The first blog in the series was IPv6 Part 1.

It turns out there were three bits that should have been in the prior blog but dropped out somewhere along the way. So I’ll put them here, next. The rest of this blog covers IPv6 tunneling variants in summary form, with config samples.

IPv6 Filtering

! CONFTYPE: IPv6 Route Filtering
ipv6 prefix-list EFILTER seq 10 deny 2001::/64
ipv6 prefix-list EFILTER seq 20 permit ::/0 le 128
ipv6 router eigrp 100
distribute-list prefix-list EFILTER out   ! or in, route-map NOT allowed

IPv6 Redistribution

  • IPv6 can redistribute routing protocols. Here is the generic router command syntax:
! CONFTYPE: IPv6 Route Redistribution
router …
redistribute source-protocol [process-id] [include-connected {level-1 | level-1-2 | level-2}] [as-number] [metric {metric-value | transparent}] [metric-type type-value]
[match {external [1 | 2] | internal | nssa-external [1 | 2]}] [tag tag-value] [route-map map-tag]
  • A route map can be used.
  • Note the “include-connected” option. It redistributes connected prefixes on the interface where the source protocol is running.

IPv6 Other

  • NAT64 is better in practice than NAT-PT. The latter has an ALG (Application Layer Gateway) for DNS, and the fixups can create problems. Cf. Ivan Pepelnjak's blogs, RFCs, and other sources Ivan cites at
  • IPv6 only uses named ACLs. They can be used as access-class on the vty lines.
  • IPv6 ACLs implicitly allow ND unless you block it.
  • For QoS, you can use “match protocol ip” and “match protocol ipv6” to treat IPv4 and 6 differently, if desired.
  • BGP and MPLS 6PE or 6VPN are not on the CCIE topics list above. Hence I omitted them here.

IPv6 Tunneling

See also and

Types of IPv6 over IPv4 overlay tunnels:

  • Manually coded destination:
    • Manual IPv6 over IPv4 (NOT “6over4”) tunnel uses IP protocol 41, no GRE header: tunnel mode ipv6ip
    • GRE (IPv4 | GRE | IPv6, slightly bigger header): tunnel mode gre
  • Automatic:
    • IPv4-compatible: tunnel mode ipv6ip auto-tunnel. ISATAP is recommended by Cisco over IPv4-compatible.
    • 6to4 (and IPv6 Rapid Deployment, 6RD for SP’s): tunnel mode ipv6ip 6to4
    • Intrasite Automatic Tunnel Addressing Protocol (ISATAP): tunnel mode ipv6ip isatap
    • 6over4: not implemented by Cisco – out of scope
    • Teredo: not supported on routers – out of scope
    • 6RD (Rapid Deployment, for SP’s) – out of scope

Summary table to memorize:

Tunnel type | Tunnel mode command
IPv6 over IPv4 | tunnel mode ipv6ip
GRE | tunnel mode gre
IPv4 compatible | tunnel mode ipv6ip auto-tunnel
6to4 | tunnel mode ipv6ip 6to4
ISATAP | tunnel mode ipv6ip isatap

Manual IPv6IP and GRE

! CONFTYPE: Manual IPv6 over IPv4 tunnel
interface tunnel 0
ipv6 address 3ffe:b00:c18:1::3/127
tunnel source ethernet 0
tunnel destination   ! takes the IPv4 address of the remote tunnel endpoint
tunnel mode ipv6ip

! CONFTYPE: IPv6 over GRE tunnel
interface tunnel 0
no ip address
ipv6 address 3ffe:b00:c18:1::3/127
tunnel source Ethernet 0/0
tunnel destination   ! takes the IPv4 address of the remote tunnel endpoint
tunnel mode gre

IPv4 Compatible

  • Automatic, uses IPv4-compatible IPv6 addresses, 0’s in the 96 high-order bits, then the IPv4 address in hex at end.
  • Some examples show using BGP for dynamic routing with this.
! CONFTYPE: IPv4 compatible tunnel
interface tunnel 0
tunnel source Ethernet 0  ! or IPv4 address
tunnel mode ipv6ip auto-tunnel


6to4

  • Automatic 6to4 allows pockets of IPv6 to be connected. The tunnel is point-to-multipoint. IPv4 is treated as an NBMA link.
  • Uses IPv4 protocol type 41 (also used for ISATAP and IPv6IP manual tunnels). You can only have one 6to4 and one IPv4-compatible tunnel on a router, and they'd best have different source interfaces (so the router can tell inbound traffic apart, as both use IP protocol 41).
  • Relay routers can connect 6to4 networks to native IPv6 networks.
  • Format of address: 2002:border-router-ipv4::/48.
  • Note: there is no link-local addressing, so IGP routing protocols won’t work. Use static or BGP.
! CONFTYPE: 6to4 Tunnel
interface Tunnel0
description IPv6 uplink
no ip address
ipv6 address 2002:c0a8:6301::1/64   ! could even be /128
tunnel source Ethernet 0
tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 tunnel 0


ISATAP

  • Intra-Site Automatic Tunnel Addressing Protocol. ISATAP is intended for intrasite IPv6 tunneling. ISATAP uses IPv4 as a virtual NBMA link. It regards the IPv4 network as a single link for link-local communications. It does not require IP multicast (IPmc) the way 6over4 does. Instead, it does neighbor discovery over IPv4. (Note the addresses contain a router IPv4 address in them.)
  • ISATAP hosts must have a potential routers list, or use DNS. This is used to obtain the prefixes on the ISATAP link and to find the routers, since router discovery won't work (if unicast only network).
  • ISATAP addresses use a global or link local 64 bit prefix followed by 0000:5EFE, making it a /96, then the IPv4 address in last 32 bits.
  • Generally you should block IP protocol 41 (IPv6 tunnel / ISATAP) at the firewall.
! CONFTYPE: ISATAP on head end router
ipv6 unicast-routing
interface tunnel 1
tunnel source ethernet 0
tunnel mode ipv6ip isatap
ipv6 address 2001:DB8::/64 eui-64 ! could do autoconfig on client
no ipv6 nd ra suppress   ! RA disabled by default
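
To audit what a firewall rule for IP protocol 41 would match, the following added example (not part of the original post) classifies raw IPv4 packets by the tunnel encapsulations this page lists. It goes beyond protocol 41 to cover IPv6 in GRE and Teredo's UDP 3544; the function names and the sample packets are constructed for illustration.

```python
import struct

PROTO_IPV6, PROTO_GRE, PROTO_UDP = 41, 47, 17
ETHERTYPE_IPV6 = 0x86DD   # GRE protocol type for an IPv6 payload
TEREDO_PORT = 3544        # Teredo server UDP port named in the text

def classify_tunnel(pkt):
    """Return the IPv6 tunnel encapsulation an IPv4 packet carries, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                      # not a complete IPv4 header
    ihl = (pkt[0] & 0x0F) * 4            # header length, honours IPv4 options
    if ihl < 20 or len(pkt) < ihl:
        return None
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto, body = pkt[9], pkt[ihl:]
    if proto == PROTO_IPV6:
        return "proto-41"                # manual ipv6ip, 6to4, ISATAP, 6over4
    if frag_off:
        return None                      # later fragment: no inner header to read
    if proto == PROTO_GRE and len(body) >= 4:
        if struct.unpack("!H", body[2:4])[0] == ETHERTYPE_IPV6:
            return "gre-ipv6"
    if proto == PROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"              # matches the server port only
    return None

def ipv4(proto, payload):
    """Constructed sample: 192.0.2.1 -> 198.51.100.1, header checksum left at 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return hdr + payload

# Constructed sample packets, keyed by what they contain
SAMPLES = {
    "6in4": ipv4(41, b"\x60" + bytes(39)),
    "gre6": ipv4(47, b"\x00\x00\x86\xdd" + bytes(40)),
    "gre4": ipv4(47, b"\x00\x00\x08\x00" + bytes(20)),
    "teredo": ipv4(17, struct.pack("!HHHH", 50000, 3544, 8, 0)),
    "dns": ipv4(17, struct.pack("!HHHH", 50000, 53, 8, 0)),
    "tcp": ipv4(6, bytes(20)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:8} {classify_tunnel(pkt)}")
```

A single "proto-41" verdict covers every ipv6ip tunnel mode on this page, which is why one protocol-number rule at the firewall is enough for them, while GRE and Teredo need their own rules.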

6over4 Tunnel

  • Not implemented by Cisco. Scaling issues. RFC 2529.
  • 6over4 tunnels use IPv4 virtual link layer addresses. The link local addresses are FE80::IPv4 address.
  • 6over4 requires IPv4 multicast support.
  • IP protocol type 41 (ISATAP, 6over4).
  • Multicast is used for Neighbor Discovery. An IPv6 multicast packet gets encapsulated in an IPv4 multicast packet with destination 239.192.x.y, where x and y are the last two bytes of the IPv6 multicast address.
  • The source interface IP and destination IP (from last 4 bytes of IPv6 address) then are used to tunnel the IPv6 traffic.
  • ISATAP has the advantage of not relying on IPmc the way 6over4 does.


Teredo

Not configurable on Cisco routers, included here for completeness of review.

  • Teredo is encapsulated IPv6 in IPv4 UDP. Teredo server listens on IPv4 UDP 3544.
  • Teredo diagnoses the type of NAT present. Symmetric NAT is not supported.
  • Teredo prefix is normally 2001::/32, followed by IPv4 of Teredo server used.
  • Teredo relays terminate that and pass traffic as native IPv6.
  • Teredo servers do not forward traffic, stateless: supports initial tunnel configuration.
  • Intended as temporary last resort.
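
The address formats described above for IPv4-compatible, 6to4, ISATAP and Teredo all embed an IPv4 address. The following added example (not part of the original post) recovers that address from an IPv6 address seen in a log or routing table, and builds the 6to4 and ISATAP forms. Function names and sample addresses are constructed for illustration; the 0200:5EFE ISATAP identifier is the RFC 5214 variant with the u bit set, which the text does not mention.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")   # 6to4
TEREDO = ipaddress.IPv6Network("2001::/32")      # Teredo
V4COMPAT = ipaddress.IPv6Network("::/96")        # IPv4-compatible
ISATAP_IDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # 0000:5EFE, 0200:5EFE

def embedded_ipv4(addr):
    """Return (mechanism, embedded IPv4) or (None, None) for a native address."""
    a = ipaddress.IPv6Address(addr)
    raw = a.packed
    if a in SIXTOFOUR:                   # 2002:<border router IPv4>::/48
        return "6to4", ipaddress.IPv4Address(raw[2:6])
    if a in TEREDO:                      # 2001:0000:<Teredo server IPv4>:...
        return "teredo-server", ipaddress.IPv4Address(raw[4:8])
    if raw[8:12] in ISATAP_IDS:          # <64-bit prefix>:0000:5EFE:<IPv4>
        return "isatap", ipaddress.IPv4Address(raw[12:16])
    if a in V4COMPAT and int(a) > 1:     # 96 zero bits + IPv4; skip :: and ::1
        return "ipv4-compatible", ipaddress.IPv4Address(raw[12:16])
    return None, None

def sixtofour_prefix(border_v4):
    """Build the 2002:border-router-ipv4::/48 site prefix."""
    v4 = int(ipaddress.IPv4Address(border_v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def isatap_address(prefix64, v4):
    """Append 0000:5EFE and the IPv4 address to a global or link-local /64."""
    net = ipaddress.IPv6Network(prefix64)
    return net[(0x5EFE << 32) | int(ipaddress.IPv4Address(v4))]

# Constructed sample addresses
SAMPLES = [
    "2002:c0a8:6301::1",                      # 6to4 address from the config above
    "2001:db8::5efe:c0a8:6301",               # ISATAP on a global prefix
    "fe80::5efe:c0a8:6301",                   # ISATAP link-local
    "::c0a8:6301",                            # IPv4-compatible
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",   # Teredo
    "2001:db8::1",                            # native, nothing embedded
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, *embedded_ipv4(s))
    print(sixtofour_prefix("192.168.99.1"), isatap_address("fe80::/64", "192.168.99.1"))
```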


Life Log

My consulting workload has picked up, so I’ll be blogging as much as I can around work necessities. I enjoyed the quick trip and final presentation in Boston (you know who you are!) this past Monday, a tightly focused trip. I’m glad Spring has come to the Washington/Annapolis/Baltimore area, making the commute more pleasant. For a while there, it seemed like Winter just wouldn’t end!


The vendors for NFD 5 paid for my travel expenses and perhaps small items, so I wish to disclose that in my blogs now. The vendors in question are: Cisco, Brocade, Juniper, Plexxi, Ruckus, and SolarWinds. I’d like to think that my blogs aren’t influenced by that. Yes, the time spent in presentations and discussion gets me and the other attendees looking at and thinking about the various vendors’ products, marketing spin, and their points of view. I intend to try to remain as objective as possible in my blogs. I’ll concede that cool technology gets my attention!

Stay tuned!

Twitter: @pjwelcher

3 responses to “CCIE R&S Prep: IPv6 Part 2”

  1. Hi Peter Welcher, for the ISATAP configuration example – do you have a suggested configuration if you were planning on using a tunnel from the head-end ISATAP router to a client ISATAP router? To be more specific, how would you configure the ISATAP tunnel on the client router? I hope you can get back to me, many thanks. Shannon

  2. Hi, I was wondering if someone would be able to help me. I was hoping that someone could provide me with a sample configuration for an ISATAP client router. That is, if I created a tunnel between two routers, one being the head-end ISATAP router, and the other a client ISATAP router. Any help would be appreciated. Shannon
