How to configure an ISATAP tunnel?
05/27/2020 0 2096
ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) can be used to provide IPv6 connectivity through an IPv4-only infrastructure. ISATAP is a simple tunneling mechanism that connects dual-stack (IPv6/IPv4) node to other dual-stack nodes or IPv6 nodes over IPv4 networks. The IPv4 network is viewed by ISATAP as a link layer for IPv6.
ISATAP can be used in several scenarios to provide unicast connectivity between ISATAP hosts, and ISATAP host and hosts on IPv6 networks.
- Delivery of ISATAP traffic between ISATAP hosts on the same logical ISATAP subnet:
- Delivery of ISATAP traffic between hosts on different ISATAP subnets:
- Delivery of packets between ISATAP hosts and hosts on an IPv6-capable network:
In the scenario presented above, the ISATAP hosts can communicate directly to each other without going through the ISATAP router or IPv6 network. This allows an IPv6-capable application to leverage connectivity of an existing IPv4 infrastructure.
The other two scenarios require the ISATAP router to have an IPv6 interface connected to the IPv6 network which supports forwarding between the ISATAP interface-facing IPv4 network and the IPv6 interface.
ISATAP needs to be implemented and run in both the host and router. Dual-stack node support is enabled by default on the Windows platforms.
ISATAP support in SonicOS allows the Security Appliance to function as an ISATAP router on LAN- facing interfaces and forward IPv6 packets between the ISATAP tunneling interface and IPv6 interface connected to the IPv6 network.
To configure an ISATAP tunnel:
- In MANAGE | System Setup | Network | Interfaces, at View IP Version, select IPv6.
- Scroll down and select the drop-down for Add Interface.
- In the General tab, Select the Zone for the tunnel interface.
- In the Tunnel Type drop-down list, select ISATAP Tunnel Interface.
- Enter a Name for the tunnel interface.
- Bound to IPv4 Address of - Select an interface from the drop-down menu. The ISATAP tunnel uses the IPv4 address of the bound interface as the IPv4 end address of 6over4 tunnel.
- IPv6 Subnet Prefix - Select an address object from the drop-down menu (or select Create a new address object). The IPv6 subnet prefix is a 64 bit prefix, and is used by ISATAP hosts for ISATAP address auto configuration.
- Tunnel Interface Link MTU - The recommended MTU for the interface link. A value of 0 means firewall does not advertise link MTU for the link.
- Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
- If you want to enable remote management of the firewall from this interface, select the supported management protocol(s): HTTPS, Ping, or SNMP.
- If you want to allow selected users with limited management rights to log in to the Security Appliance, select HTTP and/or HTTPS in User Login.
- Additionally, you can specify how SonicOS resolves ISATAP host queries on MANAGE | Security Configuration | Firewall Settings | Advanced Settings.
- Locate the IPv6 Advanced Configurations section.
Enable NetBIOS name query response for ISATAP – Select this to if you want the Security Appliance to answer a NetBIOS query in order to help ISATAP hosts resolve the name into an IPv4 address.