Cart
This is the first in series of guides on tunneling IPv6 over existing IPv4 networks. For this first article, I’ve chosen the method that I see many CCIE students struggle with – 6to4 tunnels.
We will be working with the diagram depicted below. Let’s examine the initial network before we start configuring anything new.
As we can see on the diagram, we seem to have three “IPv6 islands” connected with IPv4 networks to some sort of a backbone device. In “real life”, this backbone device could represent the Internet, or private network – for example MPLS VPN. In our case, it’s a single device. Edge routers in our IPv6 islands (R2, R3 and R5) have full reachability between their Loopback0 interfaces. For that, we used simple BGP configuration.
Initial IPv4 Configuration
Here are relevant configuration snippets and verification.
R2:
router bgp 65002 bgp router-id 2.2.2.2 bgp log-neighbor-changes neighbor 192.168.2.7 remote-as 7 ! address-family ipv4 no synchronization network 2.2.2.2 mask 255.255.255.255 neighbor 192.168.2.7 activate neighbor 192.168.2.7 send-community no auto-summary exit-address-family ! R2#tclsh R2(tcl)#foreach ip { +>(tcl)#2.2.2.2 +>(tcl)#3.3.3.3 +>(tcl)#5.5.5.5 +>(tcl)#} { ping $ip source Loopback0 repeat 3 timeout 1 } Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds: Packet sent with a source address of 2.2.2.2 !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 1/3/4 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 3.3.3.3, timeout is 1 seconds: Packet sent with a source address of 2.2.2.2 !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 16/17/20 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 5.5.5.5, timeout is 1 seconds: Packet sent with a source address of 2.2.2.2 !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 12/13/16 ms
R3:
router bgp 65003 bgp router-id 3.3.3.3 bgp log-neighbor-changes neighbor 192.168.3.7 remote-as 7 ! address-family ipv4 no synchronization network 3.3.3.3 mask 255.255.255.255 neighbor 192.168.3.7 activate neighbor 192.168.3.7 send-community no auto-summary exit-address-family ! R3#tclsh R3(tcl)#foreach ip { +>(tcl)#2.2.2.2 +>(tcl)#3.3.3.3 +>(tcl)#5.5.5.5 +>(tcl)#} { ping $ip source Loopback0 repeat 3 timeout 1 } Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds: Packet sent with a source address of 3.3.3.3 !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 16/17/20 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 3.3.3.3, timeout is 1 seconds: Packet sent with a source address of 3.3.3.3 !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 4/5/8 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 5.5.5.5, timeout is 1 seconds: Packet sent with a source address of 3.3.3.3 !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 12/14/16 ms
R5:
router bgp 65005 bgp router-id 5.5.5.5 bgp log-neighbor-changes neighbor 192.168.5.7 remote-as 7 ! address-family ipv4 no synchronization network 5.5.5.5 mask 255.255.255.255 neighbor 192.168.5.7 activate neighbor 192.168.5.7 send-community no auto-summary exit-address-family ! R5#tclsh R5(tcl)#foreach ip { +>(tcl)#2.2.2.2 +>(tcl)#3.3.3.3 +>(tcl)#5.5.5.5 +>(tcl)#} { ping $ip source Loopback0 repeat 3 timeout 1 } Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds: Packet sent with a source address of 5.5.5.5 !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 16/17/20 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 3.3.3.3, timeout is 1 seconds: Packet sent with a source address of 5.5.5.5 !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 12/14/20 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 5.5.5.5, timeout is 1 seconds: Packet sent with a source address of 5.5.5.5 !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 1/4/8 ms
BB:
router bgp 7 bgp router-id 7.7.7.7 no bgp default ipv4-unicast bgp log-neighbor-changes neighbor 192.168.2.2 remote-as 65002 neighbor 192.168.3.3 remote-as 65003 neighbor 192.168.5.5 remote-as 65005 ! address-family ipv4 no synchronization network 7.7.7.7 mask 255.255.255.255 neighbor 192.168.2.2 activate neighbor 192.168.2.2 send-community neighbor 192.168.3.3 activate neighbor 192.168.3.3 send-community neighbor 192.168.5.5 activate neighbor 192.168.5.5 send-community no auto-summary exit-address-family !
Initial IPv6 Configuration
On top of the connectivity between our edge devices, we have fully functional IPv6 routing within each of the islands. Let’s examine each one in turn.
In “Site A”, we are running OSPFv3 between R1 and R2. We have full visibility of all networks in use. Let’s take a look.
R1:
ipv6 unicast-routing
!
interface Ethernet0/0
no ip address
ipv6 address 2002:202:202:1::1/64
ipv6 ospf 1 area 0
!
interface Serial1/0
no ip address
ipv6 address FE80::1 link-local
ipv6 address 2002:202:202:12::1/64
ipv6 enable
ipv6 ospf 1 area 0
!
ipv6 router ospf 1
router-id 1.1.1.1
log-adjacency-changes
passive-interface Ethernet0/0
!
R1#show ipv6 route ospf
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - Neighbor Discovery
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O 2002:202:202::2/128 [110/64]
via FE80::2, Serial1/0
R2:
ipv6 unicast-routing
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ipv6 address 2002:202:202::2/64
ipv6 ospf 1 area 0
!
interface Serial1/0
no ip address
ipv6 address FE80::2 link-local
ipv6 address 2002:202:202:12::2/64
ipv6 enable
ipv6 ospf 1 area 0
!
ipv6 router ospf 1
router-id 2.2.2.2
log-adjacency-changes
passive-interface Loopback0
!
R2#show ipv6 route ospf
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - Neighbor Discovery
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O 2002:202:202:1::/64 [110/74]
via FE80::1, Serial1/0
In “Site B”, configuration is very similar, but I decided to use EIGRPv6 as the routing protocol instead. Let’s take a look at that!
R3:
unicast-routing
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ipv6 address 2002:303:303::3/64
ipv6 eigrp 34
!
interface Serial1/1
no ip address
ipv6 address FE80::3 link-local
ipv6 address 2002:303:303:34::3/64
ipv6 eigrp 34
!
ipv6 router eigrp 34
passive-interface Loopback0
eigrp router-id 3.3.3.3
!
R3#show ipv6 route eigrp
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - Neighbor Discovery
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D 2002:303:303:4::/64 [90/2195456]
via FE80::4, Serial1/1
R4:
ipv6 unicast-routing
!
interface Ethernet0/0
no ip address
ipv6 address 2002:303:303:4::4/64
ipv6 eigrp 34
!
interface Serial1/1
no ip address
ipv6 address FE80::4 link-local
ipv6 address 2002:303:303:34::4/64
ipv6 eigrp 34
!
ipv6 router eigrp 34
passive-interface Ethernet0/0
eigrp router-id 4.4.4.4
!
R4#show ipv6 route eigrp
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - Neighbor Discovery
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D 2002:303:303::/64 [90/2297856]
via FE80::3, Serial1/1
Similarly to this, “Site C” is running yet another routing protocol – RIPng. Here are the relevant configurations.
R5:
ipv6 unicast-routing
!
interface Loopback0
ip address 5.5.5.5 255.255.255.255
ipv6 address 2002:505:505::5/64
ipv6 rip 1 enable
!
interface Serial1/0
no ip address
ipv6 address FE80::5 link-local
ipv6 address 2002:505:505:56::5/64
ipv6 rip 1 enable
!
ipv6 router rip 1
!
R5#show ipv6 route rip
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - Neighbor Discovery
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
R 2002:505:505:6::/64 [120/2]
via FE80::6, Serial1/0
R6:
ipv6 unicast-routing
!
interface Ethernet0/0
no ip address
ipv6 address 2002:505:505:6::6/64
ipv6 rip 1 enable
!
interface Serial1/0
no ip address
ipv6 address FE80::6 link-local
ipv6 address 2002:505:505:56::6/64
ipv6 rip 1 enable
!
ipv6 router rip 1
!
R6#show ipv6 route rip
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - Neighbor Discovery
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
R 2002:505:505::/64 [120/2]
via FE80::5, Serial1/0
Connecting the Islands With 6to4 Tunnels
As is the case with so many technologies, 6to4 tunnels are more difficult to understand than they are to configure. Let’s see what problem they solve first.
Connecting Sites A, B and C in our network using tunnels should be relatively easy. All we have to do is build tunnels from R1 to R3 and to R3, as well as between R3 and R5. That’s not so much of a problem, but what happens when we add Site D to the mix? Well, we can build another set of tunnels and we’re good to go. What if … we add 100 more sites? Using “manual” tunneling, such as GRE, doesn’t scale very well in that scenario, as we will need full mesh of tunnels, or (N-1)/2 tunnels, where N is the number of nodes.
The solution may be to use 6to4 tunnels, which provide some level of automation, with some restrictions. The basic idea is simple. IPv4 address of the “island edge node”, in our case R2, R3 and R5, will be embedded in IPv6 addresses used at the particular site. For example, we can decide that Site A will use R2′s Loopback0 for this purpose and we will use 2.2.2.2, converted to hex, as this embedded address. Similar to this, we’ll use 3.3.3.3 and 5.5.5.5 for sites B and C. The next bit is interesting.
This is such an interesting idea that special purpose /16 prefix is assigned for it. All IPv6 addresses in 2002::/16 range are supposed to be built using this method. Let’s see how embedding works.
We have IPv4 address 2.2.2.2 and IPv6 prefix 2002::/16. When we convert 2.2.2.2 to hex and divide it into 2-byte tuples, we get: 0202:0202. We can omit leading zeroes, so this becomes 202:202. Just as an example, had we used 172.19.213.44, this would have resulted in the following: AC13:D52C. Luckily, we used something simpler. When we have converted the address to hex, we will simply append it to 2002://16 prefix, resulting in 2002:202:202::/48. Very simple.
The resulting /48 subnet can be further divided into subnets at a particular site. In our case we used several subnets in all three sites. If you look carefully, you will notice they are all parts of the same 2002:xxxx:xxxx::/48 subnet at each site. All of those addresses are “hidden”, or reachable behind the same IPv4 node – our “island edge”.
This is how addressing is formed in each site, but let’s look at other important building blocks of this solution. First of all, we need to build tunnels themselves. Let me configure them on each of our end-nodes and I will then explain what I did. Here are the configurations.
R2:
interface Tunnel0 no ip address ipv6 unnumbered Loopback0 tunnel source Loopback0 tunnel mode ipv6ip 6to4 !
R3:
interface Tunnel0 no ip address ipv6 unnumbered Loopback0 tunnel source Loopback0 tunnel mode ipv6ip 6to4 !
R5:
interface Tunnel0 no ip address ipv6 unnumbered Loopback0 tunnel source Loopback0 tunnel mode ipv6ip 6to4 !
Did you notice something strikingly similar with all three? Yes, they are indeed identical. Furthermore, we specify only source of the tunnel, but not the destination. The reason for that is that destination is implied by the destination address of the IPv6 packet. For example, packet going from Site A to Site B will have destination 2002:303:303:x::y. When this packet needs to be tunneled across the IPv4 cloud, our border router, R2, will know where to send it based on the 32 bits following 2002 prefix. Pretty clever.
We are not done however. On each of the nodes, we need to ensure that 2002::/16 prefix is reachable via Tunnel0 interface. For that, we need one simple static route on each of the nodes, pointing to the Tunnel0 interface. We also need to let other routers in the site know about this. While we could simply use static routing, originate the default from the edge node, I opted for a simple redistribution. Let’s look at those configurations now.
R2:
ipv6 route 2002::/16 Tunnel0 ! ipv6 router ospf 1 redistribute static metric 10 !
R3:
ipv6 route 2002::/16 Tunnel0 ! ipv6 router eigrp 34 redistribute static metric 1 1 1 1 1500 !
R5:
ipv6 route 2002::/16 Tunnel0 ! ipv6 router rip 1 redistribute static metric 10 !
With this done, we should now have 2002::/16 visible in the routing tables on R1, R4 and R6, as well as full reachability between all the sites. Let’s check this out.
R1:
R1#show ipv6 route ospf IPv6 Routing Table - default - 7 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1 I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP EX - EIGRP external, ND - Neighbor Discovery O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 OE2 2002::/16 [110/10] via FE80::2, Serial1/0 O 2002:202:202::2/128 [110/64] via FE80::2, Serial1/0 R1#tclsh R1(tcl)#foreach ip { +>(tcl)#2002:0202:0202::2 +>(tcl)#2002:0202:0202:1::1 +>(tcl)#2002:0303:0303::3 +>(tcl)#2002:0303:0303:4::4 +>(tcl)#2002:0505:0505::5 +>(tcl)#2002:0505:0505:6::6 +>(tcl)#} { ping $ip repeat 3 timeout 1 } Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:202:202::2, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 8/9/12 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:202:202:1::1, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 0/4/8 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:303:303::3, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 24/25/28 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:303:303:4::4, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 36/38/44 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:505:505::5, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 20/24/28 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:505:505:6::6, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 32/33/36 ms
R4:
R4#show ipv6 route eigrp IPv6 Routing Table - default - 7 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1 I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP EX - EIGRP external, ND - Neighbor Discovery O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 EX 2002::/16 [170/2560512256] via FE80::3, Serial1/1 D 2002:303:303::/64 [90/2297856] via FE80::3, Serial1/1 R4#tclsh R4(tcl)#foreach ip { +>(tcl)#2002:0202:0202::2 +>(tcl)#2002:0202:0202:1::1 +>(tcl)#2002:0303:0303::3 +>(tcl)#2002:0303:0303:4::4 +>(tcl)#2002:0505:0505::5 +>(tcl)#2002:0505:0505:6::6 +>(tcl)#} { ping $ip repeat 3 timeout 1 } Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:202:202::2, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 24/25/28 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:202:202:1::1, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 32/34/36 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:303:303::3, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 8/12/20 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:303:303:4::4, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 4/4/4 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:505:505::5, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 24/25/28 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:505:505:6::6, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 28/33/36 ms
R6:
R6#show ipv6 route rip IPv6 Routing Table - default - 7 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1 I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP EX - EIGRP external, ND - Neighbor Discovery O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 R 2002::/16 [120/11] via FE80::5, Serial1/0 R 2002:505:505::/64 [120/2] via FE80::5, Serial1/0 R6#tclsh R6(tcl)#foreach ip { +>(tcl)#2002:0202:0202::2 +>(tcl)#2002:0202:0202:1::1 +>(tcl)#2002:0303:0303::3 +>(tcl)#2002:0303:0303:4::4 +>(tcl)#2002:0505:0505::5 +>(tcl)#2002:0505:0505:6::6 +>(tcl)#} { ping $ip repeat 3 timeout 1 } Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:202:202::2, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 24/25/28 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:202:202:1::1, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 32/33/36 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:303:303::3, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 24/25/28 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:303:303:4::4, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 32/33/36 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:505:505::5, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 8/9/12 ms Type escape sequence to abort. Sending 3, 100-byte ICMP Echos to 2002:505:505:6::6, timeout is 1 seconds: !!! Success rate is 100 percent (3/3), round-trip min/avg/max = 0/2/4 ms
There we go – simple and easy!
Note for end: While prefix 2002::/16 is supposed to be used for this purpose, IOS will work perfectly fine with any valid IPv6 prefix and build tunnels across IPv4 network.
–
Marko Milivojevic – CCIE #18427
Senior Technical Instructor – IPexpert
Join our Online Study List
Thank you Marko, that made it perfectly clear and non-scary.
any debug that shows the translation happnening?
Isn’t ping enough? :-)
–
Marko Milivojevic – CCIE #18427
Senior Technical Instructor – IPexpert
Join our Online Study List
yeah i guess it is :)>
access-list 101 permit ip host 3.3.3.3 host 2.2.2.2
access-list 101 permit ip host 2.2.2.2 host 3.3.3.3
ipv6 access-list TUNN
permit ipv6 host 2002:202:202:12::1 host 2002:303:303:4::4
permit ipv6 host 2002:303:303:4::4 host 2002:202:202:12::1
R2#sh debugging
Generic IP:
IP packet debugging is on (detailed) for access list 101
Generic IPv6:
IPv6 unicast packet debugging is on (detailed) for access list TUNN
R2#debug ip packet detail 101
IP packet debugging is on (detailed) for access list 101
R2#
*Mar 1 00:28:17.791: IPv6: Sending on Serial0/1
*Mar 1 00:28:18.079: IPV6: source 2002:202:202:12::1 (Serial0/1)
*Mar 1 00:28:18.079: dest 2002:303:303:4::4 (Tunnel0)
*Mar 1 00:28:18.083: traffic class 0, flow 0×0, len 100+4, prot 58, hops 63, forwarding
*Mar 1 00:28:18.083: IP: tableid=0, s=2.2.2.2 (local), d=3.3.3.3 (Serial0/0), routed via FIB
*Mar 1 00:28:18.083: IP: s=2.2.2.2 (local), d=3.3.3.3 (Serial0/0), len 120, sending, proto=41
*Mar 1 00:28:18.263: IP: tableid=0, s=3.3.3.3 (Serial0/0), d=2.2.2.2 (Loopback0), routed via RIB
*Mar 1 00:28:18.267: IP: s=3.3.3.3 (Serial0/0), d=2.2.2.2, len 120, rcvd 4, proto=41
*Mar 1 00:28:18.267: IPV6: source 2002:303:303:4::4 (Tunnel0)
*Mar 1 00:28:18.271: dest 2002:202:202:12::1 (Serial0/1)
*Mar 1 00:28:18.271: traffic class 0, flow 0×0, len 100+20, prot 58, hops 62, forwarding
[...] unlike automatic 6to4 tunnels, which I blogged about last time, ISATAP tunnels automatically send traffic to its IPv6 destination [...]