1 00:00:02,001 --> 00:00:09,000 [music] 2 00:00:09,300 --> 00:00:12,600 Next is going to be 6to4 tunnels. 3 00:00:12,600 --> 00:00:15,900 And the advantage to these is they're dynamic, 4 00:00:15,900 --> 00:00:22,100 they're multi-point, so it will just build a tunnel with whoever 5 00:00:22,100 --> 00:00:23,300 it needs to build a tunnel to. 6 00:00:23,600 --> 00:00:28,700 The advantage is we're not going to be putting in a tunnel destination. 7 00:00:28,700 --> 00:00:32,300 So the two previous examples we looked at, 8 00:00:32,300 --> 00:00:37,700 the GRE and the IP6 IP are point-to-point. 9 00:00:37,700 --> 00:00:39,200 You had a tunnel source. 10 00:00:39,200 --> 00:00:40,700 You had a tunnel destination. 11 00:00:40,700 --> 00:00:42,500 The tunnel comes up. 12 00:00:42,500 --> 00:00:45,800 You exchange routing protocols, whatever. 13 00:00:45,800 --> 00:00:52,500 Now as we go into 6to4 in ISATAP, I'm not going to say you can't run 14 00:00:52,500 --> 00:00:54,300 routing protocols over this. 15 00:00:54,300 --> 00:01:00,000 There are various methods, and tricks, and such to do so. 16 00:01:00,000 --> 00:01:02,400 We're not going to go into that today because, 17 00:01:02,700 --> 00:01:07,280 honestly, 6to4 and ISATAP, I don't think they're going to get used 18 00:01:07,280 --> 00:01:08,780 very much in the real world. 19 00:01:09,080 --> 00:01:14,780 As we move forward, we have MPLS, we have DMVPN which are both, 20 00:01:14,780 --> 00:01:17,180 ultimately I think, better solutions. 21 00:01:17,480 --> 00:01:19,580 But, we want to look at this anyway. 22 00:01:19,580 --> 00:01:20,781 We don't want to leave anything out. 23 00:01:20,781 --> 00:01:25,580 So we'll do 6to4 and ISATAP, but we're just going to use static routes 24 00:01:25,580 --> 00:01:29,480 with these. I'm not going to get into all the tricks you can do to 25 00:01:29,480 --> 00:01:32,180 get OSPF or EIGRP to come up over these. 
26 00:01:32,480 --> 00:01:36,680 And, of course, the problem with that is there's no destination. 27 00:01:36,680 --> 00:01:39,980 That's what it comes into, is there's no destination. 28 00:01:39,980 --> 00:01:45,680 So we can do it, it can be done, but I don't think it's really worth 29 00:01:45,680 --> 00:01:47,480 going into a huge discussion on. 30 00:01:47,480 --> 00:01:50,780 This is going to be using the same topology that we've been using 31 00:01:51,080 --> 00:01:51,680 the whole time. 32 00:01:51,980 --> 00:01:55,580 And once again, we'll go between R1 and R4, 33 00:01:55,880 --> 00:01:57,380 and just going over to Switch 2. 34 00:01:57,380 --> 00:02:02,480 Most of these other sites are for when we get into MPLS and DMVPN, 35 00:02:02,480 --> 00:02:06,380 although we certainly could bring them in here if we wanted to. 36 00:02:06,689 --> 00:02:10,280 And you'll see that this config can just be duplicated for multiple 37 00:02:10,580 --> 00:02:12,080 sites. It's not a big deal. 38 00:02:12,080 --> 00:02:18,980 Let's switch over to the command line, and once again we'll start 39 00:02:18,980 --> 00:02:19,880 with router 1. 40 00:02:19,880 --> 00:02:22,580 I have no config on this at all yet. 41 00:02:22,880 --> 00:02:25,880 I took the tunnel out that we had on from previous labs. 42 00:02:26,180 --> 00:02:33,680 We're going to say interface tunnel 0, and this is where the real 43 00:02:33,980 --> 00:02:36,380 fun sort of begins. 44 00:02:36,680 --> 00:02:42,968 Let's look at this first before we get too far. 45 00:02:42,980 --> 00:02:49,280 Do Show IP Interface 46 00:02:49,280 --> 00:02:52,280 brief. Because as we start configuring our tunnel, 47 00:02:52,280 --> 00:02:57,380 what we need to know is what our egress interface is going to be. 48 00:02:57,380 --> 00:03:02,480 In the last two sections I built the tunnel between loopbacks, 49 00:03:02,780 --> 00:03:04,880 and we could do that here too. 
50 00:03:05,181 --> 00:03:07,880 It's just not nearly as much fun. 51 00:03:07,880 --> 00:03:11,180 We're going to actually build this between our physicals. 52 00:03:11,180 --> 00:03:13,880 That means that from router 1's perspective, 53 00:03:13,880 --> 00:03:19,280 if you look back at the diagram, he's going to be going from FA 00.12, 54 00:03:19,280 --> 00:03:25,880 and his address is 173.1.12.1. 55 00:03:25,880 --> 00:03:29,480 This is just really where the fun begins. 56 00:03:29,780 --> 00:03:39,380 Here we go. IPv6 address-- if you read the documentation they tell 57 00:03:39,380 --> 00:03:43,080 you that 6to4 tunnels are supposed to use the 2002 address space. 58 00:03:43,080 --> 00:03:47,580 Realistically speaking you could technically do whatever you want. 59 00:03:47,580 --> 00:03:48,780 It doesn't really matter. 60 00:03:48,780 --> 00:03:52,680 But you're supposed to, fine, we'll stick with that. 61 00:03:52,680 --> 00:03:54,780 Here's where the fun comes in. 62 00:03:55,080 --> 00:04:01,080 2002 is supposed to be the first 16 bits - great. 63 00:04:01,080 --> 00:04:08,280 The next two fields, the next two fields are going to be in our case 64 00:04:08,580 --> 00:04:30,180 AD01:C01. Translation of 173 is AD1.1.12.C.1, 65 00:04:30,180 --> 00:04:38,280 so it's the IPv4 address of the underlying egress interface for the 66 00:04:38,280 --> 00:04:47,780 tunnel has to be in bits 17 through-- ultimately it's going to be 67 00:04:48,080 --> 00:04:57,080 48. Those next two fields need to be your IPv4 address converted 68 00:04:57,080 --> 00:05:01,280 to hex. By the way in case you haven't figured it out yet, 69 00:05:01,280 --> 00:05:05,180 that right there is the problem with these tunnels. 70 00:05:05,180 --> 00:05:08,480 As we go through this, well, what's the good? 71 00:05:08,780 --> 00:05:09,380 What's the bad? 72 00:05:09,380 --> 00:05:11,480 Pros and cons - there's your con right there. 
73 00:05:11,480 --> 00:05:16,030 Who's going to go convert all your IPv4 address to hex? 74 00:05:16,030 --> 00:05:19,330 I'll do it for you, you have my email address at the beginning of 75 00:05:19,330 --> 00:05:22,031 the course. I'll be happy to do it for you. 76 00:05:22,281 --> 00:05:24,680 I charge by the prefix though. 77 00:05:24,980 --> 00:05:25,580 Just so you know. 78 00:05:25,880 --> 00:05:29,180 No, seriously though, this is going to be a real pain. 79 00:05:29,180 --> 00:05:31,880 And then just give it a host portion. 80 00:05:31,880 --> 00:05:35,180 I honestly don't care what the rest of it is - something like /64, 81 00:05:35,180 --> 00:05:39,080 fine. If you want to specify the link local address you can. 82 00:05:39,380 --> 00:05:41,980 In this case it's not going to really matter. 83 00:05:41,980 --> 00:05:47,380 Now we say, tunnel source, and you have to tie this to the interface 84 00:05:47,680 --> 00:05:50,380 that we just did the IP. 85 00:05:50,380 --> 00:06:02,380 It's FA 00.12, and tunnel mode IPv6 IP which is what we did in the 86 00:06:02,380 --> 00:06:10,480 previous lesson, but we have to follow it up with 6to4 because this 87 00:06:10,480 --> 00:06:11,680 is a 6to4 tunnel. 88 00:06:11,680 --> 00:06:17,080 Now what that tells the router by setting the mode to IPv6IP 6to4 89 00:06:17,080 --> 00:06:23,980 that tells him, okay, so here's the deal when a packet shows up since 90 00:06:24,280 --> 00:06:31,780 I am a 6to4 tunnel I know that I'm going to get the tunnel destination 91 00:06:31,780 --> 00:06:35,980 out of these fields right here. 92 00:06:36,280 --> 00:06:38,080 Now I'm going to get back to that in a second. 93 00:06:38,080 --> 00:06:42,280 Before I go any further though I want to go set up the tunnel on 94 00:06:42,580 --> 00:06:43,480 the other side. 
95 00:06:43,480 --> 00:06:47,380 Let's go over to router 4 and say, interface tunnel 0, 96 00:06:47,680 --> 00:06:51,180 probably want to say, Do Show IP Interface Brief, 97 00:06:51,480 --> 00:07:02,880 so then we can say, tunnel source ins FA 0/0.34 tunnel mode is IPv6 98 00:07:03,180 --> 00:07:17,080 IP 6to4. And the IPv6 address is 2002:, 99 00:07:17,080 --> 00:07:22,180 and the translation on this one is also going to be ad01:. 100 00:07:22,180 --> 00:07:34,780 But this one, the 34 translates to 2204. 101 00:07:34,780 --> 00:07:42,280 So 22 for the 34, 4 for the 4, ::4 just to give them a host portion. 102 00:07:42,280 --> 00:07:48,580 Okay, now that's all fine. 103 00:07:48,580 --> 00:07:53,080 Here's the problem. 104 00:07:53,080 --> 00:08:02,292 First off, you've got to get all traffic with a 2002 to go 105 00:08:02,292 --> 00:08:03,192 to this tunnel. 106 00:08:03,192 --> 00:08:09,192 I'm trying to think of the best way to explain the overall problem 107 00:08:09,492 --> 00:08:13,692 here. Maybe the best way is just to bluntly shove it right at you. 108 00:08:13,692 --> 00:08:18,192 That is the network portion on router 4. 109 00:08:18,192 --> 00:08:22,092 His network portion has a 2204 in it. 110 00:08:22,092 --> 00:08:29,292 On router 1, his network portion has AC01 in it. 111 00:08:29,292 --> 00:08:34,992 These guys aren't on the same network. 112 00:08:34,992 --> 00:08:41,292 We have two ends of a tunnel that are not on the same network. 113 00:08:41,292 --> 00:08:47,592 When they designed the 6to4 tunnel, the idea was to embed the IPv4 114 00:08:47,892 --> 00:08:50,592 address because again, what have I not typed, 115 00:08:50,592 --> 00:08:52,092 even though the tunnel says up? 116 00:08:52,392 --> 00:08:55,092 I never said tunnel destination. 117 00:08:55,092 --> 00:09:02,292 Not once. Who is he supposed to build this tunnel to? That's what 118 00:09:02,592 --> 00:09:07,592 we don't know. 
Where we're supposed to find out is out of these two 119 00:09:07,592 --> 00:09:09,692 fields, that's great. 120 00:09:09,992 --> 00:09:16,492 But here's the problem, they put it in the network portion instead 121 00:09:16,792 --> 00:09:20,392 of the host portion it honestly should have probably been in the 122 00:09:20,392 --> 00:09:23,992 host portion. We're going to talk about ISATAP in the next lesson 123 00:09:24,293 --> 00:09:29,092 and that's what they did, they put it in the host portion. 124 00:09:29,392 --> 00:09:34,192 But since it's in our network portion that means that we're now going to 125 00:09:34,192 --> 00:09:40,792 have to manually push all the traffic for 2002 down the tunnel. 126 00:09:40,792 --> 00:09:57,892 IPv6 route 2002::/16 to tunnel 0, and do the exact same thing on 127 00:09:58,192 --> 00:10:08,092 router 4. We have to push all the 2002 traffic into the tunnel. 128 00:10:08,092 --> 00:10:16,492 But that's not even enough, because our network is using 2001 and 129 00:10:16,492 --> 00:10:18,592 such for the other locations. 130 00:10:18,592 --> 00:10:27,892 So now we have to teach each side how to get to the subnets on the 131 00:10:28,192 --> 00:10:32,092 other sides. Let's see, I'm on router 4 here? 132 00:10:32,092 --> 00:10:43,792 Now I'm going to need IPv6 route to 2001 DB8:100:-- we'll say 7 133 00:10:44,092 --> 00:10:48,892 ::/64. Where does that go? 134 00:10:49,192 --> 00:10:55,992 To tunnel 0. But here's the key to this whole thing. 135 00:10:56,292 --> 00:11:00,792 This is the key to what makes 6to4 work right here. 136 00:11:00,792 --> 00:11:20,592 Next hop 2002 AD01 C01::1 - router 1's tunnel address for the 6to4. 137 00:11:20,592 --> 00:11:22,692 How does this work? 138 00:11:22,992 --> 00:11:29,592 Very simple, here comes a packet to this router going to router 1's 139 00:11:29,892 --> 00:11:33,792 loopback 1 interface. 
That's what that is in case you're not real 140 00:11:33,792 --> 00:11:34,992 familiar looking at the diagram. 141 00:11:35,292 --> 00:11:41,292 That's router 1's loopback 1 interface and I see it goes to tunnel 142 00:11:41,292 --> 00:11:45,492 0 to this next-hop 2002. 143 00:11:45,492 --> 00:11:50,092 Now this recursive look up is what puts the 2002 into the tunnel, 144 00:11:50,092 --> 00:11:53,392 not to mention of course we're pushing it down tunnel 0. 145 00:11:53,392 --> 00:12:01,292 But this right here is the magic, the router sees that in the next-hop, 146 00:12:01,292 --> 00:12:06,392 sees that it's a 2002 address, and that it's a 6to4 tunnel, 147 00:12:06,692 --> 00:12:16,592 and it goes, oh, so AD01:C01, that's the IPv4 address of the device 148 00:12:16,592 --> 00:12:18,692 that I need to build the tunnel to. 149 00:12:18,992 --> 00:12:22,892 That's your destination right there. 150 00:12:22,892 --> 00:12:26,792 It pulls it out because he knows he's a 6to4 tunnel, 151 00:12:26,792 --> 00:12:31,592 so it pulls it out of the next-hop from the routing protocol. 152 00:12:31,592 --> 00:12:36,992 But I hope you can see why it makes it very difficult to run a dynamic 153 00:12:36,992 --> 00:12:38,792 routing protocol over this. 154 00:12:38,792 --> 00:12:41,492 I did not say impossible, I said difficult. 155 00:12:41,792 --> 00:12:47,192 I could do BGP and instead of putting this IPv6 route, 156 00:12:47,492 --> 00:12:54,392 I could've said neighbor 2002:AD01:C01::1. 157 00:12:54,392 --> 00:12:58,892 I could use that for my neighborship, and that would tell me who 158 00:12:58,892 --> 00:13:00,092 to build the tunnel to. 159 00:13:00,092 --> 00:13:05,792 Okay, so the trick is, is that we're using that address, 160 00:13:05,792 --> 00:13:12,392 the IPv6 address of the other side of the tunnel as the destination 161 00:13:12,392 --> 00:13:13,892 for our frames. 162 00:13:13,892 --> 00:13:15,692 That's all we need to do. 
163 00:13:15,692 --> 00:13:20,192 That's it. Now, it'd be nice if our switches, 164 00:13:20,492 --> 00:13:22,892 and everybody, could learn about this. 165 00:13:22,892 --> 00:13:31,592 We probably also want to follow up with IPv6 router EIGRP 100 redistribute 166 00:13:31,592 --> 00:13:33,992 static metric. 167 00:13:34,292 --> 00:13:40,892 Then we pretty much do the opposite on the other end. 168 00:13:40,892 --> 00:13:54,092 We say IPv6 route 2001DBA:100:8::/64 out tunnel 0, 169 00:13:54,092 --> 00:14:07,592 with a next-hop of 2002: and this one would be AD01:2204::4. 170 00:14:07,592 --> 00:14:29,192 There we go. And if we've done our job correctly, 171 00:14:29,492 --> 00:14:42,392 we should be able to go over to our switch and say to trace to 2001:DB8:100:8::8. 172 00:14:42,392 --> 00:14:44,493 And there we go. 173 00:14:44,493 --> 00:14:50,092 You can see right here how it's passing through the tunnel right 174 00:14:50,392 --> 00:14:52,493 there, using those addresses. 175 00:14:52,493 --> 00:14:55,792 Again, how did it learn the destination? 176 00:14:55,792 --> 00:14:58,492 The destination is right there. 177 00:14:58,492 --> 00:15:00,592 It's right out of the static route. 178 00:15:00,592 --> 00:15:04,792 So, again, these work fine. 179 00:15:04,792 --> 00:15:08,992 Like I said, dynamic routing is a little tricky over them. 180 00:15:08,992 --> 00:15:10,192 Certainly, not impossible. 181 00:15:10,492 --> 00:15:14,692 BGP's actually the easiest of them, to be honest with you. 182 00:15:14,692 --> 00:15:19,492 But, there it is. 183 00:15:19,492 --> 00:15:21,592 Static's, of course, easy. 184 00:15:21,892 --> 00:15:23,392 Just redistribute the static then. 185 00:15:23,692 --> 00:15:26,092 So, what are the advantages and disadvantages? 186 00:15:26,392 --> 00:15:28,792 The advantage is it's dynamic. 187 00:15:29,092 --> 00:15:30,892 I didn't have to put in a tunnel destination.
0:15:31.280000 --> 0:15:36.920000 So if I had 400 remote sites, it would just mean 400 static routes with 0:15:36.920000 --> 0:15:40.160000 their next hop set appropriately. 0:15:40.160000 --> 0:15:46.980000 Now, obviously the huge downside would be while the 400 static routes, 0:15:46.980000 --> 0:15:50.780000 it's sort of a double edged sword there, right? 0:15:50.780000 --> 0:15:55.060000 But the point is you're not making 400 tunnel interfaces and 400 subnets 0:15:55.060000 --> 0:15:58.960000 and manually setting 400 destinations and all that. 0:15:58.960000 --> 0:16:02.460000 In a way, you sort of are through the routing. 0:16:02.460000 --> 0:16:05.400000 But that's why I said, you know, if you really have that many remote sites 0:16:05.400000 --> 0:16:09.820000 and you're going to use six to four tunnels, maybe BGP would be a really 0:16:09.820000 --> 0:16:11.400000 good way to do that. 0:16:11.400000 --> 0:16:16.360000 And just have it bring up BGP neighbor relationships and then do that. 0:16:16.360000 --> 0:16:19.800000 Or like I said, if you do a little bit of research, you'll find how to 0:16:19.800000 --> 0:16:23.900000 run various dynamic routing protocols over this. 0:16:23.900000 --> 0:16:26.220000 It's not easy. It's not clean. 0:16:26.220000 --> 0:16:29.520000 And believe me when I say there's better options anyway. 0:16:29.520000 --> 0:16:31.940000 But it is functional. 0:16:31.940000 --> 0:16:33.740000 It's here. It works. 0:16:33.740000 --> 0:16:37.560000 So, that's pretty much six to four tunnels. 0:16:37.560000 --> 0:16:41.440000 They work fine.
They're just a little bit tedious with the configuration 0:16:41.440000 --> 0:16:47.740000 because you have to convert all the IPv4 addresses over to hex. 0:16:47.740000 --> 0:16:49.160000 And again, that's really no fun.