Can You Configure IPv4 & IPv6 Addressing on An ISATAP? Find Out How!

Source: cybrary.it

What are we doing?

This lab consists of 2 exercises that guides you through the process of configuring an ISATAP router on an existing IPv4 network.

Why would we want to do this?

ISATAP allows the deployment of IPv6 on an existing IPv4-only networking environment without an upgrade to any routers or other support infrastructure.

With ISATAP, IPv4-dependent applications can continue to utilize IPv4 while newer applications can be deployed utilizing IPv6, since both types of traffic share a single common IPv4 infrastructure. The benefit of ISATAP is that an existing IPv4-only infrastructure can provide IPv6 connectivity immediately with no requirements for router software or hardware upgrades.¹

Who would use this?

ISATAP is mainly there to help enterprises transition from an IPv4 infrastructure to an IPv6 infrastructure. ISATAP will essentially encapsulate the IPv6 packet with an IPv4 header, making it appear as if it were just a simple old IPv4 packet traveling through the network. ISATAP should not be seen as a simpler solution to transitioning to IPv6, though, and should only be seen as a temporary tool to accommodate the IPv4/IPv6 traffic during the overhaul of the infrastructure from IPv4 to IPv6.²

Thoughts?

Although most IoT devices are still configured as IPv4-only, I’m starting to think that configuring an ISATAP router for your SOHO is not recommended, since SOHO IPs are private and the only accessible IPv4 address would be the gateway… and since ISATAP routers are to be used “within a site” where all of the endpoints must have ISATAP tunneling enabled in their stack, other tunneling modes like 6to4 or Teredo would be a more effective choice for a SOHO since modes like 6to4 and Teredo only enable the tunneling at the gateway. I feel confident on this theory, but I would love to have a devil’s advocate on this.

Vendor

Practice Labs

Lab

1.2 — Configure IPv4 and IPv6 Addressing

Learning Outcomes

• Exercise 1 — Configure the network to use an ISATAP router
• Exercise 2 — Setup network connectivity between IPv4 and IPv6 devices

CompTIA Network+ Exam Objectives

• N10–007 1.4 — Given a scenario, configure appropriate IP addressing components
• N10–007 2.2 — Given a scenario, determine the appropriate placement of networking devices on a network and install/configure them

Lab Topology

Source: Practice Labs

Exercise 1

Configure the Network to use an ISATAP Router

Learning Objective

Effectively set up an ISATAP networking environment.

Task 1 — Configure a Static IP Address for a Second Network Interface on a Domain Member

A computer running any Windows OS can act as a software-based-router by installing a secondary NIC and configuring a static IP Address to its interface.

Step 1: Connect to PLABWIN10 and open the Windows PowerShell as Administrator by typing “Windows PowerShell” in the search box to the left of the task bar.

Step 2: At the prompt, input:

netsh interface ip set address name="Ethernet 2" static 192.168.0.50 255.255.255.0

in order to create a new network interface called Ethernet 2 and to set the static IP Address of Ethernet 2 to 192.168.0.50.

Step 3: At the next prompt, input:

netsh interface ip set dns "Ethernet 2" static 192.168.0.2

in order to configure Ethernet 2’s network interface to use server PLABDC01(192.168.0.2) as the preferred DNS Server.

Step 4: At the next prompt, input:

ipconfig /all

in order to verify Ethernet 2’s interface is created and displays the correct configurations:

IPv4 Address: 192.168.0.50
Subnet Mask: 255.255.255.0
DNS Server: 192.168.0.2 

Task 1 Complete!

Task-1-Summary

• We went ahead and created a new network interface off of our Windows 10 computer(PLABWIN10), called “Ethernet 2” and gave it a static IP Address of 192.168.0.50
• We then created a static route for our Windows 10 computer(PLABWIN10) to use our Windows 2019 server(PLABDC01) as the preferred DNS Server, under IP Address 192.168.0.2

Task 2 — Configure a Static IP Address for a Second Network Interface on a Domain Controller

With this task, we will be configuring a second network interface for the Windows 2019 domain server PLABDC01.

Step 1: Connect to PLABDC01 and open Windows PowerShell as Administrator

Step 2: At the prompt, input:

netsh interface ip set address name=”Ethernet 2” static 192.168.0.2 255.255.255.0

Task 2 Complete!

Task-2-Summary

• We went ahead and created a new network interface called Ethernet 2 on our Windows 2019 server(PLABDC01) and set the static IP Address of Ethernet 2 to 192.168.0.2
• We do this because server PLABDC01 does not have Ethernet 2 as an existing network interface yet, even though we created it on our Windows 10 computer(PLABWIN10). In order for our Windows 10 computer to use our Windows 2019 server(PLABDC01) as its preferred DNS Server, we first need to create a “home” in PLABDC01 for Ethernet 2 to use. Without manually creating a new network interface for each device to connect to, communication between the devices could not be achieved on the desired network.
• Therefore, PLABWIN10 would not be able to use PLABDC01 as its DNS Server if PLABDC01 failed to have the Ethernet 2 network set up on its device.

Task 3 — Configure a Static IP Address for a Second Network Interface on a Standalone Server

With this task, we will be configuring a second network interface for the standalone Windows 2019 server PLABSA01.

Step 1: Connect to PLABSA01 and open the Windows PowerShell as Administrator

Step 2: At the prompt, input:

netsh interface ip set address name=”Ethernet 2” static 192.168.0.40 255.255.255.0

Task 3 Complete!

Task-3-Summary

• Just like in Task 2, we needed to set-up the Ethernet 2 network on our other Windows 2019 server(PLABSA01) so that the other two devices can communicate with this device, as well.
• We went ahead and set up its static IP Address as 192.168.0.40

Task 4 — Enable IP Routing on the Standalone Server PLABSA01

With this task, we will be configuring the the standalone Windows 2019 server(PLABSA01) to be capable of IP Routing.

Step 1: Stay connected to PLABSA01 and maximize the PowerShell window. At the prompt, input:

regedit

in order to open the Registry Editor

Step 2: Navigate to:

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters

Step 4: Input 1 under Value Data and click OK and close the editor

Step 5: Reboot PLABSA01 in order for IP Routing capability on PLABSA01 to be initialized

Step 6: Open Windows PowerShell again as Administrator

Step 7: At the prompt, input:

ipconfig /all

in order to confirm:

IP Routing Enabled=Yes

Task 4 Complete!

Task-4-Summary

• We’re using this standalone Windows 2019 server as a NAT so that when we convert our Windows 10 computer(PLABWIN10) to an IPv6-only device, our computer can use this server(PLABSA01) to communicate with our IPv4-only device, DNS Server PLABDC01
• This standalone server will essentially be the one responsible for encapsulating our IPv6 packets into IPv4 headers. Without enabling IP Routing on this server, IP tunneling wouldn’t be capable

Task 5 — Disable IPv6 on the Domain Controller

With this task, we will be disabling the IPv6 network protocol on PLABDC01 in order to convert it into an IPv4-only device

Step 1: Connect to PLABDC01 and right-click on the network icon on the system tray and select Open Network & Internet Settings

Step 2: Go to Ethernet -> Network and Sharing Center -> Change adapter settings

Step 3: right-click Ethernet 2 and select Properties

Step 4: un-check the box next to Internet Protocol Version 6(TCP/IPv6) and click OK

Task 5 Complete!

Task-5-Summary

• So, in this lab, it is safe to believe that this company’s infrastructure still uses legacy hardware/software that’s embedded as an IPv4-only device. Since the IETF standardizes IPv6 as the default (standard-RFC3484), our server(PLABDC01) is designed to automatically prefer the IPv6 address over the IPv4 address during a DNS request (since both IPv4 and IPv6 requests run parallel during a DNS request)³
• That means if an IPv4-only device makes a DNS request, the DNS server PLABDC01 will mistakenly resend the IPv6 address information since it’s defaulted to prefer the IPv6 address over the IPv4 address. This obviously becomes a problem since the IPv4-only devices wont be able to accept the IPv6 information
• Because of this, we need to ensure that our IPv4-only devices can still function properly during our infrastructure overhaul to IPv6. We do this by turning off the IPv6 network adaptor under our Ethernet 2 network interface so that our server(PLABDC01) can only accept the IPv4 information when using the Ethernet 2 network

Task 6 — Disable IPv4 on Domain Member Client

With this task, we will be disabling IPv4 operations on computer PLABWIN10 so that it can be converted into an IPv6-only device.

Step 1: Connect to PLABWIN10 and right-click on the network icon in the system tray and select Open Network & Internet Settings

Step 2: Go to Ethernet -> Network and Sharing Center -> Change adapter settings

Step 3: right-click Ethernet 2 and select Properties

Step 4: un-check the box next to Internet Protocol Version 4(TCP/IPv4) and click OK

Task 6 Complete!

Task-6-Summary

• Continuing with the idea that the company is overhauling their network infrastructure to eventually be IPv6 only, we would want any device that is IPv6 capable to be configured as an IPv6-only device.
• Since our Windows 10 computer(PLABWIN10) has IPv6 capabilities, in Task 6, we go ahead and disable the IPv4 network adaptor from the Ethernet 2 network interface so that our computer can act as an IPv6-only device on Ethernet 2

Task 7 — Verify the IP Address of IPv6 on the Second Interface of PLABWIN10

After disabling IPv4 on PLABWIN10, we need to verify that an IPv6 Address is automatically generated.

Step 1: Given that the Windows PowerShell is still open as Administrator, on our Windows 10 computer(PLABWIN10), expand the terminal and input at the prompt:

ipconfig

in order to confirm that only an IPv6 Address shows under Ethernet 2 and that it starts with ‘ fe80:’ (‘fe80:’ signifies that the address was automatically generated)

Task 7 Complete!

Task-7-Summary

• It’s important not to just assume that our Windows 10 computer automatically generated an IPv6 address for Ethernet 2, so it’s important to double check that only an IPv6 address is present under the Ethernet 2 interface

Task 8 — Configure an IPv6 Router ISATAP Advertisement on PLABSA01

With this task, we will configure PLABSA01 to advertise itself as an ISATAP router and send out IPv6 router advertisements from Global Address: 2001.

Step 1: Clear the PowerShell screen (clear) then, at the prompt, input:

netsh interface ipv6 set interface “Ethernet 2” forwarding=enabled advertise=enabled

Step 2: On the next prompt, input:

netsh interface ipv6 add route 2001:db8:0:1::/64 “Ethernet 2” publish=yes

This response confirms that the ISATAP routing address is now configured and it begins with 2001.

Task 8 Complete!

Task-8-Summary

• Even though we already set up our standalone server(PLABSA01) to enable IP Routing and is already technically configured be our ISATAP router, we haven’t done anything yet to advertise that it is. Because of this, non of our ISATAP devices are aware of PLABSA01 being our ISATAP router
• We fix this by enabling IP forwarding and advertise on our standalone server within Ethernet 2 and creating global routing address (2001) so that all devices can have access to it
• This enables the ISATAP devices to find the router, to connect to it, and to get addressing and routing information required to set up an ISATAP connection

Task 9 — Verify IPv6 Configuration on PLABWIN10

With this task, we will verify that PLABWIN10, which is now an IPv6-only device, is receiving the routing address beginning with 2001 to enable it to connect to the IPv4-only devices on the network.

Step 1: Clear the PowerShell screen (clear) on our Windows 10 computer(PLANWIN10), then input:

ipconfig

From what’s displayed, notice that IPv6 on the Ethernet 2 interface is bound to a global address compatible with the 2001:db8:0:1: format.

(IPv6 provides two different types of addresses: link-local addresses beginning with fe80 (which are self-assigned using EUI64) and global addresses of which are provided by local IPv6 routers (or by DHCPv6 servers). Interfaces routinely have both types of addresses simultaneously assigned as each one is used for different services and purposes.)

Exercise 1 Complete!

Exercise-1-Summary

So the first exercise was to configure our existing network to use an ISATAP router. Let’s see how we did:

First, we created a new network interface, called Ethernet 2, that our ISATAP devices can communicate on (IP 192.168.0.x)

We then configured one of our existing servers(PLABDC01) to be our designated DNS Server(192.168.0.2) and made sure to configure it as an IPv4-only device so that it doesn’t try to dish-out IPv6 information to our legacy devices that happen to be IPv4 only

Next we configured another one of our servers(PLABSA01) to act as our ISATAP router(192.168.0.4) in order to create our needed IPv4/IPv6 tunnel

Now that we have a dedicated DNS Server that’s IPv4 only and a dedicated ISATAP router, we can configure all of our IPv6-capable devices to be IPv6 only as well as ensure that our IPv4-only devices can continue to operate properly throughout the infrastructure overhaul

With our infrastructure now constructed with a dedicated DNS server, an ISATAP router, and an ISATAP device, we can progress to Exercise 2 and test to ensure that our devices are connected and communicating properly. YAY!

Exercise 2

Setup Network Connectivity between IPv4 and IPv6 Devices

Learning Objective

Have IPv4-only devices and IPv6-only devices communicate with each other on Ethernet 2

Task 1 — Add the Standalone Server to a Domain

We need to make PLABSA01 a member server of the PRACTICELABS.COM domain.

Step 1: Connect to PLABSA01 and select the PowerShell window and at the prompt and input:

netsh interface ip set dns “Ethernet” static 192.168.0.2

Step 2: In the next prompt, input:

netsh interface ip set dns “Ethernet 2” static 192.168.0.2

These commands (Step 1 and 2) set the preferred DNS server for both the interfaces on the PLABSA01 server.

Step 3: In the next prompt, input:

Add-Computer -DomainCredential practicelabs\administrator -DomainName practicelabs.com

Step 4: When asked for a password, input:

Passw0rd

and click OK

Step 5: Reboot PLABSA01

Task 1 Complete!

Task-1-Summary

• To test this network, we setup the standalone server(PLABSA01) to be added to the practicelabs.com domain to allow the ISATAP enabled devices to contact the server-router for the addressing and routing details
• We then rebooted our server(PLABSA01) for the configuration to take effect

Task 2 — Add Host Records of PLABSA01 to the PLABDC01 DNS Server

With this task, we will add both the network interfaces of PLABSA01 (IP 192.168.0.4) as ISATAP host records to the DNS service on PLABDC01.

Step 1: Connect to PLABDC01 and maximize Server Manager and click on tools and select dns

Step 2: On the DNS Manager, expand the PLABDC01 node under the console tree on the left pane.

Under the PLABDC01 node, expand the Forward Lookup Zones node and then expand PRACTICELABS.COM.

Notice that DNS records in the PRACTICELABS.COM zone are listed on the details pane at the right.

Step 3: Right-click PRACTICELABS.COM and select New Host (A or AAAA).

Step 4: In the New Host dialog box, specify the following values:

Name (uses parent domain name if blank): ISATAP
IP address: 192.168.0.4

Click Add Host.

This adds the Ethernet network interface of PLABSA01 (IP 192.168.0.4) as an ISATAP host record to the PRACTICELABS.COM zone.

Step 5: Back on the New Host dialog box, specify the following values:

Name (uses parent domain name if blank): ISATAP
IP address: 192.168.0.40

Click Add Host.

This adds the Ethernet 2 network interface of PLABSA01 (IP 192.168.0.40) as an ISATAP host record to the PRACTICELABS.COM zone.

Step 6: Click done

Step 7: Back on the DNS Manager console, find the two new Host (A) records listed.

Close the DNS Manager Application window.

Task 2 Complete!

Task-2-Summary

Because we dedicated our standalone server(PLABSA01) to be configured as an ISATAP router, we need to inform our DNS Server(PLABDC01) of this so that it can forward packet information to our ISATAP router.

In this case, we first decide to only have information coming from PRACTICELABS.COM being forwarded to our ISATAP router(PLABSA01). That way, we can test that every device is communicating properly before committing to a full deployment.

Task 3 — Configure ISATAP Router on PLABSA01

You will use NETSH commands to configure a server as an ISATAP router. In this task, you will configure an ISATAP router on the PLABSA01 server.

Step 1: Log into PLABSA01 as other user and sign in with the following credentials:

• Username: Practicelabs\Administrator
• Password: Passw0rd

Step 2: Minimize the Server Manager.

Click Start to display the Start menu.

Select Windows PowerShell > Windows PowerShell.

Step 3: In the PowerShell prompt, input:

netsh interface ipv6 isatap set router 192.168.0.4

Step 4: Notice the system responds with an OK to confirm the ISATAP router has been setup on the server.

On the next prompt, input:

ipconfig

Step 5: On the configuration details displayed, notice the details of the two tunnel adapters configured for ISATAP.

Highlight the value of the isatap.{interface_index} of the first tunnel adapter.

Step 6: Click on the PowerShell icon on the top left.

Go to Edit and choose Copy.

Step 7: On the next prompt, input the following command:

netsh interface ipv6 set interface "isatap.Interface_Index" forwarding=enabled advertise=enabled

where the “isatap.Interface_Index” is replaced with the value we copied in the previous step.

Step 8: Notice that the system responds to the command with Ok, confirming that the ISATAP addressing information is now configured on the PLABSA01 ISATAP router.

On the next PowerShell prompt, input:

netsh interface ipv6 add route 2001:db8:0:10::/64 "isatap.{interface_index}" publish=yes store=persistent

where the “isatap.Interface_Index” is once again replaced with the value we copied in a previous step.

Step 9: From the details displayed, notice under the first Tunnel adapter, the value:

IPv6 Address: 2001:db8:0:10:0:5efe:192.168.0.4

This indicates that the IPv4 address 192.168.0.4 is now associated with a global IPv6 address of 2001:db8:0:10:0:5efe.

Task 3 Complete!

Task-3-Summary

• Just because all of our devices know about our ISATAP router, and that our ISATAP router is enabled for IP Routing, doesn’t mean our router(PLABSA01) is fully configured to start tunneling packet information
• So, in Task 3, we decide to finish setting up our ISATAP router by configuring our tunnels
• This means that ISATAP is setup and the IPv6-only devices are now able to connect to IPv4-only devices using the global address and routing information

Task 4 — Enable ISATAP on an IPv4-only Domain Server

After setting up PLABSA01 as an ISATAP router, you enable the IPv4-only domain server to access the ISATAP router. In this task, you will enable PLABDC01 to connect to the ISATAP router PLABSA01.

Step 1: Switch to PLABDC01. Minimize the Server Manager, launch the Windows PowerShell application and input the following:

netsh interface isatap set router 192.168.0.4

Step 2: Notice that the system responds to the command with an Ok. This confirms that PLABDC01 is now ISATAP enabled.

On the next prompt, input:

ipconfig

Step 3: From the results displayed, notice the following:

1) The alpha-numeric values of the isatap. {interface_index} for the Tunnel adapter on this server is the same as was noted on the PLABSA01 which is the ISATAP router. This confirms that the ISATAP router is providing the addressing information to the ISATAP-enabled server.

2) The IPv6 address for PLABDC01 is from the global series 2001:db8:0:10:0:5efe and is associated with the IPv4 address 192.168.0.2

Therefore, the ISATAP router(PLABSA01) is providing the required addressing and routing information to the IPv4-only device PLABDC01.

Task 4 Complete!

Task-4-Summary

• Since our DNS server(PLABDC01) isn’t ISATAP enabled by default, we needed to enable ISATAP forwarding on PLABDC01 so that it can communicate properly with our ISATAP router(PLABSA01)
• With our DNS server(PLABDC01) and our ISATAP router(PLABSA01) now communicating properly, we can officially say that our new ISATAP network is fully setup and ready for testing!

Task 5 — Verify Connectivity between IPv4-only and IPv6-only Devices on the Network

Now that the network is configured for ISATAP connection, the IPv6-only PLABWIN10 should be able to communicate with the IPv4-only PLABDC01. We will verify that the connection is working by sending ping packets.

With this task, we will ping PLABDC01 from PLABWIN10 to verify that they can communicate with each other using the ISATAP configuration on PLABSA01.

Step 1: Switch to PLABWIN10. Maximize the Windows PowerShell window and input:

ping plabdc01

Step 2: Notice that PLABDC01 responds. Moreover, the response is from the global IPv6 address provided by the ISATAP router.

On the next prompt, input:

ping 192.168.0.2

This command pings the IPv4 service on PLABDC01.

Exercise 2 Complete!

Exercise-2-Summary

This exercise was used to ensure that our constructed ISATAP network had proper communication between each device. Lets see how we did:

First, we added our standalone server(PLABSA01) as a host on PRACTICELABS.COM’s domain to begin testing our connectivity

We then finished configuring our DNS server(PLABDC01) and our ISATAP router(PLABSA01) to begin tunneling IP packet information between each other, officially finishing the ISATAP connectivity to our network infrastructure

Finally we tested the connectivity by confirming a successful ping request between our ISATAP device(PLABWIN10) and our DNS server(PLABDC01), letting us know that our packets tunneled successfully and that our ISATAP network is functioning properly for our network!

Phew! We made it to the end and now we have a functioning IPv4/IPv6 tunnel in our company’s network. We can now begin overhauling our infrastructure to IPv6 and start getting our network back into shape!

Resources:

[1]: Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) Guide, Microsoft Corporation 2010 https://docshare02.docshare.tips/files/5530/55308368.pdf

[2]: How ISATAP Works And How It Can Help You Migrate To IPv6, Gregg O’Brien 2013 https://teamarin.net/2013/05/14/how-isatap-works-and-how-it-can-help-you-migrate-to-ipv6-2/

[3]: Dual Stack IPv4/IPv6 Devices, Cisco Systems Inc 2010 https://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/aag_c45-625513.pdf