Understanding ISATAP routing

  • Question

  • Hello,

    Deployed UAG with DA and an ISATAP DNS entry so ISATAP is used inside my network; the UAG device is the ISATAP router. Now I am not really familiar with IPv6. For my understanding, if I do a traceroute via IPv6 it should even display the route from the ISATAP router, but it won't - it tracerts directly to the target host, even if the target host is on a different IPv4 subnet.

    Question1: If I connect from a Win7 to a W2008R2 machine internally via ISATAP and the W2008 machine is located at a different city location inside my corporate network, so IPv4 routing has to take place in any case, does ISATAP route me first through the ISATAP and then through the IPv4 router, or is it smart enough to realize that the ISATAP router can be ignored and the more cost-effective way would be to use IPv4 directly in the first place?

    Question2: If I connect from a Win7 to a Win2008R2 machine on the same IPv4 subnet via ISATAP, is the whole traffic first routed via the ISATAP router, or is the ISATAP virtual interface smart enough to realize it's the same subnet and connect me directly?

    Question3: If tracert won't show me the hops, like in the old v4 way, how can I traceroute an IPv6 address?

    Sorry and mea culpa, these are maybe VERY VERY noob questions, but I must know, this stuff is really interesting ;-)

    best regards,
    Joerg



    Sunday, January 10, 2010 1:00 PM

All replies

  • Hi Joerg,

    Answer1: All ISATAP hosts that are connected to a single ISATAP router are considered as one subnet. They don't need to contact the ISATAP router in order to communicate with each other. All traffic is immediately converted to IPv4 and sent using the proper IPv4 route.

    Answer2: If both machines are ISATAP hosts of the same ISATAP router, then answer1 above applies as well. Traffic is sent directly between the hosts using IPv4.

    Answer3: It shows you the exact hops. You can notice that all ISATAP hosts have the ISATAP router as a default gateway, so that all IPv6 traffic (other than the ISATAP subnet) is sent via the ISATAP router.

    Read here for more information about ISATAP: http://technet.microsoft.com/en-us/library/bb726951.aspx

    Sunday, January 10, 2010 5:23 PM
  • Hi Yaniv,

    Thank you very much for answering that fast!!! I just downloaded the doc, great whitepaper! Will study it the next days.

    My question 1) resulted from my experience of doing a traceroute from one ISATAP machine in v4 subnet a to one ISATAP machine in v4 subnet b. tracert -4 shows me all the hops it takes, but tracert alone or tracert -6 shows no hop at all; it simply says same subnet. So I guess the whole ISATAP system, as long as it is only one ISATAP router, is considered as one single subnet (regardless of how many IPv4 subnets are actually there).

    best regards
    Joerg


     
    Sunday, January 10, 2010 6:15 PM
  • Yes, you are right.
    ISATAP is a virtual interface, and it treats all other ISATAP hosts as one subnet - with a single "virtual" hop between them,
    even though, on the sublayer, it is translated to IPv4 with possibly numerous hops.
    Monday, January 11, 2010 6:50 AM
  • Exactly. That's the interesting thing about ISATAP. If you have two ISATAP hosts that are, say, 4 IPv4 router hops from each other, ISATAP still considers them on the same segment -- or just 1 IPv6 hop :)

    Thanks!
    Tom
    MS ISDUA
    Monday, January 11, 2010 11:40 AM
    Aaah, and then again, another question came to my mind ;-) and... it's a nasty one... or a noob one... don't know by now ;-) :

    Let's assume you enroll ISATAP in your IPv4 network. Let's assume you have two IPv4 subnets inside your network, 192.168.30.x/24 and 10.10.1.x/24. Let's assume further that in each of these networks is a Win7 machine, both of which are ISATAP enabled. Now: without ISATAP, when machine a tries to connect to machine b it must use some IPv4 router, because the 192.168.30.x machine wants to reach the 10.10.1.x machine, so all the traffic is going through the IPv4 router. NOW what about this with ISATAP enabled? Will the IPv4 router be transparently used by ISATAP, OR is ISATAP smart enough to recognize it could reach the other machine DIRECTLY?

    best regards,
    Joerg
    Tuesday, January 12, 2010 10:04 AM
  • If both machines are clients of the same ISATAP router, then they will talk to each other directly using IPv4, meaning the IPv4 router will be used by the machines A and B.
    • Marked as answer by Erez Benari Tuesday, January 12, 2010 8:06 PM
    Tuesday, January 12, 2010 1:58 PM
  • Hi Yaniv,

    Is this true EVEN if the machines are actually on the SAME LOCAL NETWORK? Will the IPv4 routes still be used?

    best regards
    Joerg
    Tuesday, January 12, 2010 8:11 PM
  • Yes,
    In this case the IPv4 routes are on-link, which means no routers (IPv4 or IPv6) are used.
    Wednesday, January 13, 2010 2:23 PM
  • Hi Joerg,

    Keep in mind that ISATAP is the "Intra-Site Automatic Tunnel Addressing Protocol".

    So, it is a tunneling protocol where IPv6 communications are encapsulated within IPv4. It's the IPv4 capsule that allows you to route through your IPv4 network.

    The "automatic addressing" part is due to the fact that the ISATAP router assigns your clients an IPv6 address to use inside the IPv4 capsule.

    So, over the wire, the communication appears as an IPv4 packet, but once it hits its endpoint, the IPv4 header is removed and it's a native IPv6 conversation to the client and server applications.

    Tom
    MS ISDUA
    Saturday, January 16, 2010 5:58 PM
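Added example, not part of the thread: a sketch of why two ISATAP hosts tunnel to each other directly, using the 192.168.30.x and 10.10.1.x subnets from Joerg's question. The interface ID layout (0:5efe:w.x.y.z) is from RFC 5214; the /64 prefix, the router's IPv4 address and all function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not from the thread): the /64 the
# ISATAP router advertises and that router's own IPv4 address.
ISATAP_PREFIX = ipaddress.IPv6Network("2001:db8:0:1::/64")
ISATAP_ROUTER_V4 = ipaddress.IPv4Address("192.168.30.1")


def isatap_address(prefix, ipv4):
    """Build prefix + 0:5efe:w.x.y.z (RFC 5214 interface ID, private IPv4)."""
    iid = (0x00005EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def embedded_ipv4(addr):
    """Return the IPv4 address embedded in an ISATAP address, else None."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    # Upper half of the interface ID: 0000:5efe (private) or 0200:5efe (global).
    if (iid >> 32) not in (0x00005EFE, 0x02005EFE):
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def tunnel_endpoint(dst):
    """IPv4 address the encapsulated packet is sent to, and the reason."""
    dst = ipaddress.IPv6Address(dst)
    v4 = embedded_ipv4(dst)
    if v4 is not None and (dst in ISATAP_PREFIX or dst.is_link_local):
        # One IPv6 hop, however many IPv4 routers sit between the two hosts.
        return v4, "on-link ISATAP host"
    # Everything outside the ISATAP subnet goes to the default gateway.
    return ISATAP_ROUTER_V4, "via ISATAP router"


if __name__ == "__main__":
    host_a = isatap_address(ISATAP_PREFIX, "192.168.30.25")
    host_b = isatap_address(ISATAP_PREFIX, "10.10.1.40")
    print(host_a, "->", host_b, tunnel_endpoint(host_b))
    print(host_a, "->", "2001:db8:0:2::10", tunnel_endpoint("2001:db8:0:2::10"))
```

On the wire this is IPv4 protocol 41 between the two hosts' IPv4 addresses, so firewalls and ACLs between the IPv4 subnets see host-to-host protocol 41 traffic rather than traffic to the ISATAP router.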
  • Hi Yaniv

    After DirectAccess is set up and ISATAP is deployed, all IPv6 servers now have an ISATAP address. Pings between IPv6 servers return with an ISATAP address.

    Question: If DirectAccess is offline for a day or so, will communication stop between ISATAP hosts?

    I have noticed as a test that if the DirectAccess server is offline, then the ISATAP hosts don't have an ISATAP default gateway and I am unable to ping between hosts; the hosts keep trying to ping the ISATAP address.

    Regards

    Paul

    Thursday, October 21, 2010 12:20 PM
  • The IPv6 (ISATAP) address is registered in DNS and you can find it there. That's why the clients are using that address, since IPv6 is used preferentially by Windows hosts.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Thursday, October 21, 2010 12:30 PM
  • Yes, there are ISATAP DNS entries, but I don't have a native IPv6 enabled network.

    With ISATAP enabled, does DirectAccess become the default router and gateway for ISATAP hosts?

    Thursday, October 21, 2010 12:52 PM
  • Q1: Yes, there are ISATAP DNS entries, but I don't have a native IPv6 enabled network.

    Q2: With ISATAP enabled, does DirectAccess become the default router and gateway for ISATAP hosts?


    A1: ISATAP is designed to provide IPv6 connectivity when you don't have an IPv6 enabled network, by encapsulating within IPv4.

    A2: Yes, if ISATAP is enabled as part of the UAG DA wizard.


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, October 21, 2010 3:33 PM
  • So the best solution, if you don't have a native IPv6 network, is to deploy ISATAP and configure the DirectAccess servers in an array with NLB for redundancy?

    Seeing that you don't want the DirectAccess servers to be offline.

    Thursday, October 21, 2010 5:08 PM
  • ISATAP is a good option to provide IPv6 connectivity for most existing IPv4 based networks.

    Have a look at this guidance for more info: http://technet.microsoft.com/en-us/library/ee406201.aspx

    Yes, using DA with a UAG array and NLB is a good option for general high availability and will also provide redundancy for the ISATAP router role...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, October 21, 2010 10:47 PM
  • Hi,

    I just wanted to emphasize that the UAG server doesn't take part in the routing between ISATAP hosts.

    Even if the server is down for an hour, the 2 ISATAP hosts will be able to communicate with one another using their ISATAP addresses.

    However, after some time, the hosts will notice that the ISATAP router is gone, and so they'll lose their ISATAP address. In this case, they should fall back to IPv4 with no problem.

    Friday, October 22, 2010 9:37 PM