An ISP can set up a 6to4 relay service by configuring at least two well-connected IPv6-enabled routers to set up automatic 6to4 tunnels.

A 6to4 tunnel is an automatic IPv6 tunnel where a 6to4 border router in an isolated IPv6 network creates a tunnel to a 6to4 border router in another isolated IPv6 network over an IPv4 infrastructure. The tunnel destination is determined by the globally unique, 32-bit IPv4 address of the remote 6to4 border router that is concatenated to the prefix 2002::/16. 6to4 tunnels are configured between 6to4 border routers or between 6to4 border routers and hosts.

A 6to4 relay service is a 6to4 border router that offers traffic forwarding to the IPv6 Internet for remote 6to4 border routers. A 6to4 relay forwards packets that have a 2002::/16 source prefix.

6to4 tunnels and connections to a 6to4 relay service need not be requested or negotiated between customers and the ISP. The ISP simply configures the 6to4 relay service and customers can automatically connect to the service whenever they like. Because of the one-to-many relationship between the 6to4 relay service and each 6to4 tunnel (each customer), there is low maintenance and management overhead associated with 6to4 tunnels and a 6to4 relay service. However, given that customers use the IPv4 address of their border router to construct the 6to4 address that they use to connect to the 6to4 relay service (they are not delegated a /48 prefix from the ISP), the ISP may want to manage the IPv4 routing announcements for the relay service to control its use (the ISP will need IPv4 traffic statistics if it wants to identify and charge individual customers for using the service).

Reverse 6to4 delegation can be requested at:, please check the instructions at

Brief Example

Here is a minimal config fragment. Check Cisco's documentation for full details. This should be configured on a dual-stack router that has good IPv4 and IPv6 connectivity. To minimize latency, it should be on the border between your IPv4-only network and your dual-stack network. This configuration can be duplicated to additional dual-stack routers for increased reliability.

! Your unique Router ID
! Use your own real IP addresses here instead of and 2001:db8::1
! The 6to4 relay anycast address (see RFC 3068) should be
! configured as a secondary address on the loopback interface
interface Loopback0
  ip address secondary
  ip address
  ipv6 address 2001:db8::1/128
interface Tunnel1
  description 6to4 Tunnel
  no ip address
  ipv6 unnumbered Loopback0
  tunnel source loopback0
  tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 Tunnel1

WARNING: The address on the loopback interface may be selected as your router ID during a subsequent reboot or an OSPF or BGP process restart. To prevent this (particularly if you are running multiple 6to4 gateways for reliability) you should explicitly specify your OSPF or BGP router ID.

A 6to4 gateway provides routing in two different directions. First, it provides a route for packets from native IPv6 (non-6to4) devices within an IPv6 network to reach 6to4 devices that do not have native IPv6 connectivity. The 2002::/16 route should be distributed to other IPv6 routers using an IPv6-capable IGP (e.g. OSPFv3 or RIPv6).

The gateway also allows packets from 6to4 devices that have only IPv4 connectivity to reach native IPv6 devices on the IPv6 network. The route to the anycast address should be distributed via an IPv4 IGP (e.g. OSPF or EIGRP) to other IPv4 routers.

For example, if you run OSPFv3 and OSPF on your routers:

ipv6 router ospf 10
 ! Redistribute the 2002::/16 static route
 redistribute static
router ospf 10
 ! Redistribute the route
 redistribute connected subnets

If the router will be a public 6to4 gateway, then the network and/or the 2002::/16 network should also be announced via BGP to other networks (see RFC 3068, section 4.3). Depending on your BGP peering policy and configuration, accomplishing this may require one or more of the following:

Detailed Example

Jordi Palet Martinez posted the following example on the AfriNIC mailing list:

Details of the example configuration

The examples below assume that the public IPv4 address in the WAN
interface of the router is You should replace that with the right
information for your own case, same with other data used in the examples.

Also, you need to understand how to calculate the 6to4 IPv6 address for your
router. This is done using the IPv4 address and the IPv6 6to4 prefix.

The 6to4 prefix 2002::/16 is taking the first 16 bits. Then the bits 17 to
48 are the nibble notation for your IPv4 address. So in our example it will

192 = c0
1 = 01
2 = 02
3 = 03

So consequently:

We will use the first address of the prefix for the WAN interface, so

Also, the anycast address for 6to4 is:
Following the same example as above, in IPv6 will be:

For our example using a Loopback, we use, which in IPv6 will be

We show below two options for the 6to4 Relay. One basic configuration and
another using the anycast address for 6to4. You just need to configure one
of them (A or B).

A Example configuration of a basic 6to4 Relay

This relay will only be reachable for hosts or routers with a manual
configuration pointing to it.

A1) Enable IPv6 in the router

ipv6 unicast-routing

A2) Ethernet0/0 interface configuration (obviously you can use another

 interface Ethernet0/0
  description 6to4 Relay Service
  ip address

A3) tunnel 6to4 virtual interface

  interface Tunnel2002
   description 6to4 Relay Interface
   no ip address
   no ip redirects
   ipv6 address 2002:c001:0203::1/128
   tunnel source Ethernet0/0
   tunnel mode ipv6ip 6to4

A4) 6to4 prefix route

  ipv6 route 2002::/16 Tunnel2002

B Example configuration of a 6to4 Relay with anycast support

B1) Enable IPv6 in the router

ipv6 unicast-routing

B2) We use the loopback (recommended), but you could use an Ethernet
Interface or any other one

  interface Loopback0
   description 6to4 Anycast Relay Service
   ip address secondary
   ip address
   ipv6 address 2002:c003:0203::1/128
   ipv6 mtu 1480
   no ipv6 mfib fast

Note: When using IPv4 anycast addresses, it is recommended to explicitly
configure the BGP/OSPF ID with a unicast address; otherwise, the router may
take the anycast address as the ID by default.

B3) tunnel 6to4 virtual interface

  interface Tunnel2002
   description anycast 6to4 Relay Interface
   no ip address
   no ip redirects
   ipv6 address 2002:C058:6301::/128 anycast
   ipv6 unnumbered Loopback0
   no ipv6 mfib fast
   tunnel source Loopback0
   tunnel mode ipv6ip 6to4
   tunnel path-mtu-discovery

C Configuration for a public Relay

If you choose the anycast option (B), then you can also make the relay
public via the following steps.

C1) You need to announce the 2002::/16 prefix usually via BGP. The example
below will help you. You should add this to the normal unicast IPv6
configuration and replace the right information for your own case.

  router bgp myASN
   no bgp default ipv4-unicast
   bgp log-neighbor-changes
   neighbor remotepeer_IPv6_address remote-as remoteASN
   neighbor remotepeer_IPv6_address description Peer to remoteISP

   address-family ipv6
   neighbor remotepeer_IPv6_address activate
   neighbor remotepeer_IPv6_address route-map remoteISP_in in
   neighbor remotepeer_IPv6_address route-map remoteISP_out out
   network my_IPv6_prefix
   network 2002::/16

  ipv6 route 2002::/16 Null0

  ipv6 prefix-list 6to4_prefix seq 5 permit 2002::/16

  route-map remoteISP_out permit 10
   match ipv6 address prefix-list 6to4_prefix

Note: Of course, you need to replace some of the parameters with your
specific data, such as myASN, remotepeer_IPv6, my_IPv6_prefix, remoteASN,
remoteISP, remoteISP_in and remoteISP_out.

C2) Additionally you need to configure the announce of the 6to4 anycast
prefix,, to your neighbor ISPs.

Once you have started announcing this prefix, add yourself to the list of ISPs currently announcing a 6to4 prefix.

D Configuration for a Private Relay

Alternatively, if you only want to offer the relay to your own customers,
you need to announce the prefix only to them. Then you will
need to use example A) and use something adapted to your own network/routing

For example, if you are using OSPF as your IGP, you will add something such

  router ospf 1
   auto-cost reference-bandwidth 10000
   network area 0

E Real-life configuration for 6to4 public relay on a Cisco 7600 platform

Beyond the scenarios above, debugging all of the associated problems can be really tricky. If you're using a Cisco 7600 platform, it is worth checking the following:

1) DO NOT put as a secondary address on a Loopback interface. Otherwise CEF will not be fully enabled.

2) Additional addressing on Loopback ('normal' IPv4- and IPv6-loopbacks on Lo64 below) is not obligatory, though it will allow for proper diagnostics from the router towards 6to4 clients.

3) In an MPLS environment, check for "mls mpls tunnel-recir" in the running configuration. It is mandatory to ensure bi-directional traffic flows.

Below is a real-life configuration that delivers (appears courtesy of CCIE #10389); the IGP part is omitted for clarity. Feel free to ask questions/comment at aa916-ripe contacts.

mls mpls tunnel-recir
interface Loopback64
 ip address secondary
 ip address
 no ip redirects
 ipv6 address 2002:C0a8:029B::1/128
 ipv6 enable
 ipv6 mtu 1280
 no ipv6 redirects
 no ipv6 unreachables
interface Tunnel64
 no ip address
 no ip redirects
 ipv6 address 2002:C058:6301::/128 anycast
 ipv6 unnumbered Loopback64
 ipv6 enable
 ipv6 mtu 1280
 no ipv6 redirects
 tunnel source Loopback64
 tunnel mode ipv6ip 6to4
 tunnel path-mtu-discovery
ipv6 route 2002::/16 Tunnel64
router bgp xxxx
 address-family ipv4
  redistribute connected route-map to-bgp
 address-family ipv6
  redistribute static route-map to-bgp6
route-map to-bgp permit 10
 match ip address prefix-list xxxx:6to4-anycast
 set local-preference 200
 set community xxxx:yy xxxx:zz
route-map to-bgp6 permit 10
 match ipv6 address prefix-list xxxx:6to4
 set local-preference 200
 set community xxxx:yy xxxx:zz
ip prefix-list xxxx:6to4-anycast seq 5 permit
ipv6 prefix-list xxxx:6to4 seq 5 permit 2002::/16
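
The 6to4 address calculation from the detailed example (2002::/16 followed by the 32 bits of the border router's IPv4 address) and its inverse, which lets a relay operator attribute relayed traffic to the IPv4 address of a customer's border router, as the introduction suggests. This is an added Python example, not part of the original page or of the mailing-list post; the function names and the sample flow records are constructed for illustration.

```python
import ipaddress
from collections import Counter

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


def sixtofour_prefix(ipv4):
    """Return the /48 that a border router derives from its IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    # Bits 1-16 are 0x2002, bits 17-48 are the IPv4 address, the rest is zero.
    value = (0x2002 << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((value, 48))


def embedded_ipv4(ipv6):
    """Return the IPv4 address carried in a 6to4 address, or None."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIXTOFOUR:
        return None
    # Drop the low 80 bits, then keep the 32 bits that follow the 2002 prefix.
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def bytes_per_site(flows):
    """Sum relayed bytes per customer border router (embedded IPv4 address)."""
    totals = Counter()
    for src, nbytes in flows:
        v4 = embedded_ipv4(src)
        key = str(v4) if v4 is not None else "not-6to4"
        totals[key] += nbytes
    return dict(totals)


# Constructed sample flow records: (source IPv6 address, byte count).
SAMPLE_FLOWS = [
    ("2002:c001:203::1", 1200),      # site behind 192.1.2.3 (the page's example)
    ("2002:c001:203:10::25", 800),   # another host in the same /48
    ("2002:c633:6407::1", 500),      # site behind 198.51.100.7 (documentation range)
    ("2001:db8::99", 64),            # native IPv6 source, not a 6to4 address
]

if __name__ == "__main__":
    print(sixtofour_prefix("192.1.2.3"))
    print(embedded_ipv4("2002:C058:6301::"))
    print(bytes_per_site(SAMPLE_FLOWS))
```

All hosts in one customer /48 map back to the same border router address, so the totals are per site rather than per host.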