IPv6
What It Is
IPv6 is the current version of IP with 128-bit addresses, no broadcast, built-in neighbor discovery, and address planning that should be done by prefix, not by conserving individual host addresses. The operational shift is not just "bigger IPv4." IPv6 changes how hosts learn gateways, how addresses are assigned, how local discovery works, and how filtering should be written.
Address Types
| Type | Range / Example | What It Means | Operational Note |
|---|---|---|---|
| Global unicast | 2000::/3 | Internet-routable unicast | Use provider or RIR-assigned space |
| Unique local | fc00::/7, commonly fd00::/8 | Private-style internal addressing | Useful inside orgs, not Internet-routed |
| Link-local | fe80::/10 | Local-link communication | Required on IPv6 interfaces, used for next hops |
| Loopback | ::1/128 | Local host | Same role as 127.0.0.1 |
| Unspecified | ::/128 | No address yet | Used before address assignment |
| Multicast | ff00::/8 | One-to-many delivery | Replaces broadcast behavior |
| Documentation | 2001:db8::/32 | Examples and docs | Use this in public examples |
Modern note: IPv6 does not have broadcast. Neighbor discovery, router discovery, and many local control-plane functions use ICMPv6 and multicast.
Address Writing
| Rule | Example | Notes |
|---|---|---|
| Drop leading zeros in a hextet | 2001:0db8::1 becomes 2001:db8::1 | Hextets are 16-bit chunks |
| Compress one run of zero hextets | 2001:db8:0:0:0:0:0:1 becomes 2001:db8::1 | Use :: only once |
| Prefer lowercase hex | 2001:db8::a | Easier to read and compare |
| Show prefix length | 2001:db8:10:20::/64 | Prefix length matters more than a mask |
Watch out: 2001:db8::1/64 describes host address 2001:db8::1 inside the 2001:db8::/64 prefix. The subnet itself is 2001:db8::/64.
Common Prefix Sizes
| Prefix | Common Use | Notes |
|---|---|---|
| /128 | Single host address | Loopbacks, host routes, exact firewall objects |
| /127 | Point-to-point router links | Common modern choice for routed links |
| /126 | Small link segment | Sometimes seen, usually less preferred than /127 |
| /64 | Standard LAN or VLAN subnet | Required for SLAAC-style host addressing |
| /56 | Small site allocation | Gives 256 /64s |
| /48 | Site or larger enterprise allocation | Gives 65,536 /64s |
| /32 | Provider or large allocation | Often seen in ISP or large org planning |
Modern note: In normal LAN design, use /64 per VLAN. Do not shrink user VLANs to save addresses. IPv6 address planning should preserve clean aggregation and operational clarity.
SLAAC, DHCPv6, And Router Advertisements
| Mechanism | What It Provides | What It Does Not Provide |
|---|---|---|
| RA | Default gateway, prefix info, flags, timers | Usually not full host config by itself |
| SLAAC | Host creates its own address from RA prefix | Central lease tracking |
| Stateless DHCPv6 | DNS and other options | Address assignment |
| Stateful DHCPv6 | Address assignment and options | Default gateway |
| Static | Explicit address and prefix | Scale or automatic renumbering |
Key RA flags:
| Flag | Meaning | Common Effect |
|---|---|---|
| M | Managed address config | Host should use DHCPv6 for address assignment |
| O | Other config | Host can use DHCPv6 for options like DNS |
| A | Autonomous address config | Prefix can be used for SLAAC |
| L | On-link | Prefix is reachable on the local link |
Watch out: DHCPv6 does not hand out the default gateway like IPv4 DHCP. Hosts learn the default router from Router Advertisements.
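A check for the flags above, as an added example that is not part of the original page: it decodes the M and O flags and each Prefix Information option's L and A flags from a Router Advertisement body and lists every departure from the intended design. The router address, the policy sets, and the sample_ra fixture are constructed for illustration, and the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct

def parse_ra(icmp6: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement (type 134), RFC 4861 layout."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]  # byte after Cur Hop Limit: M is 0x80, O is 0x40
    ra = {"M": bool(flags & 0x80), "O": bool(flags & 0x40), "prefixes": []}
    off = 16  # options follow the fixed 16-byte header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            plen, pflags = icmp6[off + 2], icmp6[off + 3]
            net = ipaddress.IPv6Network((icmp6[off + 16:off + 32], plen), strict=False)
            ra["prefixes"].append(
                {"prefix": net, "L": bool(pflags & 0x80), "A": bool(pflags & 0x40)})
        off += opt_len
    return ra

def audit_ra(src, icmp6, routers, prefixes, want_m=False, want_o=True):
    """List every way an observed RA departs from the intended design."""
    findings = []
    if ipaddress.IPv6Address(src) not in routers:
        findings.append(f"RA from unexpected router {src}")
    ra = parse_ra(icmp6)
    if (ra["M"], ra["O"]) != (want_m, want_o):
        findings.append(f"flags M={int(ra['M'])} O={int(ra['O'])} differ from plan")
    for p in ra["prefixes"]:
        if p["prefix"] not in prefixes:
            findings.append(f"unplanned prefix {p['prefix']}")
        if p["A"] and p["prefix"].prefixlen != 64:
            findings.append(f"A flag on non-/64 prefix {p['prefix']}")
    return findings

def sample_ra(prefix, m=0, o=1, a=1, l=1):
    """Constructed RA bytes for the demo; checksum is left at 0 and not checked."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, (m << 7) | (o << 6), 1800, 0, 0)
    opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen, (l << 7) | (a << 6),
                      2592000, 604800, 0)
    return hdr + opt + net.network_address.packed

ROUTERS = {ipaddress.IPv6Address("fe80::1")}  # constructed policy: the one real router
PREFIXES = {ipaddress.IPv6Network("2001:db8:100:20::/64")}  # the one planned prefix
GOOD = audit_ra("fe80::1", sample_ra("2001:db8:100:20::/64"), ROUTERS, PREFIXES)
ROGUE = audit_ra("fe80::bad", sample_ra("2001:db8:dead::/64", m=1), ROUTERS, PREFIXES)
```

GOOD is empty. ROGUE carries three findings: unexpected router, M flag set against the plan, and an unplanned prefix.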
Neighbor Discovery
IPv6 Neighbor Discovery uses ICMPv6 for functions that IPv4 handled with ARP, ICMP redirects, and some router discovery behavior.
| Function | IPv6 Mechanism | What To Check |
|---|---|---|
| Resolve neighbor MAC | Neighbor Solicitation and Neighbor Advertisement | Neighbor cache |
| Find routers | Router Solicitation and Router Advertisement | RA source and flags |
| Check duplicate address | Duplicate Address Detection | DAD state and logs |
| Redirect better path | ICMPv6 Redirect | Whether redirects are allowed |
| Find link MTU | Packet Too Big | Firewall handling of ICMPv6 |
Watch out: Blocking ICMPv6 broadly breaks IPv6. Filter it deliberately, but do not treat it like optional ping traffic.
Planning Pattern
| Layer | Example | Reason |
|---|---|---|
| Organization | 2001:db8:1000::/40 | Large aggregate |
| Region | 2001:db8:1010::/44 | Summarize regionally |
| Site | 2001:db8:1012::/48 | Standard site boundary |
| Function | 2001:db8:1012:1000::/52 | Users, servers, infrastructure, guest |
| VLAN | 2001:db8:1012:1010::/64 | One routed segment |
| Host | 2001:db8:1012:1010::25/64 | Actual interface address |
Design note: Leave gaps between regions, sites, and functions. IPv6 gives you enough space to make routing, firewall policy, and documentation clean.
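The hierarchy above can be checked mechanically before it reaches routers and firewall objects. The following is an added example, not part of the original page: validate_plan confirms each layer nests inside its parent and that LAN layers are /64, and carve allocates child prefixes while skipping blocks to leave gaps. The function names, the stride of 2, and the BROKEN sample are assumptions made for illustration.

```python
import ipaddress

# The Planning Pattern table above, top-down; the last row is an interface address.
PLAN = [
    ("Organization", "2001:db8:1000::/40"),
    ("Region", "2001:db8:1010::/44"),
    ("Site", "2001:db8:1012::/48"),
    ("Function", "2001:db8:1012:1000::/52"),
    ("VLAN", "2001:db8:1012:1010::/64"),
    ("Host", "2001:db8:1012:1010::25/64"),
]

def validate_plan(plan):
    """Return problems: host bits in a prefix, a layer outside its parent, LAN not /64."""
    problems, parent = [], None
    for name, text in plan:
        iface = ipaddress.IPv6Interface(text)
        net = iface.network
        if name != "Host" and iface.ip != net.network_address:
            problems.append(f"{name} {text} has host bits set; the subnet is {net}")
        if parent and not net.subnet_of(parent[1]):
            problems.append(f"{name} {net} is outside {parent[0]} {parent[1]}")
        if name in ("VLAN", "Host") and net.prefixlen != 64:
            problems.append(f"{name} {text} is not in a /64")
        parent = (name, net)
    return problems

def carve(parent, new_prefixlen, count, stride=2):
    """Allocate `count` children of `parent`, using every `stride`-th block so gaps remain."""
    parent = ipaddress.IPv6Network(parent)
    blocks = 1 << (new_prefixlen - parent.prefixlen)
    if count * stride > blocks:
        raise ValueError("parent too small for that many children with gaps")
    size = 1 << (128 - new_prefixlen)
    base = int(parent.network_address)
    return [ipaddress.IPv6Network((base + i * stride * size, new_prefixlen))
            for i in range(count)]

# Constructed broken plan: the VLAN was typed with the wrong site hextet.
BROKEN = PLAN[:4] + [("VLAN", "2001:db8:1013:1010::/64")]
```

A layer that fails the nesting check cannot be covered by a summary route or a single firewall object for its parent.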
Security Notes
| Topic | Modern Guidance | Why It Matters |
|---|---|---|
| RA Guard | Use on access ports where supported | Limits rogue default gateways |
| DHCPv6 Guard | Use where DHCPv6 is controlled | Limits unauthorized DHCPv6 servers |
| First-hop security | Validate platform support | Some features can be bypassed on old gear |
| Extension headers | Filter carefully at edges | Some paths handle them inconsistently |
| Temporary addresses | Expect changing client source IPs | Affects logs and allowlists |
| ULA plus GUA | Plan intentionally | Avoid accidental split-brain policy |
| NAT66 | Avoid as a default design | IPv6 should not need NAT for normal reachability |
Modern note: IPv6 security is not "no NAT means unsafe." The firewall policy still controls reachability. NAT was never a security boundary by itself.
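The Address Writing rules and the temporary-address row above both affect log analysis and allowlists: one host can appear in several textual forms, and one client can rotate through many addresses inside its /64. The following added example, not part of the original page, canonicalizes logged sources and matches by prefix instead of by string. The sample addresses are constructed, and treating the /64 as the unit of correlation is an assumption of this sketch.

```python
import ipaddress
from collections import defaultdict

def canonical(text: str):
    """Return one comparable address object for any textual form found in a log."""
    addr = ipaddress.ip_address(text.split("%", 1)[0])  # drop a zone id such as %eth0
    if addr.version == 6 and addr.ipv4_mapped:
        return addr.ipv4_mapped  # ::ffff:192.0.2.10 is really an IPv4 client
    return addr

def group_by_prefix(sources, prefixlen=64):
    """Map each IPv6 /prefixlen to the distinct canonical hosts seen inside it."""
    groups = defaultdict(set)
    for text in sources:
        addr = canonical(text)
        if addr.version == 6 and not addr.is_link_local:
            net = ipaddress.IPv6Network((addr, prefixlen), strict=False)
            groups[str(net)].add(str(addr))
    return {net: sorted(hosts) for net, hosts in groups.items()}

def allowed(text, allow_prefixes):
    """Allowlist check by prefix membership, not by string equality."""
    addr = canonical(text)
    return any(addr.version == net.version and addr in net for net in allow_prefixes)

# Constructed log sources: two spellings of one host, a temporary address in the
# same /64, a host in a neighbouring /64, a link-local, and an IPv4-mapped address.
SOURCES = [
    "2001:0DB8:0100:0020:0000:0000:0000:0025",
    "2001:db8:100:20::25",
    "2001:db8:100:20:a1b2:c3d4:e5f6:1789",
    "2001:db8:100:21::9",
    "fe80::1%eth0",
    "::ffff:192.0.2.10",
]
ALLOW = [ipaddress.ip_network("2001:db8:100:20::/64")]
```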
Troubleshooting
| Symptom | Check | Likely Cause |
|---|---|---|
| Host has address but no Internet | RA default route, firewall, DNS | Missing or blocked RA, wrong edge policy |
| Host has only link-local | RA presence, DHCPv6 state, switch guards | No usable prefix advertised |
| Neighbor stuck incomplete | Neighbor cache, L2 path, multicast handling | ND messages not passing |
| Works by IP, fails by name | DNS records, resolver address, DHCPv6 or RA DNS options | DNS config issue |
| Large transfers fail | Path MTU, ICMPv6 Packet Too Big | ICMPv6 filtered |
| Wrong source address used | Address selection, temporary address settings | Multiple IPv6 addresses on host |
| VPN or peering conflict | Prefix plan, ULA generation | Overlapping ULA or poor allocation |
Cisco IOS/IOS-XE Examples
Basic routed interface:
ipv6 unicast-routing
!
interface GigabitEthernet1/0/1
description Routed link to DIST-01
no switchport
ipv6 address 2001:db8:100:10::1/127
no shutdown
SVI with a /64 user VLAN:
ipv6 unicast-routing
!
interface Vlan20
description CORP-WIRED-USERS
ipv6 address 2001:db8:100:20::1/64
ipv6 nd ra interval 30
no shutdown
Static default route using a link-local next hop:
ipv6 route ::/0 GigabitEthernet1/0/1 fe80::2
Notes:
- Use /64 for normal LAN and VLAN segments.
- Use /127 for point-to-point routed links when both sides support it.
- Default routes often point to a link-local next hop, so include the outgoing interface.
- RA behavior varies by interface type and platform defaults. Verify what the interface is actually advertising.
Commands
ip -6 addr show
ip -6 route show
ip -6 neigh show
ping -6 2001:db8::1
traceroute6 2001:db8::1
show ipv6 interface brief
show ipv6 route
show ipv6 neighbors
show ipv6 routers
show ipv6 nd interface
Expected clues:
- Interface has a link-local address and expected global or ULA address.
- Default route points to a link-local next hop.
- Neighbor entries resolve to MAC addresses.
- Router Advertisements match the intended prefix and flags.
- ICMPv6 is not blocked in ways that break ND or PMTUD.
Watch Out
- Do not use IPv4 habits to size IPv6 LANs. /64 per VLAN is normal.
- Do not block all ICMPv6 at the firewall.
- Do not assume DHCPv6 works the same as IPv4 DHCP.
- Do not use 2001:db8::/32 in production. It is documentation space.
- Do not rely on scanning as your primary asset discovery method. IPv6 space is too large.
- Do not ignore IPv6 if it is enabled by default on endpoints. Unmanaged IPv6 is still production traffic.
References
- RFC 8200: Internet Protocol, Version 6 Specification
- RFC 4291: IP Version 6 Addressing Architecture
- RFC 4861: Neighbor Discovery for IPv6
- RFC 4862: IPv6 Stateless Address Autoconfiguration
- RFC 8415: DHCPv6
- RFC 4193: Unique Local IPv6 Unicast Addresses
- RFC 8981: Temporary Address Extensions for SLAAC
- Cisco IOS XE IPv6 Configuration Guide: Implementing IPv6 Addressing and Basic Connectivity