Adjacent Node
Networking, explained. No BS.

IPv6

Printer friendly

What It Is

IPv6 is the current version of IP with 128-bit addresses, no broadcast, built-in neighbor discovery, and address planning that should be done by prefix, not by conserving individual host addresses. The operational shift is not just "bigger IPv4." IPv6 changes how hosts learn gateways, how addresses are assigned, how local discovery works, and how filtering should be written.

Address Types

Type Range / Example What It Means Operational Note
Global unicast 2000::/3 Internet-routable unicast Use provider or RIR-assigned space
Unique local fc00::/7, commonly fd00::/8 Private-style internal addressing Useful inside orgs, not Internet-routed
Link-local fe80::/10 Local-link communication Required on IPv6 interfaces, used for next hops
Loopback ::1/128 Local host Same role as 127.0.0.1
Unspecified ::/128 No address yet Used before address assignment
Multicast ff00::/8 One-to-many delivery Replaces broadcast behavior
Documentation 2001:db8::/32 Examples and docs Use this in public examples

Modern note: IPv6 does not have broadcast. Neighbor discovery, router discovery, and many local control-plane functions use ICMPv6 and multicast.

Address Writing

Rule Example Notes
Drop leading zeros in a hextet 2001:0db8::1 becomes 2001:db8::1 Hextets are 16-bit chunks
Compress one run of zero hextets 2001:db8:0:0:0:0:0:1 becomes 2001:db8::1 Use :: only once
Prefer lowercase hex 2001:db8::a Easier to read and compare
Show prefix length 2001:db8:10:20::/64 Prefix length matters more than a mask

Watch out: 2001:db8::1/64 describes host address 2001:db8::1 inside the 2001:db8::/64 prefix. The subnet itself is 2001:db8::/64.

Common Prefix Sizes

Prefix Common Use Notes
/128 Single host address Loopbacks, host routes, exact firewall objects
/127 Point-to-point router links Common modern choice for routed links
/126 Small link segment Sometimes seen, usually less preferred than /127
/64 Standard LAN or VLAN subnet Required for SLAAC-style host addressing
/56 Small site allocation Gives 256 /64s
/48 Site or larger enterprise allocation Gives 65,536 /64s
/32 Provider or large allocation Often seen in ISP or large org planning

Modern note: In normal LAN design, use /64 per VLAN. Do not shrink user VLANs to save addresses. IPv6 address planning should preserve clean aggregation and operational clarity.

SLAAC, DHCPv6, And Router Advertisements

Mechanism What It Provides What It Does Not Provide
RA Default gateway, prefix info, flags, timers Usually not full host config by itself
SLAAC Host creates its own address from RA prefix Central lease tracking
Stateless DHCPv6 DNS and other options Address assignment
Stateful DHCPv6 Address assignment and options Default gateway
Static Explicit address and prefix Scale or automatic renumbering

Key RA flags:

Flag Meaning Common Effect
M Managed address config Host should use DHCPv6 for address assignment
O Other config Host can use DHCPv6 for options like DNS
A Autonomous address config Prefix can be used for SLAAC
L On-link Prefix is reachable on the local link

Watch out: DHCPv6 does not hand out the default gateway like IPv4 DHCP. Hosts learn the default router from Router Advertisements.

Neighbor Discovery

IPv6 Neighbor Discovery uses ICMPv6 for functions that IPv4 handled with ARP, ICMP redirects, and some router discovery behavior.

Function IPv6 Mechanism What To Check
Resolve neighbor MAC Neighbor Solicitation and Neighbor Advertisement Neighbor cache
Find routers Router Solicitation and Router Advertisement RA source and flags
Check duplicate address Duplicate Address Detection DAD state and logs
Redirect better path ICMPv6 Redirect Whether redirects are allowed
Find link MTU Packet Too Big Firewall handling of ICMPv6

Watch out: Blocking ICMPv6 broadly breaks IPv6. Filter it deliberately, but do not treat it like optional ping traffic.

Planning Pattern

Layer Example Reason
Organization 2001:db8:1000::/40 Large aggregate
Region 2001:db8:1010::/44 Summarize regionally
Site 2001:db8:1012::/48 Standard site boundary
Function 2001:db8:1012:1000::/52 Users, servers, infrastructure, guest
VLAN 2001:db8:1012:1010::/64 One routed segment
Host 2001:db8:1012:1010::25/64 Actual interface address

Design note: Leave gaps between regions, sites, and functions. IPv6 gives you enough space to make routing, firewall policy, and documentation clean.

Security Notes

Topic Modern Guidance Why It Matters
RA Guard Use on access ports where supported Limits rogue default gateways
DHCPv6 Guard Use where DHCPv6 is controlled Limits unauthorized DHCPv6 servers
First-hop security Validate platform support Some features can be bypassed on old gear
Extension headers Filter carefully at edges Some paths handle them inconsistently
Temporary addresses Expect changing client source IPs Affects logs and allowlists
ULA plus GUA Plan intentionally Avoid accidental split-brain policy
NAT66 Avoid as a default design IPv6 should not need NAT for normal reachability

Modern note: IPv6 security is not "no NAT means unsafe." The firewall policy still controls reachability. NAT was never a security boundary by itself.

Troubleshooting

Symptom Check Likely Cause
Host has address but no Internet RA default route, firewall, DNS Missing or blocked RA, wrong edge policy
Host has only link-local RA presence, DHCPv6 state, switch guards No usable prefix advertised
Neighbor stuck incomplete Neighbor cache, L2 path, multicast handling ND messages not passing
Works by IP, fails by name DNS records, resolver address, DHCPv6 or RA DNS options DNS config issue
Large transfers fail Path MTU, ICMPv6 Packet Too Big ICMPv6 filtered
Wrong source address used Address selection, temporary address settings Multiple IPv6 addresses on host
VPN or peering conflict Prefix plan, ULA generation Overlapping ULA or poor allocation

Cisco IOS/IOS-XE Examples

Basic routed interface:

ipv6 unicast-routing
!
interface GigabitEthernet1/0/1
 description Routed link to DIST-01
 no switchport
 ipv6 address 2001:db8:100:10::1/127
 no shutdown

SVI with a /64 user VLAN:

ipv6 unicast-routing
!
interface Vlan20
 description CORP-WIRED-USERS
 ipv6 address 2001:db8:100:20::1/64
 ipv6 nd ra interval 30
 no shutdown

Static default route using a link-local next hop:

ipv6 route ::/0 GigabitEthernet1/0/1 fe80::2

Notes:

  • Use /64 for normal LAN and VLAN segments.
  • Use /127 for point-to-point routed links when both sides support it.
  • Default routes often point to a link-local next hop, so include the outgoing interface.
  • RA behavior varies by interface type and platform defaults. Verify what the interface is actually advertising.

Commands

ip -6 addr show
ip -6 route show
ip -6 neigh show
ping -6 2001:db8::1
traceroute6 2001:db8::1
show ipv6 interface brief
show ipv6 route
show ipv6 neighbors
show ipv6 routers
show ipv6 nd interface

Expected clues:

  • Interface has a link-local address and expected global or ULA address.
  • Default route points to a link-local next hop.
  • Neighbor entries resolve to MAC addresses.
  • Router Advertisements match the intended prefix and flags.
  • ICMPv6 is not blocked in ways that break ND or PMTUD.

Watch Out

  • Do not use IPv4 habits to size IPv6 LANs. /64 per VLAN is normal.
  • Do not block all ICMPv6 at the firewall.
  • Do not assume DHCPv6 works the same as IPv4 DHCP.
  • Do not use 2001:db8::/32 in production. It is documentation space.
  • Do not rely on scanning as your primary asset discovery method. IPv6 space is too large.
  • Do not ignore IPv6 if it is enabled by default on endpoints. Unmanaged IPv6 is still production traffic.

References