
IPv6 Enterprise Deployment: Dual-Stack, DHCPv6, SLAAC, and Migration Strategies

March 13, 2026 · 20 min read

Overview

IPv4 address exhaustion is not a future concern — IANA allocated its last /8 blocks to the RIRs in 2011. ARIN, the North American registry, exhausted its free pool in 2015. Today, organisations obtaining new IPv4 space pay market rates that can exceed $50 per address. Meanwhile, every major cloud provider — AWS, Azure, GCP — now charges for public IPv4 addresses and offers native IPv6 as a first-class citizen across their platforms.

Regulatory pressure is growing too. The US federal government mandated IPv6 on all agency external services by 2025. The EU's NIS2 directive and related frameworks increasingly treat IPv6 readiness as an infrastructure maturity indicator. Google's own telemetry shows IPv6 traffic exceeding 40% of its total traffic as of early 2026 — up from 25% just four years ago. Major CDNs including Cloudflare and Fastly report similar figures.

The most common barrier to enterprise IPv6 deployment is not technical — it is organisational inertia and the myth that IPv6 is complex. For engineers already comfortable with IPv4 routing, subnetting, and ACLs, the concepts translate directly. The safe migration path is dual-stack: run IPv4 and IPv6 simultaneously, letting IPv6 traffic flow natively while IPv4 continues uninterrupted. There is no forced cutover, no downtime window, and no hosts left behind.


IPv6 Address Architecture

Address Types

| Type | Prefix | Scope | Use Case |
|---|---|---|---|
| Global Unicast | 2000::/3 | Global (internet-routable) | All public-facing hosts and infrastructure |
| Link-Local | FE80::/10 | Single link only | Neighbour Discovery, routing protocol adjacencies, FHRP |
| Unique Local | FC00::/7 (FD00::/8 in practice) | Organisation-wide | Internal-only addressing, equivalent to RFC 1918 |
| Multicast | FF00::/8 | Link or global | Routing protocols, NDP, DHCPv6 relay, video |
| Loopback | ::1/128 | Host | Local loopback only — equivalent to 127.0.0.1 |
| Unspecified | ::/128 | N/A | Source address during DAD; never routed |

Prefix Sizing Rules

Unlike IPv4 where subnet sizes vary widely, IPv6 has strong conventions:

  • /48 — allocated to a single site (campus, data centre, branch). Contains 65,536 possible /64 subnets
  • /64 — always used for LAN subnets. Required for SLAAC and EUI-64 to function. Never subnet a /64 further in production
  • /127 — used for point-to-point links (RFC 6164). Replaces the old practice of /64 on P2P links, which was vulnerable to Neighbour Cache exhaustion attacks
  • /128 — used for loopback interfaces and host-specific routes

EUI-64 vs Privacy Addresses

EUI-64 generates the Interface Identifier (last 64 bits) from the host's MAC address by inserting FF:FE in the middle and flipping the 7th bit. Example: MAC 00:11:22:AA:BB:CC → IID 0211:22FF:FEAA:BBCC.

EUI-64 is predictable and useful on infrastructure devices (routers, switches) where stable addressing is desirable. It is not suitable for end-user hosts — it reveals the hardware MAC address and allows cross-network tracking.

Privacy Extensions (RFC 4941) generate random, temporary IIDs on end-user operating systems. Enabled by default on Windows, macOS, and most Linux distributions. Infrastructure devices should use EUI-64 or manually configured addresses.
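
The EUI-64 derivation above and the tracking concern it raises, as an added Python example (not part of the original article): it rebuilds the article's IID from the sample MAC, forms the SLAAC address in the VLAN 10 prefix, and flags addresses whose IID still embeds a hardware MAC. The function names and the neighbour list are assumptions made for illustration.

```python
import ipaddress

def eui64_iid(mac):
    """Modified EUI-64 interface identifier (as a 64-bit int) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the 7th bit (universal/local) of the first octet, insert FF:FE in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")

def slaac_address(prefix, mac):
    """Address a host would form from an advertised /64 and its EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return net[eui64_iid(mac)]

def embedded_mac(addr):
    """Return the MAC recoverable from an EUI-64 address, or None for other IIDs."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":   # no FF:FE marker, so not an EUI-64 IID
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{o:02x}" for o in mac)

# Constructed neighbour list: one EUI-64 host, one privacy (RFC 4941) host, one router.
NEIGHBOURS = [
    "2001:db8:a100:10:211:22ff:feaa:bbcc",
    "2001:db8:a100:10:5c3a:91d2:77e0:4b1f",
    "2001:db8:a100:10::1",
]

def mac_leaks(addresses):
    """Map every address that exposes a hardware MAC to that MAC."""
    return {a: m for a in addresses if (m := embedded_mac(a))}

if __name__ == "__main__":
    print(f"{eui64_iid('00:11:22:AA:BB:CC'):016x}")
    print(slaac_address("2001:db8:a100:0010::/64", "00:11:22:AA:BB:CC"))
    print(mac_leaks(NEIGHBOURS))
```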

Enterprise Address Planning

| Layer | Prefix Length | Example | Notes |
|---|---|---|---|
| ISP Allocation | /32 | 2001:db8::/32 | Received from RIR via ISP |
| Enterprise Site | /48 | 2001:db8:a100::/48 | One /48 per physical site |
| VLAN / Segment | /64 | 2001:db8:a100:0010::/64 | One /64 per VLAN; VLAN ID in 4th hextet |
| P2P Links | /127 | 2001:db8:a100:ff01::/127 | Use high-numbered subnets for infrastructure |
| Loopbacks | /128 | 2001:db8:a100:ffff::1/128 | One /128 per router loopback |

Diagram 1 — Enterprise IPv6 Prefix Hierarchy

[Diagram: ISP / RIR allocates 2001:db8::/32 → Enterprise Core Router receives a /48 per site via prefix delegation or static configuration → HQ Site 2001:db8:a100::/48 and Branch Site 2001:db8:a200::/48 → a /64 each for VLAN 10 and VLAN 20 at every site → hosts get /128 addresses.]

Dual-Stack Architecture

Dual-stack is the simplest and most interoperable IPv6 migration strategy. Every interface, every link, and every routing process carries both address families simultaneously. There are no tunnels, no translation, and no protocol dependencies between the two stacks — they run in parallel, completely independently.

Design Principles

  • Same physical infrastructure — no separate hardware for IPv6. Add IPv6 addresses to existing interfaces alongside IPv4.
  • Separate routing instances — OSPFv2 handles IPv4, OSPFv3 handles IPv6 (or a single OSPFv3 instance with address-family configuration on IOS-XE).
  • BGP dual-stack — one BGP session can carry both IPv4 and IPv6 NLRI using separate address-families. No need for separate BGP peers for IPv6.
  • DNS is critical — hosts will prefer IPv6 (Happy Eyeballs, RFC 8305) if both A and AAAA records exist. Ensure DNS infrastructure is reachable over IPv6 from day one.
  • Firewall policy parity — every IPv4 ACL or firewall rule must have an IPv6 equivalent. Forgetting to write IPv6 ACLs leaves the IPv6 path completely open.

Interface Configuration

! Enable IPv6 routing globally - required before any IPv6 config
R1(config)# ipv6 unicast-routing
R1(config)# interface GigabitEthernet0/0
R1(config-if)# description Uplink to Core - Dual-Stack
R1(config-if)# ip address 10.0.1.1 255.255.255.252
R1(config-if)# ipv6 address 2001:db8:a100:ff01::1/127
R1(config-if)# ipv6 address FE80::1 link-local
! Link-local can be manually set for readability
R1(config)# interface GigabitEthernet0/1
R1(config-if)# description LAN VLAN 10 - Dual-Stack
R1(config-if)# ip address 10.10.10.1 255.255.255.0
R1(config-if)# ipv6 address 2001:db8:a100:0010::1/64
R1(config-if)# ipv6 nd prefix 2001:db8:a100:0010::/64
! Loopback - /128 for IPv6
R1(config)# interface Loopback0
R1(config-if)# ip address 10.255.255.1 255.255.255.255
R1(config-if)# ipv6 address 2001:db8:a100:ffff::1/128

Diagram 2 — Dual-Stack Network Topology

[Diagram: a dual-stack Core Router (OSPFv2 + OSPFv3, BGP dual-stack) connects to Distribution SW-1 (VLAN 10, 20, 30) and Distribution SW-2 (VLAN 40, 50, 60); each uplink carries an IPv4 /30 and an IPv6 /127. Server-A to Server-D are dual-stack hosts with one IPv4 and one IPv6 address each. The links carry both IPv4 and IPv6 natively — no tunnels required.]

DHCPv6 Stateful vs Stateless vs SLAAC

IPv6 offers three distinct mechanisms for address assignment — more options than IPv4, but each serves a specific purpose. The choice is controlled by two flags in the Router Advertisement: the M flag (Managed Address Configuration) and the O flag (Other Configuration).

SLAAC — Stateless Address Autoconfiguration

The router sends a Router Advertisement (RA) containing the /64 prefix. The host generates its own 64-bit Interface Identifier (using EUI-64 or a privacy random value) and combines it with the prefix. No server required — no state maintained anywhere.

  • M=0, O=0 → Pure SLAAC
  • Host self-generates the full /128 address
  • Default gateway learned from RA source (link-local of the router)
  • DNS must be provided by RDNSS option in the RA (RFC 8106) — or by DHCPv6

DHCPv6 Stateless

The router RA provides the prefix for SLAAC address generation but sets O=1 to signal that other configuration (DNS, NTP, domain name) should be obtained from a DHCPv6 server. No address assignment happens via DHCPv6 — the server only provides options.

  • M=0, O=1 → SLAAC for address + DHCPv6 for options only
  • DHCPv6 server does not track address bindings
  • Scales well — server has no per-client state

DHCPv6 Stateful

The router RA sets M=1. Hosts contact the DHCPv6 server for a full address assignment. The server maintains a binding table (like DHCPv4 leases). Full control over address assignment, logging, and lease duration.

  • M=1 → DHCPv6 provides address + options
  • Server tracks every client binding
  • Required when you need to know which host has which IPv6 address (compliance, security logging)

RDNSS in RA (RFC 8106)

RFC 8106 allows DNS server addresses and domain search lists to be embedded directly in Router Advertisements. This means pure SLAAC deployments can provide DNS without DHCPv6 at all:

R1(config)# interface GigabitEthernet0/1
R1(config-if)# ipv6 nd ra dns server 2001:db8:a100::53 lifetime 3600
R1(config-if)# ipv6 nd ra dns search-list corp.example.com lifetime 3600
! Hosts supporting RFC 8106 will use this DNS - no DHCPv6 needed
! Windows 10/11, macOS 10.7+, Android 8+, Linux kernel 3.17+ all support it
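
How a host reads the M and O flags, the prefix option and RDNSS out of a Router Advertisement, as an added Python example (not from the original article). The RA bytes are constructed inline by the hypothetical helper build_ra; parse_ra and findings are likewise illustrative names, and the second finding relies on the RFC 4862 rule that the prefix A flag, not the M flag, controls SLAAC.

```python
import ipaddress
import struct

def build_ra(m, o, prefix, autonomous=True, rdnss=()):
    """Constructed sample input: ICMPv6 Router Advertisement bytes (checksum left 0)."""
    flags = (0x80 if m else 0) | (0x40 if o else 0)
    # type 134, code 0, checksum, hop limit, M/O flags, router lifetime, two timers
    msg = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pflags = 0x80 | (0x40 if autonomous else 0)  # L (on-link), A (autonomous)
    # Prefix Information option: type 3, length 4 (x 8 bytes), lifetimes 86400/3600
    msg += struct.pack("!BBBBIII", 3, 4, net.prefixlen, pflags, 86400, 3600, 0)
    msg += net.network_address.packed
    if rdnss:  # RDNSS option (RFC 8106): type 25, lifetime 3600
        msg += struct.pack("!BBHI", 25, 1 + 2 * len(rdnss), 0, 3600)
        msg += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    return msg

def parse_ra(msg):
    """Extract the M/O flags, SLAAC-eligible prefixes and RDNSS servers from an RA."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not a Router Advertisement")
    info = {"M": bool(msg[5] & 0x80), "O": bool(msg[5] & 0x40),
            "slaac_prefixes": [], "rdnss": []}
    pos = 16
    while pos + 2 <= len(msg):
        opt_type, opt_len = msg[pos], msg[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(msg):
            raise ValueError("malformed option length")
        body = msg[pos:pos + opt_len]
        if opt_type == 3 and opt_len == 32 and body[3] & 0x40:  # A flag set
            prefix = ipaddress.IPv6Address(body[16:32])
            info["slaac_prefixes"].append(f"{prefix}/{body[2]}")
        elif opt_type == 25 and opt_len >= 24:
            for i in range(8, opt_len, 16):
                info["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        pos += opt_len
    if info["M"]:
        info["mode"] = "DHCPv6 stateful"
    elif info["O"]:
        info["mode"] = "SLAAC + DHCPv6 stateless"
    else:
        info["mode"] = "SLAAC"
    return info

def findings(info):
    """Deployment checks that follow from the flag combinations."""
    out = []
    if info["mode"] == "SLAAC" and not info["rdnss"]:
        out.append("pure SLAAC without RDNSS: hosts learn no DNS server")
    if info["M"] and info["slaac_prefixes"]:
        out.append("M=1 with prefix A flag set: hosts may also form SLAAC "
                   "addresses that never appear in the DHCPv6 binding table")
    return out

if __name__ == "__main__":
    ra = build_ra(m=False, o=False, prefix="2001:db8:a100:10::/64",
                  rdnss=["2001:db8:a100::53"])
    print(parse_ra(ra), findings(parse_ra(ra)))
```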

Diagram 3 — DHCPv6 and SLAAC Flow

[Diagram: the router / L3 switch sends a Router Advertisement (prefix + M flag + O flag + RDNSS) from link-local FE80::1; the host configures its address per the M/O flags. The three modes run from pure SLAAC (less server state) through SLAAC + DHCPv6 options to full DHCPv6 (more control). DHCPv6 stateful exchange: Solicit (FF02::1:2) → Advertise → Request → Reply.]

DHCPv6 Stateful Server Configuration

! Cisco IOS DHCPv6 stateful pool
R1(config)# ipv6 dhcp pool VLAN10-POOL
R1(config-dhcpv6)# address prefix 2001:db8:a100:0010::/64 lifetime 86400 3600
R1(config-dhcpv6)# dns-server 2001:db8:a100::53
R1(config-dhcpv6)# domain-name corp.example.com
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ipv6 dhcp server VLAN10-POOL
! Set M=1 in RA to tell hosts to use DHCPv6 for address
R1(config-if)# ipv6 nd managed-config-flag
! Set O=1 as well (implied by M=1 but explicit is clearer)
R1(config-if)# ipv6 nd other-config-flag

RA Guard

Router Advertisement Guard prevents rogue RA attacks — a significant IPv6 threat where a host or compromised device sends forged RAs, claiming to be a router and redirecting traffic through itself. Without RA Guard, any host can send an RA and become the default gateway for every device on the segment.

RA Guard is configured on the switch, not the router. Access ports that connect to end hosts are configured to drop all RA messages. Only uplink ports facing legitimate routers are allowed to forward RAs.

! Define RA Guard policy for host-facing access ports
SW1(config)# ipv6 nd raguard policy HOST-PORTS
SW1(config-nd-raguard)# device-role host
! Define policy for router-facing uplink ports
SW1(config)# ipv6 nd raguard policy ROUTER-PORTS
SW1(config-nd-raguard)# device-role router
! Apply to access interfaces (all host-facing ports)
SW1(config)# interface range GigabitEthernet1/0/1 - 48
SW1(config-if-range)# ipv6 nd raguard attach-policy HOST-PORTS
! Apply to uplink
SW1(config)# interface GigabitEthernet1/0/49
SW1(config-if)# ipv6 nd raguard attach-policy ROUTER-PORTS
! Verify
SW1# show ipv6 nd raguard policy HOST-PORTS

Also consider: DHCPv6 Guard (prevents rogue DHCPv6 servers), IPv6 Source Guard (prevents source address spoofing), and IPv6 Binding Integrity Guard — together these form the IPv6 First-Hop Security suite on Catalyst switches.


IPv6 ACLs

IPv6 ACLs on Cisco IOS use named ACLs only — there are no numbered IPv6 ACLs. The syntax is similar to IPv4 extended named ACLs but with critical differences around ICMPv6.

ICMPv6 Must Be Explicitly Permitted

IPv6 Neighbour Discovery Protocol (NDP) — the equivalent of ARP — uses ICMPv6 messages. If you write a deny-all IPv6 ACL without explicitly permitting ICMPv6 ND messages, hosts will lose the ability to resolve MAC addresses and the network will stop functioning entirely.

The two critical ND message types to permit:

  • nd-ns (Neighbour Solicitation, ICMPv6 type 135) — equivalent of ARP request
  • nd-na (Neighbour Advertisement, ICMPv6 type 136) — equivalent of ARP reply

R1(config)# ipv6 access-list INBOUND-V6
! Permit established return traffic
R1(config-ipv6-acl)# permit tcp any any established
! Permit DNS responses (replies arrive with source port 53)
R1(config-ipv6-acl)# permit udp any eq 53 any
! Permit ICMPv6 - critical for NDP and path MTU discovery
R1(config-ipv6-acl)# permit icmp any any nd-ns
R1(config-ipv6-acl)# permit icmp any any nd-na
R1(config-ipv6-acl)# permit icmp any any echo-reply
R1(config-ipv6-acl)# permit icmp any any packet-too-big
R1(config-ipv6-acl)# permit icmp any any time-exceeded
R1(config-ipv6-acl)# permit icmp any any parameter-problem
! Permit router advertisements from link-local only
R1(config-ipv6-acl)# permit icmp FE80::/10 any router-advertisement
! Explicit deny with log
R1(config-ipv6-acl)# deny ipv6 any any log
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ipv6 traffic-filter INBOUND-V6 in

Key difference from IPv4: In IPv4, ARP operates at Layer 2 and passes through ACLs unchecked. In IPv6, NDP uses ICMPv6 at Layer 3 — so your ACL will block ND if you forget to permit it. The implicit deny at the end of every IPv6 ACL will silently kill neighbour resolution.
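
A defensive check for the firewall policy parity principle from the dual-stack design list and for the ICMPv6 rule above, as an added Python example (not the article's or Cisco's tooling). It scans a running-config for dual-stack interfaces that have an IPv4 ACL but no ipv6 traffic-filter, and for IPv6 ACLs whose explicit deny is not preceded by nd-ns and nd-na permits. The configuration text and the ACL names INBOUND-V4 and LAN-V4 are constructed, and only `any any` ICMPv6 entries are recognised.

```python
import re

# Constructed running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.0.1.1 255.255.255.252
 ip access-group INBOUND-V4 in
 ipv6 address 2001:db8:a100:ff01::1/127
 ipv6 traffic-filter INBOUND-V6 in
!
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip access-group LAN-V4 in
 ipv6 address 2001:db8:a100:10::1/64
!
ipv6 access-list INBOUND-V6
 permit tcp any any established
 permit icmp any any nd-na
 deny ipv6 any any log
"""

REQUIRED_ND = ("nd-ns", "nd-na")
SEQ = r"(?:sequence \d+ )?"   # newer releases prefix ACL entries with a sequence number

def parse_sections(config):
    """Group a running-config into {top-level line: [indented child lines]}."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":
            current = sections.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return sections

def audit_config(config):
    """Return (object, problem) pairs for parity gaps and ND-breaking ACLs."""
    findings = []
    for header, body in parse_sections(config).items():
        if header.startswith("interface "):
            has_v6 = any(l.startswith("ipv6 address ") for l in body)
            v4_acl = any(l.startswith("ip access-group ") for l in body)
            v6_acl = any(l.startswith("ipv6 traffic-filter ") for l in body)
            if has_v6 and v4_acl and not v6_acl:
                findings.append((header.split(None, 1)[1],
                                 "IPv4 ACL applied but no ipv6 traffic-filter"))
        elif header.startswith("ipv6 access-list "):
            permitted = set()
            for entry in body:
                m = re.match(SEQ + r"permit icmp any any(?: (\S+))?", entry)
                if m:  # a bare "permit icmp any any" covers every ICMPv6 type
                    kind = m.group(1)
                    permitted.update(REQUIRED_ND if kind in (None, "log") else [kind])
                elif re.match(SEQ + r"deny ipv6 any any", entry):
                    findings += [(header.split()[2],
                                  f"explicit deny without prior permit of {nd}")
                                 for nd in REQUIRED_ND if nd not in permitted]
                    break
    return findings

if __name__ == "__main__":
    for obj, problem in audit_config(SAMPLE_CONFIG):
        print(f"{obj}: {problem}")
```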


OSPFv3 for IPv6

OSPFv3 is the IPv6-capable version of OSPF, defined in RFC 5340. On Cisco IOS-XE, the preferred implementation is OSPFv3 with address-families, which allows a single OSPFv3 process to carry both IPv4 and IPv6 routes — eliminating the need to run OSPFv2 and OSPFv3 as separate processes.

Key Differences from OSPFv2

  • OSPFv3 runs per-link (not per-network). The network statement under router ospfv3 is not used — instead, ospfv3 is configured directly on each interface.
  • All OSPFv3 neighbour adjacencies use link-local addresses as the source and next-hop. You must ensure link-locals are configured (they are automatic when ipv6 address is added to an interface).
  • Router ID must be manually set — OSPFv3 requires a 32-bit Router ID in IPv4 dotted-decimal format.

OSPFv3 Dual-Stack Configuration

! OSPFv3 with address-families - single process for both IPv4 and IPv6
R1(config)# router ospfv3 1
R1(config-router)# router-id 10.255.255.1
R1(config-router)# address-family ipv4 unicast
R1(config-router-af)# passive-interface default
R1(config-router-af)# no passive-interface GigabitEthernet0/0
R1(config-router)# address-family ipv6 unicast
R1(config-router-af)# passive-interface default
R1(config-router-af)# no passive-interface GigabitEthernet0/0
! Enable OSPFv3 on interfaces - applies to both address-families
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ospfv3 1 ipv4 area 0
R1(config-if)# ospfv3 1 ipv6 area 0
R1(config)# interface Loopback0
R1(config-if)# ospfv3 1 ipv4 area 0
R1(config-if)# ospfv3 1 ipv6 area 0
! Verification
R1# show ospfv3 neighbor
R1# show ospfv3 database
R1# show ipv6 route ospf

BGP IPv6

BGP dual-stack uses a single BGP session between peers but separates IPv4 and IPv6 routing information into distinct address-families. RFC 4760 defines Multiprotocol BGP (MP-BGP) which enables this.

R1(config)# router bgp 65001
R1(config-router)# bgp router-id 10.255.255.1
R1(config-router)# bgp log-neighbor-changes
! IPv4 peer (existing config, unchanged)
R1(config-router)# neighbor 10.0.0.2 remote-as 65002
R1(config-router)# neighbor 10.0.0.2 description Core-R2 IPv4
! IPv6 peer - uses IPv6 address of the peer
R1(config-router)# neighbor 2001:db8:a100:ff00::2 remote-as 65002
R1(config-router)# neighbor 2001:db8:a100:ff00::2 description Core-R2 IPv6
! IPv4 address-family
R1(config-router)# address-family ipv4 unicast
R1(config-router-af)# neighbor 10.0.0.2 activate
R1(config-router-af)# network 10.10.0.0 mask 255.255.0.0
! IPv6 address-family
R1(config-router)# address-family ipv6 unicast
R1(config-router-af)# neighbor 2001:db8:a100:ff00::2 activate
R1(config-router-af)# neighbor 2001:db8:a100:ff00::2 next-hop-self
R1(config-router-af)# network 2001:db8:a100::/48
R1(config-router-af)# redistribute connected
! Verification
R1# show bgp ipv6 unicast summary
R1# show bgp ipv6 unicast neighbors 2001:db8:a100:ff00::2 received-routes

Phased Migration Plan

| Phase | Scope | Key Tasks | Risk | Rollback |
|---|---|---|---|---|
| Phase 1 — Infrastructure IPv6 | Core and distribution routers, WAN links | Enable ipv6 unicast-routing; add /127 on P2P links; configure loopbacks /128; enable OSPFv3 AF; verify routing table | Low — IPv4 untouched; IPv6 runs in parallel | Remove ipv6 address statements and OSPFv3 interface config |
| Phase 2 — Dual-Stack Access | Access layer switches, VLANs, SVIs | Add IPv6 /64 to SVIs; configure RA with SLAAC or DHCPv6; enable RA Guard on access ports; deploy RDNSS or DHCPv6 for DNS | Medium — hosts will auto-configure IPv6 and may prefer it for some traffic | Remove ipv6 address from SVIs; disable ipv6 nd on interfaces |
| Phase 3 — IPv6 Routing and Policy | All routing protocols, BGP peering, firewalls | Extend OSPFv3 to all areas; configure iBGP dual-stack; write IPv6 ACL mirrors of all IPv4 policies; update firewall rules; test with IPv6-only traffic | Medium — policy gaps between IPv4 and IPv6 can create security exposures | Deactivate BGP IPv6 address-family; revert ACLs |
| Phase 4 — Application Readiness | DNS, load balancers, applications, monitoring | Add AAAA records to DNS for all dual-stack services; update load balancer VIPs with IPv6; test Happy Eyeballs; update NMS/SNMP to poll IPv6 addresses; validate syslog and NetFlow over IPv6 | Medium — application behaviours may differ over IPv6; test thoroughly before production | Remove AAAA DNS records to redirect traffic to IPv4 |
| Phase 5 — Selective IPv4 Deprecation | Internal-only services where IPv6 adoption is 100% | Identify services with 100% IPv6 client reach; remove IPv4 addresses selectively; monitor for fallback; reclaim IPv4 space for re-use or de-registration | High — any missed IPv4-only clients will lose access; validate exhaustively before deprecating | Re-add IPv4 addresses and update DNS A records |

Troubleshooting

Verification Commands

! Interface and neighbour state
R1# show ipv6 interface GigabitEthernet0/1
R1# show ipv6 interface brief
R1# show ipv6 neighbors
R1# show ipv6 neighbors detail
! Routing table
R1# show ipv6 route
R1# show ipv6 route ospf
R1# show ipv6 route bgp
! OSPFv3
R1# show ospfv3 neighbor
R1# show ospfv3 interface GigabitEthernet0/0
R1# show ospfv3 database
! DHCPv6
R1# show ipv6 dhcp binding
R1# show ipv6 dhcp pool
! RA and NDP debug
R1# debug ipv6 nd
R1# debug ipv6 dhcp

Common Issues and Resolutions

Issue: Hosts not receiving RA / not autoconfiguring

R1# show ipv6 interface GigabitEthernet0/1 | include RA|suppress
! If output shows "ND RAs are suppressed" - fix:
R1(config-if)# no ipv6 nd suppress-ra
! Verify RA Guard is not blocking on the switch:
SW1# show ipv6 nd raguard policy HOST-PORTS
! Send a manual RA immediately:
R1# ipv6 nd ra solicited GigabitEthernet0/1

Issue: Duplicate Address Detection (DAD) failure

A host is choosing an address already in use on the link. The host sends a Neighbour Solicitation for the tentative address and receives a Neighbour Advertisement back — meaning the address is taken. The host marks the address as duplicate and stops using it.

R1# debug ipv6 nd
! Look for "DAD: Address 2001:db8:... is duplicate" messages
! Common cause: two devices with same MAC (cloned VMs)
! Or: static IPv6 address misconfiguration - same /128 on two hosts
R1# show ipv6 neighbors | include 2001:db8
! Check which MAC is associated with the conflicting address

Issue: OSPFv3 neighbour stuck in EXSTART

R1# show ospfv3 neighbor
! If state is EXSTART - MTU mismatch is the most common cause
R1(config-if)# ipv6 mtu 1500
! Or suppress MTU checking (not recommended in production):
R1(config-if)# ospfv3 1 ipv6 mtu-ignore
! Also verify Router ID is set - OSPFv3 will not form adjacencies without it
R1# show ospfv3 | include Router ID

Issue: IPv6 traffic working but no internet (routing not propagated)

R1# show ipv6 route
! Check for ::/0 default route
! If missing, check BGP or static default:
R1(config)# ipv6 route ::/0 2001:db8:a100:ff00::2
! Or redistribute via BGP:
R1# show bgp ipv6 unicast | include 0.0.0.0|::/0

Issue: RA Guard blocking legitimate router RAs

SW1# show ipv6 nd raguard policy
! Verify uplink port has ROUTER-PORTS policy, not HOST-PORTS
SW1# show run interface GigabitEthernet1/0/49 | include raguard
! Correct if wrong policy applied to uplink

Issue: Hosts prefer IPv4 even though IPv6 is available

This is usually a DNS issue — the DNS server is not returning AAAA records, or the application does not support IPv6.

# On a Linux host - check AAAA resolution:
dig AAAA corp-app.example.com
# If no AAAA record exists, hosts will use IPv4 (Happy Eyeballs fallback)
# On Windows - check IPv6 preference:
netsh interface ipv6 show prefixpolicies
# Ensure ::1/128 and 2001:db8::/32 have higher precedence than 0.0.0.0/0

Key Takeaway: IPv6 enterprise deployment is not a one-day project — it is a phased, methodical addition to the existing network. The dual-stack model means you carry IPv4 and IPv6 simultaneously with zero forced cutover. Start with infrastructure links where risk is lowest, validate routing and reachability at each phase, and ensure firewall policy parity before enabling IPv6 on end-user segments. The two most common production issues are forgotten ICMPv6 ACL entries killing NDP, and RA Guard misconfiguration blocking legitimate router advertisements. Get those right and the rest follows naturally.