IPv6 Planning & Segmentation — addressing, security and automation
IPv6 planning means a hierarchical prefix plan, segmentation rules and choosing configuration mechanisms (SLAAC/DHCPv6). We tie this to IPAM, ip6.arpa DNS, controlled publishing and IaC automation so rollout is predictable and auditable.
Why IPv6 — benefits and risks
Address space
/48 or /56 per site simplifies growth, isolation and /64 delegations per segment.
Hierarchy & aggregation
Prefix aggregation reduces route count, improves convergence and simplifies policy.
No NAT, better telemetry
IPv6 removes many NAT issues and enables policies based on prefixes.
IPv6 planning — addressing & prefixes
Plan structure
- /48 per business unit or site; /56 and /64 delegations for segments.
- Naming & labels in IPAM (tags for VRF/VLAN/region).
Documentation
- Plan template (prefix, owner, purpose, headroom).
- Dependency map with DNS and network policies.
Reverse DNS
- ip6.arpa zones, delegations and automatic updates from IPAM.
- TTL and publishing rules for PTR records.
IPv6 segmentation — VLAN, VRF & policies
VLAN/VRF
Separate broadcast domains, inter-VRF routing. /64 per segment, route control and ACLs.
ACL/Firewalls
Policies based on prefixes and address groups. Avoid “allow any” — define minimal port sets.
Campus & DC
EVPN/VXLAN and application segmentation. Map segments to RBAC in access systems.
SLAAC, DHCPv6 & ip6.arpa DNS
SLAAC
Autoconfiguration via Router Advertisements (RA). Simple for edge networks; protect control plane with RA Guard.
DHCPv6
Central address & option management when you need inventory. Strong IPAM integration.
Hybrid
SLAAC for hosts + DHCPv6 for options (DNS, NTP). Sync to DNS and reverse zones.
IPv6 security: RA/NDP Guard, ULA vs GUA
RA Guard / ND Inspection
Block rogue RAs and spoofing. L2 filters and NDP anomaly logging.
ULA & GUA
ULA for internal, GUA for public-facing services. Clear DNS publishing and translation rules.
Telemetry
Flow logs, NetFlow/IPFIX for IPv6, alerts for abuse and unused prefixes.
Dual-stack, NAT64/DNS64 and migration path
Dual-stack
Run IPv6 alongside IPv4. Enable segments & services gradually, track adoption metrics.
NAT64/DNS64
IPv6-only clients to IPv4 resources. Control DNS64 synthesis & an exceptions list.
Tests & KPIs
Test paths, error budgets, rollback. KPIs: availability, latency, share of IPv6 traffic.
IPv6 automation in IPAM: IaC & GitOps
Keep prefix plans, delegations and DNS declarative. Changes are reviewed, versioned and tested in pipelines.
IPAM API
Provision /64 per segment, sync PTR, inventory VRF/VLAN. Webhooks on publish.
Terraform/Ansible
IPAM providers, VLAN/VRF modules, prefix-conflict validation and integration tests.
GitOps
Pull request → review → publish. Change history, audit and fast rollback.
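An added sketch (not code from this page or from any IPAM product) of the pipeline checks described above: it validates a declarative prefix plan for /64 length, containment in the site prefix and conflicts, picks the next free /64, and derives the ip6.arpa zone name to delegate. The site prefix, segment names and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample plan (2001:db8::/32 is the documentation prefix); segment names are hypothetical.
SITE = "2001:db8:10::/48"
PLAN = {
    "users":   "2001:db8:10:100::/64",
    "servers": "2001:db8:10:200::/64",
    "mgmt":    "2001:db8:10:200::/64",   # duplicate of "servers"
    "guest":   "2001:db8:11:1::/64",     # outside the site /48
    "lab":     "2001:db8:10:300::/60",   # not a /64
}

def reverse_zone(prefix):
    """ip6.arpa zone name for a prefix on a nibble (4-bit) boundary."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen % 4:
        raise ValueError(f"{prefix}: need an IPv6 prefix on a nibble boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def validate(site, plan):
    """Return a list of plan errors: wrong length, outside the site, overlaps."""
    site_net, errors, seen = ipaddress.ip_network(site), [], []
    for name in sorted(plan):
        net = ipaddress.ip_network(plan[name])  # strict: rejects set host bits
        if net.prefixlen != 64:
            errors.append(f"{name}: {net} is not a /64")
        if not net.subnet_of(site_net):
            errors.append(f"{name}: {net} is outside {site_net}")
        for other_name, other in seen:
            if net.overlaps(other):
                errors.append(f"{name}: {net} overlaps {other_name} ({other})")
        seen.append((name, net))
    return errors

def next_free_64(site, plan):
    """First /64 in the site that overlaps nothing already in the plan."""
    used = [ipaddress.ip_network(p) for p in plan.values()]
    for candidate in ipaddress.ip_network(site).subnets(new_prefix=64):
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    return None

if __name__ == "__main__":
    for problem in validate(SITE, PLAN):
        print("FAIL", problem)
    print("next free:", next_free_64(SITE, PLAN))
    print("delegate:", reverse_zone(SITE))
```

Run as a pull-request check, a non-empty result from `validate` fails the build before anything is published to IPAM or DNS.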
Standards & docs: RFC 8200 (IPv6), RFC 4291 (Addressing), RFC 4862 (SLAAC), RFC 8415 (DHCPv6), NIST — IPv6 Guidelines.
FAQ — IPv6 planning & segmentation
What prefix per site: /48 or /56?
SLAAC or DHCPv6 — what to choose?
How to protect L2 for IPv6?
Is dual-stack required?
How to automate /64 delegations?
Need an IPv6 addressing & segmentation plan?
Free 20-min consultation — we’ll map prefixes, segments and a migration path (dual-stack/NAT64).
