🔄 IPv6 Transition
11 menit baca
Deploying IPv6 in Enterprise Networks
A step-by-step guide to deploying IPv6 in enterprise environments, covering planning, dual-stack rollout, addressing schemes, and operational readiness.
Why Enterprises Need IPv6
The question is no longer whether to deploy IPv6, but when. Drivers include:
- IPv4 exhaustion -- Acquiring new IPv4 blocks costs $30-50+ per address.
- Cloud and mobile -- Major cloud providers (AWS, Azure, GCP) are IPv6-first for new services.
- Government mandates -- US federal agencies (OMB M-21-07), EU digital infrastructure policies.
- Performance -- Some CDNs and services offer faster paths over IPv6.
Phase 1: Assessment and Planning
Inventory
Audit every device and application for IPv6 readiness:
| Category | Check | Common Issues |
|---|---|---|
| Routers/Switches | Firmware supports IPv6 | Older firmware may lack features |
| Firewalls | IPv6 rule support | Some have limited IPv6 ACLs |
| Load Balancers | Dual-stack listeners | May need firmware upgrade |
| Applications | IPv6 socket support | Hardcoded IPv4 addresses |
| Monitoring | IPv6 polling/alerting | SNMP/syslog over IPv6 |
| DNS | AAAA record support | Already universal |
Obtain Address Space
Request a /48 (or /32 for large enterprises) from your ISP or directly from your RIR. A /48 gives you 65,536 /64 subnets -- more than enough for any single site.
Phase 2: Core Infrastructure
Deploy IPv6 on the network core first, then expand outward:
- Enable dual-stack on core routers -- Add IPv6 addresses to all router interfaces.
- Configure OSPFv3 or IS-IS for IPv6 routing (or run a separate OSPFv3 instance alongside existing OSPFv2).
- Update firewall policies -- Mirror your IPv4 rules in IPv6, adding required ICMPv6 exceptions.
- Deploy DNS -- Add AAAA records for internal services alongside existing A records.
Phase 3: Access Layer Rollout
Roll out to end-user segments in stages:
Week 1-2: IT department (internal testing)
Week 3-4: One pilot floor/building
Week 5-8: Remaining corporate VLANs
Week 9-12: Guest Wi-Fi and IoT networks
For each segment:
- Configure Router Advertisements on the gateway
- Choose SLAAC + RDNSS or DHCPv6 based on your needs
- Enable RA Guard and ND Inspection on access switches
- Verify DHCP logs and address assignment
Phase 4: Applications and Services
- Update internal applications to listen on both IPv4 and IPv6
- Add AAAA records to internal DNS for key services
- Test VPN concentrators for IPv6 inside-tunnel support
- Ensure monitoring systems collect IPv6 metrics
Common Pitfalls
- Parallel security policies -- Every IPv4 firewall rule needs an IPv6 equivalent.
- Forgetting ULA -- If your ISP changes your prefix, ULA ensures internal services keep working.
- DNS PTR records -- Reverse DNS for IPv6 requires ip6.arpa delegation.
- Training -- Network staff need IPv6 training before deployment, not after.
Success Metrics
Track these to measure deployment progress:
- Percentage of subnets with IPv6 enabled
- Percentage of DNS queries returning AAAA records
- IPv6 traffic ratio (target: 50%+ within 12 months)
- Number of IPv6-related incidents (should trend to zero)