IPv6 in enterprise best practices/white papers

Eugeniu Patrascu eugen at imacandi.net
Mon Jan 28 15:27:16 UTC 2013


On Sat, Jan 26, 2013 at 11:26 AM, Pavel Dimow <paveldimow at gmail.com> wrote:
> Hi,
>
> I have read many of those ipv6 documents and they are great but I
> still luck to find something like "real world" scenario.
> What I mean is that for example I want to start implementation of ipv6
> in my enterprise according to my knowledge so far
> my first step is to create address plan, then implement security on
> routers/switches then on hosts, and after that I can start to create
> AAAA record and PTR records in DNS and after that I should configure my
> dhcp servers and after all has been done I can test ipv6 in LAN and
> after that I can start configure bgp with ISP.
> Is this the correct procedure? Any thoughts? If all is correct I have a
> few questions..
>
> Regarding DNS, if I give a /64 to host using SLAAC or DHCP how do I
> maintain PTR for this /64? I should use DDNS?
> What do you use in your enterprise SLAAC or DHCP? If SLAAC why not DHCP?
> Any other hints/tips?
>

Having been personally involved in deploying IPv6 on an enterprise network,
here's how I did it (keeping in mind the fact that we have our own
ASN):

- get a /48 PI from the local LIR
- configure the border routers to announce the prefix and do
connectivity tests (ping Google/Facebook addresses using an IPv6
address from our own /48 - loopback on the router)
- configure IPv6 addresses on internal router and do connectivity tests again
- configure firewall interfaces with IPv6 addresses and again connectivity tests
- configure IPv6 firewall rules (mostly a mirror of the IPv4 rulesets)
- configure IPv6 address on DMZ servers (actually the first one
configured were the DNS servers)
- do connectivity tests again
- publish IPv6 records for the DNS servers and for the domain and run
ping/telnet 80 tests from another IPv6-enabled network to check that
everything is OK.
- publish AAAA records for all the hosts in the DMZ and make sure
all the services available on IPv4 were also available on IPv6
- did the same for the servers in the "Server network"
- last step was to enable IPv6 on the network that served the users
using RA with the stateful configuration bit set on the firewall and
DHCPv6 to serve up DNS servers for IPv6

Yes, I know there are a lot of connectivity tests but it allowed me to
check that routing was working and ports were open on the firewall as
expected as I got deeper and deeper down the rabbit hole :)

PTRs are only enabled/published for servers and user networks, but
it's not announced on the internet.

It's been working fine since August-September of 2011 without issues in a
dual stack environment.
I thought about running pure IPv6 inside and do 6to4, but it's too
much of a headache, not to mention that not all the internal equipment
knows about IPv6 - L2 switches, some terminal servers and so on.

If you're not sure about things, do it on the equipment with the
lowest operational impact and see how that goes.

Eugeniu
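One way to handle the PTR question from the original mail in the way this reply describes (reverse records only for statically addressed servers, never per-host for a SLAAC /64), as an added Python example that is not from the thread; the prefix 2001:db8:1234::/48 and the hostnames are constructed sample values.

```python
import ipaddress


def reverse_zone_origin(prefix: str) -> str:
    """Return the ip6.arpa zone name covering an IPv6 prefix.

    The prefix length must be a multiple of 4, since ip6.arpa uses one
    label per hex nibble (a /48 is 12 nibbles, a /64 is 16).
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be nibble-aligned")
    # reverse_pointer gives 32 nibble labels followed by "ip6" and "arpa"
    labels = net.network_address.reverse_pointer.split(".")
    keep = net.prefixlen // 4
    return ".".join(labels[32 - keep:])


def ptr_record(address: str, fqdn: str, origin: str) -> str:
    """Build one PTR record, owner name relative to the zone origin."""
    rp = ipaddress.IPv6Address(address).reverse_pointer
    suffix = "." + origin
    if not rp.endswith(suffix):
        raise ValueError(f"{address} is outside reverse zone {origin}")
    owner = rp[: -len(suffix)]
    return f"{owner} PTR {fqdn}."


def build_reverse_zone(prefix: str, hosts: list[tuple[str, str]]) -> str:
    """Render a reverse zone fragment for statically addressed hosts.

    SLAAC-assigned user /64s are deliberately not enumerated: a /64 holds
    2**64 addresses, so only the servers with fixed addresses get PTRs,
    as described in the reply above.
    """
    origin = reverse_zone_origin(prefix)
    lines = [f"$ORIGIN {origin}."]
    for address, fqdn in hosts:
        lines.append(ptr_record(address, fqdn, origin))
    return "\n".join(lines)


if __name__ == "__main__":
    # constructed sample values (documentation prefix, not real hosts)
    servers = [
        ("2001:db8:1234::53", "ns1.example.net"),
        ("2001:db8:1234:1::80", "www.example.net"),
    ]
    print(build_reverse_zone("2001:db8:1234::/48", servers))
```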
