Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

New IPv6 deployment design

Hello everyone,

I'm going to implement IPv6 and for the past few weeks I've been looking for designs, documentation and tips to make the best of it and take full advantage of IPv6. However, even Cisco's documentation is based mostly on IPv4 and IPv6 is mentioned just as additional option. Also my experiences are mostly with IPv4 and therefore I would greatly appreciate advice, tips and recommendation specifically on design and best practices.

Though I need to keep some IPv4 in place just to have interoperability with those who don't have IPv6, I could use IPv6 only as I'm fully IPv6 'ready'.

The requirements are very simple and straightforward - all is based on ASA 5520 with two external and two internal interfaces and good 90% of traffic is VPN. On the external interfaces I need some 200 site-to-site VPN connections mostly with Cisco 800 series, around 400 remote-access VPN connections and access to DMZ with email server. On the internal interfaces I've got all the servers, all internet/web traffic should go through proxy.

external/VPN <---->  \

external/VPN <---->   - ASA 5520 = SG300 - internal servers

management <---->  /                        |

                                          DMZ / external servers

All internal servers and communication can use IPv6 only, the management IP address is IPv4, the external server can have IPv4 as well as IPv6 because not everyone is on IPv6, backup IPv4 VPN in case someone will have to connect through ISP without IPv6 support.

In IPv4 world I would keep the ASA 5520 routed mode, all internal traffic with private address ranges and NAT/proxy if external access required. However, not sure if that is the best for IPv6 as well, therefore I would appreciate any suggestions, recommendations and configuration tips.

Many thanks,


Everyone's tags (5)

New IPv6 deployment design


See below an excellent White Paper on what Enterprises should do about IPv6

As recommended in this document I suggest that you purchase a global Internet routeable IPv6 address block from your ISP. Assign these addresses to your internal network.

If you still need to support legacy IPv4 then configure your devices for dual stack. See below

See below a quick guide for configuring IPv6 on your ASA firewall.

Don't forget to rate all posts that are helpful.

Community Member

New IPv6 deployment design

hi Dan,

I highly recommend this IPv6 Internet edge design guide:

Keep in mind that there's currently no NAT66, so for now there's no NAT to translate between public & private IPv6 addresses like how most are used to.

Whether you use provider assigned, or provider independent IPv6 blocks, you'll need to carefully design the ACL's to protect your network.



CreatePlease to create content