Define the IPv6-only scope
An IPv6-only enterprise network is a specific architectural state where no IPv4 addresses are configured on interfaces and no native IPv4 transit exists. This is not a transitional phase like dual-stack, where both protocols run side-by-side. Instead, it is a definitive endpoint where IPv6 is the sole network-layer protocol for all internal traffic and external connectivity relies on translation mechanisms like NAT64 and DNS64.
Defining this scope early prevents the common pitfall of "IPv6 mostly" environments. In a mostly-IPv6 setup, some legacy systems or management interfaces still retain IPv4 addresses, creating hybrid routing tables and potential security blind spots. A true IPv6-only network eliminates this ambiguity. Every interface, from the core router to the end-user host, operates exclusively on IPv6 prefixes. This clarity simplifies firewall rules, reduces configuration drift, and ensures that your security policies are built around a single, consistent protocol stack.
The scope extends beyond just data traffic. You must also define how management, DNS, and DHCPv6 services will operate without IPv4 fallbacks. If your monitoring tools or legacy appliances require IPv4, they must be isolated in a separate, translated zone or replaced with IPv6-native equivalents. This definition sets the stage for the migration strategy: audit your current assets, deploy the necessary translation gateways, migrate hosts to IPv6-only configurations, and validate that all critical services remain accessible through the new translation layer.
For a deeper understanding of enterprise scenarios, refer to RFC 4057, which outlines various deployment models, including the IPv6-only scenario.
Audit internal IPv6 readiness
Before shifting your enterprise network to an IPv6-only architecture, you must map the current state of your infrastructure. This audit identifies which devices, applications, and services already speak IPv6 natively and which ones will require updates, patches, or replacement. Skipping this step often leads to silent failures where traffic appears to flow but critical services drop connections because they lack native IPv6 support.
Start by scanning your network for dual-stack devices. Most modern enterprise gear supports both IPv4 and IPv6, but legacy systems may be IPv4-only. Use network discovery tools to catalog every IP address assigned to your endpoints. Flag any device that fails to respond to IPv6 ping requests or lacks an IPv6 default gateway configuration. These are your primary candidates for replacement or isolation.
Next, review application dependencies. Many enterprise applications rely on hardcoded IPv4 addresses or DNS records that do not include AAAA (IPv6) records. Check your internal DNS zones to ensure they are fully populated with IPv6 records for all critical services. If an application cannot resolve or connect via IPv6, it will break in an IPv6-only environment unless you implement translation mechanisms, which adds complexity and potential latency.
Finally, validate management interfaces. Network administrators often manage devices via SSH, SNMP, or web interfaces that may still default to IPv4. Ensure your management plane is configured to accept IPv6 connections. Without this, you risk locking yourself out of critical infrastructure during the transition. Refer to the IETF RFC 7381 for detailed enterprise deployment guidelines that emphasize thorough inventorying before migration.
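The DNS part of this audit can be scripted. The following is an added example, not part of the original article: it reads zone records in `name ttl IN type rdata` form, follows in-zone CNAMEs, and lists every name that resolves to IPv4 only. The zone contents and host names are constructed sample data.

```python
from collections import defaultdict

# Constructed sample zone data (documentation addresses, hypothetical names).
SAMPLE_ZONE = """\
app.corp.example.     300 IN A     192.0.2.10
app.corp.example.     300 IN AAAA  2001:db8:10::10
erp.corp.example.     300 IN A     192.0.2.20
portal.corp.example.  300 IN CNAME erp.corp.example.
git.corp.example.     300 IN AAAA  2001:db8:10::30
wiki.corp.example.    300 IN CNAME app.corp.example.
"""

def parse_zone(text):
    """Return {owner: {rtype: [rdata, ...]}} for 'name ttl IN type rdata' lines."""
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records[name.lower()][rtype.upper()].append(rdata.strip().lower())
    return records

def address_types(records, name, depth=0):
    """Follow in-zone CNAMEs and return the address record types reachable from name."""
    if depth > 8:                              # guard against CNAME loops
        return set()
    rrsets = records.get(name.lower(), {})
    if "CNAME" in rrsets:
        return address_types(records, rrsets["CNAME"][0], depth + 1)
    return {t for t in ("A", "AAAA") if t in rrsets}

def ipv4_only_names(zone_text):
    """Names that resolve to IPv4 only; these need an AAAA record or a translation path."""
    records = parse_zone(zone_text)
    return sorted(n for n in records if address_types(records, n) == {"A"})

if __name__ == "__main__":
    for name in ipv4_only_names(SAMPLE_ZONE):
        print("no AAAA:", name)
```

An alias such as `portal.corp.example.` is reported even though it has no A record of its own, because its CNAME target is IPv4-only.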
Deploy NAT64 and DNS64
Migrate subnets to IPv6-only
Moving from a dual-stack configuration to an IPv6-only environment is the most critical phase of the migration. This transition requires a disciplined, phased approach to minimize disruption. The goal is to isolate specific subnets, verify that all traffic can be handled via IPv6 or appropriate translation mechanisms, and then permanently disable IPv4 support on those segments.
1. Audit and Select Pilot Subnets
Begin by identifying a non-critical subnet for the pilot migration. Avoid servers hosting legacy applications or critical infrastructure that may have hardcoded IPv4 dependencies. Use network discovery tools to map all active devices and their current addressing schemes. Ensure that DNS records for these hosts are updated to include AAAA records before proceeding.
2. Deploy Translation or Dual-Stack Transition
Since the internet still relies heavily on IPv4, you must decide how the IPv6-only subnet will communicate with IPv4 resources. Options include NAT64/DNS64 for stateless translation or SIIT for stateless IP/ICMP translation. Configure your border routers and firewalls to handle these translations transparently. This step ensures that users in the pilot subnet can still access external IPv4 services while internal traffic remains IPv6-only.
3. Disable IPv4 on the Subnet
Once translation is verified and stable, begin disabling IPv4 on the switches and routers within the pilot subnet. Start with end-user devices, then move to access layer switches. Monitor logs closely for any connectivity failures. If issues arise, pause the migration and review the translation logs to identify missing IPv4 routes or blocked ports.
4. Validate and Expand
Conduct a comprehensive validation of the pilot subnet. Check latency, packet loss, and application performance compared to the dual-stack baseline. If the pilot is successful, expand the migration to other subnets in a similar phased manner. Document each step and update your network diagrams to reflect the new IPv6-only topology.
Handle legacy device exceptions
Even in a strict IPv6-only enterprise, some legacy systems will not support native IPv6. These outliers require isolation or translation rather than forcing a network-wide downgrade to dual-stack. The goal is to maintain an IPv6-only core while providing controlled access for legacy infrastructure.
Isolate with dedicated VLANs
Segregate legacy devices into isolated VLANs. This prevents them from disrupting the native IPv6 routing table or consuming IPv6 address space. Treat these VLANs as distinct zones with strict firewall policies.
Deploy translation proxies
For legacy systems that must communicate with IPv6 services, deploy protocol translation proxies. These gateways translate between IPv4 and IPv6, allowing legacy applications to function without native IPv6 support. This approach aligns with NIST NCCoE guidance on secure IPv6-only implementation for dual-stack and IPv4-only services.
Validate connectivity
Test connectivity from the legacy VLAN to the IPv6 core. Ensure that translation proxies are functioning correctly and that no IPv4 traffic is leaking into the native IPv6 routing paths. Regular audits should confirm that these exceptions remain contained.
Validate connectivity and security
Before declaring the migration complete, you must verify that the IPv6-only enterprise network behaves as expected under real-world conditions. This phase focuses on three critical areas: internal routing stability, external reachability through NAT64, and the enforcement of security policies on native IPv6 traffic.
Test internal routing
Confirm that all internal subnets are advertising IPv6 prefixes correctly. Use ping6 and traceroute6 to verify end-to-end connectivity between critical servers, workstations, and management interfaces. Ensure that DHCPv6 or SLAAC is handing out addresses without fallback to IPv4.
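To confirm that a migrated host has no IPv4 fallback, its address table can be checked mechanically. This added example (not from the original article) parses output in the format of `ip -o addr show` on Linux and reports every non-loopback IPv4 address, including 169.254.0.0/16 autoconfiguration addresses. The snapshot and interface names are constructed.

```python
import ipaddress

# Constructed snapshot in the format printed by `ip -o addr show` on Linux.
SAMPLE_IP_ADDR = r"""
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:20::15/64 scope global dynamic \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 fe80::1/64 scope link \       valid_lft forever preferred_lft forever
3: eth1    inet 169.254.12.7/16 brd 169.254.255.255 scope link eth1\       valid_lft forever preferred_lft forever
4: mgmt0    inet 192.0.2.44/24 brd 192.0.2.255 scope global mgmt0\       valid_lft forever preferred_lft forever
"""

def ipv4_leftovers(ip_addr_output):
    """Return [(interface, address, kind)] for every non-loopback IPv4 address."""
    findings = []
    for line in ip_addr_output.splitlines():
        fields = line.split()
        # Expected fields: "<index>:", "<ifname>", "inet" or "inet6", "<addr>/<len>", ...
        if len(fields) < 4 or fields[2] != "inet":
            continue
        addr = ipaddress.ip_interface(fields[3]).ip
        if addr.is_loopback:
            continue
        # 169.254.0.0/16 means the stack autoconfigured IPv4 after finding no DHCPv4 server.
        kind = "link-local autoconfig" if addr.is_link_local else "configured"
        findings.append((fields[1], str(addr), kind))
    return findings

if __name__ == "__main__":
    for iface, addr, kind in ipv4_leftovers(SAMPLE_IP_ADDR):
        print(f"{iface}: {addr} ({kind})")
```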
Verify NAT64 and DNS64
External access relies on NAT64/DNS64 to translate IPv6 client requests to IPv4 destinations. Test connectivity to well-known IPv4-only services (e.g., major public APIs or legacy SaaS tools). If these fail, check your NAT64 gateway logs for translation errors and verify that DNS64 is correctly synthesizing AAAA records from A records.
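One way to check DNS64 synthesis, as an added example that is not part of the original article: compute the AAAA a resolver should return for each A record using the RFC 6052 address layout, then compare with what it actually returned. The well-known prefix 64:ff9b::/96 is an assumption here (the article names no prefix), and the addresses are constructed sample data.

```python
import ipaddress

# Well-known NAT64 prefix from RFC 6052; assumed here, substitute your own prefix.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

def synthesize(prefix, ipv4):
    """Embed an IPv4 address in a NAT64 prefix using the RFC 6052 layout."""
    if prefix.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 allows only /32, /40, /48, /56, /64 and /96")
    out = bytearray(prefix.network_address.packed)
    # The IPv4 octets follow the prefix but skip octet 8 (bits 64-71), which stays zero.
    slots = [i for i in range(prefix.prefixlen // 8, 16) if i != 8][:4]
    for slot, octet in zip(slots, ipaddress.IPv4Address(ipv4).packed):
        out[slot] = octet
    return ipaddress.IPv6Address(bytes(out))

def check_dns64(prefix, a_records, aaaa_answers):
    """Return (missing, unexpected) AAAA answers for an IPv4-only name."""
    expected = {synthesize(prefix, a) for a in a_records}
    got = {ipaddress.IPv6Address(a) for a in aaaa_answers}
    return ([str(a) for a in sorted(expected - got)],
            [str(a) for a in sorted(got - expected)])

if __name__ == "__main__":
    # Constructed data: A records of an IPv4-only service and what a resolver returned.
    a_records = ["192.0.2.33", "198.51.100.7"]
    answers = ["64:ff9b::c000:221", "2001:db8:64::c633:6407"]
    missing, unexpected = check_dns64(WELL_KNOWN_PREFIX, a_records, answers)
    print("missing:", missing)
    print("unexpected:", unexpected)
```

An unexpected answer means the resolver synthesized with a prefix other than the one the NAT64 gateway translates, so clients will send traffic to addresses the gateway does not handle.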
Audit security policies
Firewall rules often lag behind migration. Review your next-generation firewalls and intrusion detection systems to ensure they are inspecting IPv6 traffic, not just dropping it. Validate that your IPv6-only enterprise security posture includes proper rate limiting and that no unintended IPv4 fallback paths exist.
Common IPv6-only migration questions: what to check next
Transitioning to an IPv6-only enterprise environment requires precise planning. The following questions address the core mechanics of the migration, focusing on the sequence of auditing, deploying, and validating your infrastructure.
For authoritative technical definitions, refer to the IETF draft on IPv6-only operations. This document outlines the requirements for networks that do not provide IPv4 transit.

