...

Basics

IPv6-only VLAN

A new dedicated VLAN was created on our Cisco 3750X for IPv6-only systems, so that building, testing and configuring would not interfere with any production networks. Configuring this VLAN with only IPv6 allows to use simpler IP This IPv6-only VLAN allows us to start from scratch using only two IPv6 Access Control Lists (ACLs), and start from scratch:

interface Vlan9
 description IPv6_only_Servers
 no ip address
 no ip proxy-arp
 ipv6 address 2001:610:148:BAD::1/64
 ipv6 nd prefix 2001:610:148:BAD::/64
 ipv6 traffic-filter ipv6_only_servers_out in
 ipv6 traffic-filter ipv6_only__servers_in out
end

I started out with IPv6 ACLs that disallow everything by default, then started configuring the server, monitor the log files for any dropped traffic, and then open up specific thingsgradually opened up the necessary things.

Addressing

Obviously, the first thing to do is to uncheck IPv4 in the interface configuration . For IPv6 addressing I choose autoconfigured EUI64, no privacy extensions. The reason is that this is a server, and it will not be used for any web browsing activities. Static addresses also help configuring the (empty) IP ACLs. The idea is that during configuration and testing the IPv6 ACLs will be constructed, based on stuff that does not work. Eventually, when everything works, it might be an option to use privacy extensions.

...