Firewall groups for IPv6 and dual-stack networks

Firewall groups for IPv6 and dual-stack networks are assigned on a per-network basis.  The entire IPv6 network will have only one firewall group. If more than one firewall group is required, the necessary networks will be made available.

Networks that have both IPv4 and IPv6 address allocations (dual-stack networks) will need to need to have both address blocks placed in the same firewall group.  This ensures that every system on the network has the same network exposure both IP stacks.  In other words, this ensures that the the systems on the network are exposed to the Internet the same way for both IPv4 and IPv6 addresses.

Link-local and other auto-configured IPv6 addresses

Most hosts on an IPv6 network will have multiple IPv6 addresses.  Some of those addresses will be link-local and will only be used on the local subnet.  If the network is configured for "stateless" IPv6 autoconfiguration, it will also have one or more IPv6 addresses that are dynamically assigned.  All of these dynamically assigned addresses will be part of the same IPv6 address block, and therefore receive the same campus firewall protections as any other address on that network.

For more information on IPv6 autoconfiguration options, please see Requesting DHCP for Networks.

Are there any "private" IPv6 networks?

There is not an IPv6 equivalent to RFC 1918 IP space (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8) so all IPv6 space is "public". However, just like for IPv4 networks, IT Pros can request that an IPv6 network not be accessible from the Internet (the "fully-closed" firewall group) or that the network not have any Internet access at all, even for outbound connections.