IPv6 enviroment on XGS

When you say "dual stack" and mention the WAN GW, I assume your ISP offers IPv6 and you're not just doing dual-stack internally and IPv4 externally, correct?

One thing to think about is how your ISP offers IPv6. Does it do IPv6-PD, or do they assign you a static IPv6 or something else? (Keep in mind that you'll get a /64 IPv6 for your XGS and ALSO a /56 (or whatever) for the PD that you then allocate amongst your subnets.)

If you're using SLAAC internally, IPv6 addresses will change and you have no control over them, so you might want to think through subnets -- since they're much easier and lower opportunity cost in IPv6. For example, the AppleTV is on its own subnet (and VLAN) so that you can have different TLS decryption and other policies/rules for it. It's much more difficult in IPv6 to aim specific things at specific clients than it is in IPv4 (with DHCP and reserved IPs). Unless you do DHCP6, which eliminates some of the benefits of SLAAC.

You might also turn on IPv6 segment-by-segment. Maybe on one VLAN/interface and not others, and so on, to build a comfort level. There are two separate firewall rules tables (IPv6 and IPv4) and the thrust of IPv6 is to be more subnet-centric and less client-centric than IPv4.

Also, if you're doing DDNS -- this would apply if you're trying to reach your home network from the internet --  make sure your DNS service supports simultaneous IPv4 and IPv6. (Google DNS did not. They sold recently to Squarespace, which doesn't do DDNS at all.)

When you say "dual stack" and mention the WAN GW, I assume your ISP offers IPv6 and you're not just doing dual-stack internally and IPv4 externally, correct?

One thing to think about is how your ISP offers IPv6. Does it do IPv6-PD, or do they assign you a static IPv6 or something else? (Keep in mind that you'll get a /64 IPv6 for your XGS and ALSO a /56 (or whatever) for the PD that you then allocate amongst your subnets.)

If you're using SLAAC internally, IPv6 addresses will change and you have no control over them, so you might want to think through subnets -- since they're much easier and lower opportunity cost in IPv6. For example, the AppleTV is on its own subnet (and VLAN) so that you can have different TLS decryption and other policies/rules for it. It's much more difficult in IPv6 to aim specific things at specific clients than it is in IPv4 (with DHCP and reserved IPs). Unless you do DHCP6, which eliminates some of the benefits of SLAAC.

You might also turn on IPv6 segment-by-segment. Maybe on one VLAN/interface and not others, and so on, to build a comfort level. There are two separate firewall rules tables (IPv6 and IPv4) and the thrust of IPv6 is to be more subnet-centric and less client-centric than IPv4.

Also, if you're doing DDNS -- this would apply if you're trying to reach your home network from the internet --  make sure your DNS service supports simultaneous IPv4 and IPv6. (Google DNS did not. They sold recently to Squarespace, which doesn't do DDNS at all.)