If you order business internet from a competent ISP, they will hand you a /48 IPv6 prefix. That gives you 65,536 LAN segments. If you order residential internet, you might get a /56 (256 LANs), a /60 (16 LANs), or — if the ISP is being stingy — just a /64 (which is one LAN, and breaks internal subnetting entirely).
This article explains how IPv6 prefix delegation works, what each size means for your network design, and why "just give us a /64" is the wrong answer regardless of how small your network feels.
The IPv6 hierarchy you need to know
| Prefix | LANs (/64s) | Typical use |
|---|---|---|
| /32 | 4.3 billion | ISP allocation |
| /48 | 65,536 | Business site, RFC 6177 recommended minimum |
| /56 | 256 | Generous residential |
| /60 | 16 | Typical residential |
| /64 | 1 | Single LAN segment |
An ISP gets a /32 from the regional internet registry (4 billion /64 LANs, enough for millions of customers). They subdivide it: /48 for businesses, /56 or /60 for residential. Every customer ends up with multiple /64 LANs out of their allocation.
Why /64 is never enough
Engineers coming from IPv4 sometimes think "I only have one LAN at home, so why do I need more than one /64?" The answer is multifaceted:
Guest networks
If you want a separate Wi-Fi for guests/IoT/kids isolated from your main LAN, each isolated network is a separate /64. With only one /64, you cannot subnet at all.
VLANs
Every VLAN is its own broadcast domain, which in IPv6 terms means its own /64. Office networks routinely have 5-20 VLANs.
VPN clients
If you run a VPN server (WireGuard, OpenVPN), connected clients need their own /64 for proper routing back home. With only one /64 you have to NAT or proxy.
Site-to-site routing
Two offices connecting over IPv6 each need their own /64 LANs plus a transit /64. Three sites = at least 6 /64s.
Future proofing
IPv6 is going to be the dominant protocol for the next 50+ years. Get the right allocation now or you will be re-numbering later.
DHCPv6 prefix delegation (DHCPv6-PD)
The standard mechanism by which an ISP hands a prefix to a customer is DHCPv6 Prefix Delegation, defined in RFC 3633. The process:
- Your router boots up and sends a DHCPv6 Solicit message with IA_PD (Identity Association for Prefix Delegation).
- The ISP's DHCPv6 server responds with a prefix allocation (e.g., 2001:db8:abcd::/56).
- Your router automatically subdivides this into /64s for each connected LAN segment.
- Internal devices receive their /64 prefix via Router Advertisement and configure themselves via SLAAC.
The whole process takes seconds and requires no manual configuration. The customer just sees their devices come online with IPv6 addresses.
What good routers do automatically
Modern consumer and SMB routers that support DHCPv6-PD do this without configuration:
- Request a prefix from the ISP (preferring /48, accepting /56 or /60).
- Subdivide the prefix into /64s for each LAN segment (main LAN, guest, IoT, VLAN-N).
- Announce each /64 via Router Advertisement on the appropriate interface.
- Allow hosts to self-configure via SLAAC.
- Update firewall rules to allow IPv6 traffic with appropriate restrictions.
Examples of routers that handle this correctly: anything running OpenWrt, OPNsense, pfSense, MikroTik RouterOS, Cisco IOS XE, Ubiquiti UniFi. Many ISP-provided modems do not support DHCPv6-PD properly — request a /48 in bridge mode or replace the modem.
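To make the delegation exchange and the router's subdivision step concrete, here is an added example (not from the original article or from any router's firmware) that parses an IA_PD option in the RFC 3633 layout and carves one /64 per LAN segment from the delegated prefix. The option bytes are constructed, and the function and segment names are assumptions for illustration.

```python
import ipaddress
import struct

OPTION_IA_PD = 25      # Identity Association for Prefix Delegation
OPTION_IAPREFIX = 26   # IA Prefix option nested inside IA_PD

def parse_ia_pd(option: bytes):
    """Return (iaid, [(prefix, preferred_s, valid_s), ...]) from one IA_PD option."""
    if len(option) < 16:
        raise ValueError("truncated IA_PD option")
    code, length = struct.unpack_from("!HH", option, 0)
    if code != OPTION_IA_PD or length < 12 or 4 + length > len(option):
        raise ValueError("not a complete IA_PD option")
    iaid, _t1, _t2 = struct.unpack_from("!III", option, 4)
    prefixes, pos, end = [], 16, 4 + length
    while pos + 4 <= end:
        sub_code, sub_len = struct.unpack_from("!HH", option, pos)
        if pos + 4 + sub_len > end:
            raise ValueError("sub-option runs past the end of IA_PD")
        body = option[pos + 4:pos + 4 + sub_len]
        if sub_code == OPTION_IAPREFIX and sub_len >= 25:
            preferred, valid, plen = struct.unpack_from("!IIB", body, 0)
            # strict=False masks any host bits a sloppy server left set
            net = ipaddress.IPv6Network((body[9:25], plen), strict=False)
            prefixes.append((net, preferred, valid))
        pos += 4 + sub_len
    return iaid, prefixes

def carve_lans(delegated, segments):
    """Give each LAN segment the next /64 out of the delegated prefix."""
    if delegated.prefixlen > 64:
        raise ValueError(f"{delegated} is longer than /64 and cannot hold a LAN")
    available = 2 ** (64 - delegated.prefixlen)
    if len(segments) > available:
        raise ValueError(f"{delegated} holds {available} /64(s), {len(segments)} needed")
    return dict(zip(segments, delegated.subnets(new_prefix=64)))

# Constructed sample: an IA_PD delegating 2001:db8:abcd::/56 (documentation space).
SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:abcd::/56")
SAMPLE_IA_PD = (
    struct.pack("!HHIII", OPTION_IA_PD, 12 + 29, 1, 1800, 2880)
    + struct.pack("!HHIIB", OPTION_IAPREFIX, 25, 3600, 7200, 56)
    + SAMPLE_PREFIX.network_address.packed
)

if __name__ == "__main__":
    _, delegated = parse_ia_pd(SAMPLE_IA_PD)
    for name, lan in carve_lans(delegated[0][0], ["lan", "guest", "iot"]).items():
        print(f"{name:6} {lan}")
```

Because the LAN prefixes are derived from whatever the ISP delegates, a rotated prefix only changes the input to `carve_lans`; a /64 delegation fails as soon as a second segment is requested.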
How to allocate inside your /48
With a /48, you have 65,536 /64 LANs. A reasonable subdivision uses the 16 bits between the /48 and /64 as a structured hierarchy:
```
2001:db8:abcd::/48                    Your allocation
+-- 2001:db8:abcd:0000::/52           Headquarters (16 /56s)
|   +-- 2001:db8:abcd:0000::/56       HQ building 1 (256 /64s)
|   |   +-- 2001:db8:abcd:0000::/64   Floor 1 default LAN
|   |   +-- 2001:db8:abcd:0001::/64   Floor 1 VLAN guest
|   |   +-- ... up to 0x00ff
|   +-- 2001:db8:abcd:0100::/56       HQ building 2
+-- 2001:db8:abcd:1000::/52           Branch offices (16 sites)
+-- 2001:db8:abcd:2000::/52           Data center
+-- 2001:db8:abcd:f000::/52           Reserved
```
Structured allocation makes routing tables shorter (summary routes), troubleshooting easier (you can identify a site from its prefix), and growth predictable.
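The troubleshooting and summarization benefits can be shown directly. This added example (not part of the original article) loads the plan above, maps an address seen in a log to its place in the hierarchy, and collapses contiguous /64s into summary routes; the function names and sample addresses are constructed.

```python
import ipaddress

ALLOCATION = ipaddress.IPv6Network("2001:db8:abcd::/48")

# The plan from the tree above, keyed by prefix.
PLAN = {
    "2001:db8:abcd:0000::/52": "Headquarters",
    "2001:db8:abcd:0000::/56": "HQ building 1",
    "2001:db8:abcd:0000::/64": "Floor 1 default LAN",
    "2001:db8:abcd:0001::/64": "Floor 1 VLAN guest",
    "2001:db8:abcd:0100::/56": "HQ building 2",
    "2001:db8:abcd:1000::/52": "Branch offices",
    "2001:db8:abcd:2000::/52": "Data center",
    "2001:db8:abcd:f000::/52": "Reserved",
}

# Widest block first, so a lookup reads like a path down the tree.
BLOCKS = sorted(
    ((ipaddress.IPv6Network(prefix), label) for prefix, label in PLAN.items()),
    key=lambda block: block[0].prefixlen,
)

def locate(address):
    """Return the plan labels covering an address, from site down to LAN."""
    addr = ipaddress.IPv6Address(address)
    if addr not in ALLOCATION:
        return ["outside allocation"]
    return [label for net, label in BLOCKS if addr in net] or ["unassigned"]

def summarize(prefixes):
    """Collapse contiguous prefixes into the shortest list of covering routes."""
    nets = [ipaddress.IPv6Network(p) for p in prefixes]
    return [str(net) for net in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    # Constructed source addresses, as they might appear in a firewall log.
    for src in ("2001:db8:abcd:1::42", "2001:db8:abcd:1234::1", "2001:db8:abcd:3000::1"):
        print(src, "->", " / ".join(locate(src)))
    building_1 = ipaddress.IPv6Network("2001:db8:abcd::/56").subnets(new_prefix=64)
    print(summarize(str(lan) for lan in building_1))
```

An address that resolves to "unassigned" is inside the /48 but in a block the plan never handed out, which is worth a second look when it shows up as a traffic source.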
What to do if your ISP only offers /64
Some residential ISPs hand out /64s with no PD support. This technically counts as an IPv6 deployment, but it severely limits what you can do internally. Options:
- Push back. RFC 6177 says ISPs should give residential customers at least /56 and businesses at least /48. Cite it. Some ISPs change practice when customers ask.
- Use a Hurricane Electric tunnel. Free /48 over an IPv6-in-IPv4 tunnel from tunnelbroker.net. Adds latency, but gives you a proper allocation.
- Use ULA (fd00::/8) internally. Combine with the single /64 from your ISP for external traffic. You lose end-to-end addressing for the multiple LANs, but can keep IPv6 working internally. See our IPv6 fundamentals article for ULA details.
- Switch ISP. The strongest signal you can send.
Cloud IPv6 prefix patterns
Cloud providers handle IPv6 prefix sizing differently from on-premises:
| Provider | VPC IPv6 prefix | Subnet IPv6 prefix |
|---|---|---|
| AWS | /56 | /64 (one per subnet) |
| Azure | /56 (default), expandable to /48 | /64 |
| GCP | /48 (custom mode) | /64 |
AWS hands you a /56 from their allocation; you cannot bring your own. Each AWS subnet uses a /64 from that /56, giving you up to 256 subnets per VPC.
Common prefix delegation mistakes
- Subnetting a /64 into smaller pieces. Breaks SLAAC. Every LAN must be exactly /64. If you need more LANs, get a shorter prefix.
- Hardcoding the ISP-assigned prefix. ISPs may rotate prefixes (especially residential). Use prefix delegation so your router adapts.
- Forgetting to firewall the delegated prefix. By default, devices behind your router get publicly routable IPv6 addresses. Set up stateful firewall rules to block unsolicited inbound traffic; most routers do this automatically.
- Mixing /64 RA prefixes from your ISP and ULA. Sometimes works, sometimes breaks. Pick one source of truth per LAN; use SLAAC for global addresses and explicit static config for ULA if needed.
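A pre-deployment check for the four mistakes above, as an added example that is not from the original article. The configuration shape (`ra_prefixes`, `inbound`) and all sample values are hypothetical, and the `inbound` field only records what the operator declared; it does not inspect a real ruleset.

```python
import ipaddress

ULA = ipaddress.IPv6Network("fd00::/8")  # the ULA range the article refers to

def audit_lans(delegated, lans):
    """Check LAN settings against the mistakes listed above.

    `lans` maps a LAN name to {"ra_prefixes": [...], "inbound": "drop" | "accept"}.
    That shape is hypothetical, made up for this example; it is no router's format.
    Returns a list of (lan, finding) tuples, empty when nothing is wrong.
    """
    pd = ipaddress.IPv6Network(delegated)
    findings = []
    for name, cfg in lans.items():
        nets = [ipaddress.IPv6Network(p) for p in cfg["ra_prefixes"]]
        global_nets = [n for n in nets if not n.subnet_of(ULA)]
        for net in nets:
            if net.prefixlen != 64:
                findings.append((name, f"{net}: LAN prefix must be exactly /64 for SLAAC"))
        for net in global_nets:
            # A global prefix outside the delegation was hardcoded or is stale.
            if not net.subnet_of(pd):
                findings.append((name, f"{net}: not inside current delegation {pd}"))
        if global_nets and len(global_nets) < len(nets):
            findings.append((name, "RA mixes ULA and global prefixes"))
        if global_nets and cfg.get("inbound") != "drop":
            findings.append((name, "global prefix without default-drop for unsolicited inbound"))
    return findings

# Constructed sample configuration (documentation and ULA space only).
SAMPLE_LANS = {
    "lan":   {"ra_prefixes": ["2001:db8:abcd:0::/64"], "inbound": "drop"},
    "guest": {"ra_prefixes": ["2001:db8:abcd:1::/65"], "inbound": "drop"},
    "iot":   {"ra_prefixes": ["2001:db8:9999:2::/64"], "inbound": "accept"},
    "lab":   {"ra_prefixes": ["2001:db8:abcd:3::/64", "fd12:3456:789a:3::/64"],
              "inbound": "drop"},
}

if __name__ == "__main__":
    for lan, finding in audit_lans("2001:db8:abcd::/56", SAMPLE_LANS):
        print(f"{lan:6} {finding}")
```

Running the same audit with a different delegated prefix shows what breaks after an ISP rotates the prefix: every statically configured global /64 is reported as outside the delegation.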
Key takeaways
- Business ISPs should give you a /48 (65,536 LANs). Residential should be /56 (256 LANs) or at least /60 (16 LANs).
- A single /64 is one LAN. You cannot subnet it; you cannot run multiple isolated networks.
- Prefix delegation works automatically with DHCPv6-PD. Modern routers handle the entire process.
- Cloud providers hand out /56 (AWS, Azure) or /48 (GCP) per VPC; each subnet uses a /64 from that.
- If your ISP only gives /64, push back, use a Hurricane Electric tunnel, or change ISPs.