IPv6 Address Types: Global, Link-Local, ULA, and Multicast
You’ll see multiple IPv6 address types on the same interface for good reasons. Each type has a different scope and contract: reach neighbors on the link, number an internal network, talk to the public Internet, or deliver one stream to many receivers. If you mix those roles, you’ll get odd failures like a default route that pings but doesn’t forward or clients that resolve names yet can’t reach services.
IPv6 replaced broadcast with multicast and leaned on clear scoping rules. A typical host carries a link-local address for on-link control plus one or more unicast addresses (global or unique-local) for data. Understanding where each type is valid and how it’s formed makes routing, DNS, and security policies far easier to reason about.
Below we break down global unicast, link-local, unique local (ULA), and multicast addresses with ranges, examples, and operational guidance that match real networks.
Global Unicast (GUA)
Global unicast addresses are routable across the public Internet and live under 2000::/3, effectively 2000:: through 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff. Providers delegate aggregates (commonly /48 or /56 to sites and /32 or larger to ISPs). On any subnet that will host end systems, plan on /64 so stateless address autoconfiguration (SLAAC), neighbor discovery, and first-hop security features work as designed.
When to Use
Use GUAs wherever end-to-end Internet connectivity is required: public services, client VLANs in dual-stack designs, upstream links, and inter-site paths that traverse the public Internet. Servers that must accept inbound connections should have stable GUAs; clients typically form temporary GUAs for outbound privacy.
Operational Notes
With SLAAC, routers advertise prefixes and lifetimes and hosts derive the 64-bit interface identifier (IID). Modern stacks default to stable IIDs (not EUI-64) plus rotating temporary IIDs. If you also run DHCPv6, use it for stateful leases or ancillary options; the link-local still handles the default-router relationship. Keep one /64 per L2 segment; if you need numbered point-to-point router links, /127 is appropriate on those specific links.
Link-Local
Every IPv6 interface configures a link-local address in fe80::/10 scoped strictly to the local Layer-2 link. Routers source router advertisements (RAs) from link-local, and hosts install the default gateway as the router’s link-local next hop. Tools often append a zone index to disambiguate the interface (for example, fe80::1%eth0); that suffix isn’t part of the address itself, it’s a local hint to the OS.
When to Use
Use link-locals for first-hop tasks: default gateway, neighbor discovery, and routing adjacencies between directly connected devices. Don’t publish link-locals in DNS and don’t expect them to route beyond the segment.
Operational Notes
For static routes across an Ethernet link, point the next hop at the neighbor’s link-local rather than a GUA or ULA; the route survives renumbering and ISP changes. Enforce RA Guard so only legitimate router ports can send RAs.
Unique Local Address (ULA)
ULAs sit under fc00::/7 and are intended for private internets; in practice we use fd00::/8 (locally assigned). Generate one random 40-bit Global ID and form a /48 such as fd12:3456:789a::/48, then carve /64s per LAN. ULA replaced the old, ambiguous site-local concept and avoids collisions when networks merge.
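The numbering step above as a short script. This is an added example, not code from the original article; the function names new_ula_site and lan_prefix are hypothetical, and the fixed Global ID in the demo is the article's sample value, not a recommendation.

```python
import ipaddress
import secrets

ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")   # locally assigned half of fc00::/7

def new_ula_site(global_id=None):
    """Build a ULA /48: the fd byte, then a 40-bit Global ID."""
    if global_id is None:
        # Random rather than hand-picked, so two sites that later merge
        # are very unlikely to have chosen the same /48.
        global_id = secrets.randbits(40)
    if not 0 <= global_id < 1 << 40:
        raise ValueError("Global ID must fit in 40 bits")
    prefix = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix, 48))

def lan_prefix(site, subnet_id):
    """Carve the /64 for a 16-bit subnet ID out of the site's /48."""
    if site.prefixlen != 48 or not site.subnet_of(ULA_LOCAL):
        raise ValueError("expected a locally assigned ULA /48")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    base = int(site.network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))

if __name__ == "__main__":
    site = new_ula_site()                        # fresh random /48
    print("site prefix:", site)
    for vlan in (0x10, 0x20, 0x30):              # constructed subnet IDs
        print(f"  subnet {vlan:#x}: {lan_prefix(site, vlan)}")
```

Generate the /48 once, record it, and reuse it for every LAN; regenerating it renumbers the whole site.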
When to Use
Use ULA to keep internal numbering independent of providers, for management planes and labs, and to dual-home subnets alongside GUAs so internal services remain reachable if public prefixes change. For private inter-site transport, carry ULA over VPNs or private WANs.
Operational Notes
Avoid stateful NAT66. If translation is unavoidable for policy reasons, prefer NPTv6 (prefix-only translation) to preserve end-to-end properties and transport checksums. Remember that temporary IIDs can apply to ULA as well; tune host policy if you want stable addressing only.
Multicast
IPv6 multicast uses ff00::/8. The address encodes flags plus a 4-bit scope that limits distribution; common scopes include 1 (interface-local), 2 (link-local), 5 (site-local, for multicast scope only), 8 (organization-local), and e (global). Two link-local groups are always present: ff02::1 (all nodes) and ff02::2 (all routers). DHCPv6 components listen on ff02::1:2. Each unicast or anycast address maps to a solicited-node multicast group in ff02::1:ff00:0/104, enabling targeted neighbor discovery instead of broadcast.
When to Use
Rely on link-local multicast for discovery and control on a LAN and enable routed multicast only for true one-to-many applications like IPTV or market-data feeds. For routed multicast, pair host signaling via MLD with a multicast routing protocol such as PIM-SM.
Operational Notes
Enable MLD snooping on switches so replication follows listeners, and constrain higher-scope multicast with ACLs. Validate that essential link-local groups for neighbor discovery and RAs are permitted on user VLANs while nonessential groups are filtered.
Design and Troubleshooting Tips
Expect multiple addresses per interface and let source-address selection do its job; policies prefer matching scope to destination and known-good paths. On client VLANs, advertise exactly one /64 per prefix type you intend to use; avoid bleeding RAs across segments. Confirm DNS delivery over IPv6 (via RA options or DHCPv6) and AAAA presence for services you intend to reach over IPv6.
Common Prefixes and Examples
Global unicast example: 2001:db8:1234:20::/64 for a user WLAN (documentation prefix shown; use your assigned space in production). Link-local example: fe80::1%eth0 as a server’s default gateway. ULA example: fd12:3456:789a:10::/64 on a management VLAN. Multicast examples: ff02::1 and ff02::2, plus a solicited-node group like ff02::1:ff2b:3c4d derived from 2001:db8::1a2b:3c4d.
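The ranges, multicast scope nibble, and solicited-node mapping described in this article, worked through on the sample addresses above. This is an added example, not part of the original article; the function names are hypothetical.

```python
import ipaddress

# Ranges as given in the article.
RANGES = [("ff00::/8", "multicast"), ("fe80::/10", "link-local"),
          ("fc00::/7", "ula"), ("2000::/3", "global-unicast")]
SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x5: "site-local",
          0x8: "organization-local", 0xE: "global"}
SOLICITED_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def parse(text):
    """Split an optional zone index (fe80::1%eth0) from the address."""
    addr, _, zone = text.partition("%")
    return ipaddress.IPv6Address(addr), zone or None

def classify(text):
    """Return the address type, zone hint, and (for multicast) flags and scope."""
    addr, zone = parse(text)
    kind = next((name for prefix, name in RANGES
                 if addr in ipaddress.IPv6Network(prefix)), "other")
    info = {"type": kind, "zone": zone}
    if kind == "multicast":
        second = addr.packed[1]          # byte after ff: flags(4) | scope(4)
        info["flags"] = second >> 4
        info["scope"] = SCOPES.get(second & 0xF, "other")
    return info

def solicited_node(text):
    """Map a unicast/anycast address to its group in ff02::1:ff00:0/104."""
    addr, _ = parse(text)
    low24 = int(addr) & 0xFFFFFF         # only the low 24 bits are carried over
    return ipaddress.IPv6Address(SOLICITED_BASE | low24)

if __name__ == "__main__":
    samples = ["2001:db8:1234:20::1", "fe80::1%eth0", "fd12:3456:789a:10::1",
               "ff02::1", "ff02::2", "ff02::1:2"]   # from the article's examples
    for s in samples:
        print(f"{s:24} {classify(s)}")
    print("solicited-node:", solicited_node("2001:db8::1a2b:3c4d"))
```

Because only the low 24 bits survive the mapping, different addresses can share one solicited-node group, so a listener on the group still has to compare the full target address.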
Security and First-Hop Controls
Turn on RA Guard and, if you use DHCPv6, pair it with DHCPv6-Shield features. Filter unexpected higher-scope multicast at aggregation points. Remember that legitimate RAs have hop-limit 255 and originate from a router’s link-local—mismatches are a strong signal of spoofing or misconfiguration.
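The two RA properties named above, written as a check over raw IPv6 packets such as those taken from a capture. This is an added example, not part of the original article; check_ra and build_ra are hypothetical names, the packets are constructed test data, and the parser assumes no extension headers sit between the IPv6 and ICMPv6 headers.

```python
import ipaddress
import struct

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ICMPV6, ROUTER_ADVERT = 58, 134          # IPv6 next-header value, ICMPv6 type

def check_ra(packet):
    """Return findings for a raw IPv6 packet carrying an RA ([] = passes).
    Returns None when the packet is not a Router Advertisement."""
    if len(packet) < 41 or packet[0] >> 4 != 6:
        return None
    next_header, hop_limit = packet[6], packet[7]
    if next_header != ICMPV6 or packet[40] != ROUTER_ADVERT:
        return None
    src = ipaddress.IPv6Address(packet[8:24])
    findings = []
    if hop_limit != 255:                  # a forwarded packet arrives with less
        findings.append(f"hop limit {hop_limit}, expected 255")
    if src not in LINK_LOCAL:
        findings.append(f"source {src} is not link-local")
    return findings

def build_ra(src, hop_limit):
    """Constructed packet: IPv6 header plus a minimal 16-byte RA (checksum 0)."""
    ra = struct.pack("!BBHBBHII", ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    header = struct.pack("!IHBB", 6 << 28, len(ra), ICMPV6, hop_limit)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address("ff02::1").packed + ra)

if __name__ == "__main__":
    cases = [("fe80::1", 255), ("fe80::1", 64), ("2001:db8::1", 255)]
    for src, hl in cases:                 # constructed sample traffic
        result = check_ra(build_ra(src, hl))
        print(f"RA from {src} hl={hl}: {result or 'ok'}")
```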
Address Lifetimes and Rotation
RA prefix options include preferred and valid lifetimes; when preferred hits zero, the address is deprecated for new connections but remains usable for existing ones until the valid lifetime expires. Privacy addresses rotate on a schedule (often roughly daily) while stable IIDs persist to keep inbound and policy bindings predictable.
Putting It All Together
Give each user VLAN one GUA /64 and, if you need internal resilience, a ULA /64. The router advertises both with DNS information in RAs. Clients form stable and temporary addresses for each prefix and join the required link-local multicast groups. The default gateway is always the router’s link-local, not its GUA. On inter-router links, number with /127 where appropriate and run dynamic routing or static routes that point to link-local next hops. Keep first-hop protections on and verify DNS reachability end-to-end over IPv6, not just IPv4.
