This is the first in what will no doubt be a many part series on deploying IPv6. This is a problem I have had to overcome recently, and still to this day I battle with the implementation subtleties. If you find yourself in my shoes, I hope you find this helpful.

So, firstly, you need to consider your architecture. Mine, I am reliably told is totally wrong.

I use ASAs as routers in the campus. Why? Cos shut up - that’s why! I like to maintain user group segmentation, and I also like to maintain security policy quite tightly. Therefore I put all users in VLANs managed by 802.1x, and all those VLANs gateway on an ASA trunk subinterface. I then provide an appropriately sized routed L3 subnets from a site specific IPv4 /21 and have ACLs as access-groups. Voila - policy is maintained at the gateway border.