AP IPv6 Neighbor Snooping

About this task

IPv6 snooping bundles layer 2 IPv6 hop security features, such as IPv6 ND inspection, IPv6 address gleaning and IPv6 device tracking. When IPv6 ND is configured on a device, packet capture instructions redirect the ND protocol and DHCP for IPv6 traffic up to the controller for inspection.

A database of connected IPv6 neighbors is created from the IPv6 neighbor snoop. The database is used by IPv6 to validate the link layer address, IPv6 address and prefix binding of the neighbors to prevent spoofing and potential redirect attacks.
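The binding check described above, sketched as an added example (this is not the product's own code): a table keyed on VLAN and IPv6 address that validates the link-layer address and prefix of each snooped claim. The class name, the first-claimant learning policy, the per-VLAN prefix list and the sample traffic are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NeighborBindingTable:
    # Assumption: prefixes legitimately on-link per VLAN are known in advance.
    vlan_prefixes: dict
    # (vlan, IPv6 address) -> link-layer address learned by snooping
    bindings: dict = field(default_factory=dict)

    def inspect(self, vlan, mac, addr):
        """Check one snooped ND/DHCPv6 claim and return a verdict string."""
        ip = ipaddress.IPv6Address(addr)
        mac = mac.lower()
        # Prefix check: address must be link-local or in a prefix of this VLAN.
        on_link = ip.is_link_local or any(
            ip in net for net in self.vlan_prefixes.get(vlan, []))
        if not on_link:
            return "drop: prefix not valid on VLAN"
        owner = self.bindings.get((vlan, ip))
        if owner is None:
            # Assumed policy: the first claimant owns the address.
            self.bindings[(vlan, ip)] = mac
            return "learn"
        if owner != mac:
            # A different MAC claiming a bound address is a spoofing signal.
            return "drop: link-layer address mismatch"
        return "allow"

# Constructed sample traffic: (VLAN, source MAC, claimed IPv6 address)
SAMPLE = [
    (10, "02:00:00:00:00:01", "2001:db8:10::5"),
    (10, "02:00:00:00:00:01", "2001:db8:10::5"),
    (10, "02:00:00:00:00:99", "2001:db8:10::5"),
    (10, "02:00:00:00:00:02", "2001:db8:20::7"),
    (10, "02:00:00:00:00:02", "fe80::2"),
]

def run_sample():
    table = NeighborBindingTable(
        {10: [ipaddress.IPv6Network("2001:db8:10::/64")]})
    return [table.inspect(*claim) for claim in SAMPLE]

if __name__ == "__main__":
    for claim, verdict in zip(SAMPLE, run_sample()):
        print(claim, "->", verdict)
```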

Access Points listen to IPv6 formatted network traffic and forward IPv6 packets to radios on which the interested hosts are connected.

To review IPv6 neighbor snooping statistics:

Procedure

  1. Select the Statistics menu from the Web UI.
  2. Expand the System node from the navigation pane (on the left-hand side of the screen).
    The System node expands to display the RF Domains created within the managed network.
  3. Expand an RF Domain node, select a controller or service platform, and select one of its connected access points.
    The Access Point's statistics menu displays in the right-hand side of the screen, with the Health tab selected by default.
  4. Expand the Firewall menu.
  5. Select IPv6 Neighbor Snooping.
    The Statistics > AP > Firewall > IPv6 Neighbor Snooping screen displays in the right-hand pane.
    This screen displays the following information:
    | Field | Description |
    |---|---|
    | MAC Address | Displays the hardware encoded MAC address of an IPv6 client reporting to the controller or service platform. |
    | Node Type | Displays the NetBios node type from an IPv6 address pool from which IP addresses can be issued to requesting clients. |
    | IPv6 Address | Displays the IPv6 address used for DHCPv6 discovery and requests between the DHCPv6 server and DHCP clients. |
    | VLAN | Displays the controller or service platform virtual interface ID used for a new DHCPv6 configuration. |
    | Mint Id | Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure communications at the transport layer. Using MiNT, a device can be configured to only communicate with other authorized (MiNT enabled) devices of the same model. |
    | Snoop Id | Lists the numeric snooping session ID generated when Access Points listen to IPv6 formatted network traffic and forward IPv6 packets to radios. |
    | Time Elapsed Since Last Update | Displays the amount of time elapsed since the DHCPv6 server was last updated. |
  6. Select Clear Neighbors to revert the counters to zero and begin a new data collection.
  7. Select Refresh to update the screen's counters to their latest values.