3850 Responds to FE80::/10 ND, but Default Config Is IPv6 Disabled

Tammy L. Burley
Level 1

Cisco docs state IPv6 is disabled, but my 3850 running 16.3 is responding to the link-local FE80:: packets and the SVIs have IPv6 neighbor discovery configured. See Table 38-1 in the doc for 3850 IPv6 defaults.

The docs also state: "The switch uses stateless autoconfiguration to manage link, subnet, and site addressing changes, such as management of host and mobile IP addresses. A host autonomously configures its own link-local address, and booting nodes send router solicitations to request router advertisements for configuring interfaces."

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swipv6.html

Show run all for interface vlan 100 reveals some IPv6 protocols.

interface Vlan100
...deleted
 ipv6 nd reachable-time 0
 ipv6 nd ns-interval 0
 ipv6 nd dad attempts 1
 ipv6 nd dad loopback detect

"A value of 135 in the Type field of the ICMP packet header identifies a neighbor solicitation message. Neighbor solicitation messages are sent on the local link when a node wants to determine the link-layer address of another node on the same local link (see the figure below). When a node wants to determine the link-layer address of another node, the source address in a neighbor solicitation message is the IPv6 address of the node sending the neighbor solicitation message. The destination address in the neighbor solicitation message is the solicited-node multicast address that corresponds to the IPv6 address of the destination node. The neighbor solicitation message also includes the link-layer address of the source node."

"No IPv6 enable" isn't going to do much good if the switch isn't configured for IPv6. Or will it? I will have to do some testing with Wireshark to determine if that configuration on an SVI will work.

Anyone have any other ideas on how to disable the switch from responding to potential nefariously crafted FE80:: traffic?

thanks, Tammy
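
For the Wireshark test mentioned above, an added example (not part of the original post, and not Cisco code): it parses raw Ethernet frames, keeps only valid neighbor solicitations (type 135) and advertisements (type 136), and reports which solicited targets were actually answered. The addresses and frames are constructed, and the parser assumes no IPv6 extension headers and does not verify the ICMPv6 checksum.

```python
import ipaddress
import struct

NS, NA = 135, 136  # ICMPv6 types: neighbor solicitation / neighbor advertisement

def solicited_node(addr):
    """Solicited-node multicast group: ff02::1:ff00:0/104 plus the low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24)

def parse_nd(frame):
    """Return (type, src, dst, target) for an NS/NA frame, else None."""
    if len(frame) < 14 + 40 + 24 or frame[12:14] != b"\x86\xdd":
        return None
    ip = frame[14:54]
    # Next header 58 = ICMPv6; RFC 4861 requires hop limit 255 on ND messages.
    if ip[6] != 58 or ip[7] != 255 or frame[54] not in (NS, NA):
        return None
    src, dst, target = (ipaddress.IPv6Address(b)
                        for b in (ip[8:24], ip[24:40], frame[62:78]))
    return frame[54], src, dst, target

def answered_targets(frames):
    """Targets that were solicited and later seen in a neighbor advertisement."""
    asked, answered = set(), set()
    for kind, src, dst, target in filter(None, map(parse_nd, frames)):
        if kind == NS and dst in (target, solicited_node(target)):
            asked.add(target)
        elif kind == NA and target in asked:
            answered.add(target)
    return answered

def build(kind, src, dst, target):
    """Constructed test frame: zero MACs, zero checksum, no ND options."""
    s, d, t = (ipaddress.IPv6Address(x).packed for x in (src, dst, target))
    icmp = struct.pack("!BBHI", kind, 0, 0, 0) + t
    ip = struct.pack("!IHBB", 6 << 28, len(icmp), 58, 255) + s + d
    return bytes(12) + b"\x86\xdd" + ip + icmp

# Constructed capture: a host probes two link-local addresses; only one answers.
HOST, SVI, UNUSED = "fe80::1", "fe80::2a:bbff:fecc:dd01", "fe80::dead"
CAPTURE = [
    build(NS, HOST, str(solicited_node(SVI)), SVI),
    build(NA, SVI, HOST, SVI),
    build(NS, HOST, str(solicited_node(UNUSED)), UNUSED),
]
```

If the SVI's link-local address shows up in `answered_targets()` after the configuration change, the switch is still answering neighbor discovery on that interface.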
