Cisco LIVE! mentions RA attacks as the single largest IPv6-related attack pattern seen in a local LAN. RA Guard is intended to protect against this, and while it works well, it's also not fragment-friendly. To protect against fragments sneaking things by RA Guard, IOS and IOS XE recommend implementing an inbound PACL that denies all IPv6 packets that don't have enough information to validate Router Advertisements:
ipv6 access-list RAGUARD-PACL
 deny ipv6 any any undetermined-transport
 permit ipv6 any any
However, NX-OS command syntax (OS version 9.3(7) on a 9372PX-E) does not seem to have this. What is the Nexus recommendation to protect against fragments bypassing RA Guard?
weylin
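
The question turns on packets whose Layer 4 header cannot be found in the frame being inspected. The following is an added illustration, not code from the poster or from Cisco: a Python walk of the IPv6 header chain that flags such packets. It models the concept only, not any switch's actual matching logic; the packets, addresses and helper names (`classify`, `ipv6`, `frag`) are constructed for the example.

```python
import struct

EXT_HEADERS = {0, 43, 60}              # hop-by-hop, routing, destination options
FRAGMENT, ICMPV6 = 44, 58
MIN_UPPER = {ICMPV6: 4, 6: 20, 17: 8}  # bytes needed to read the L4 header
UNDETERMINED = "undetermined-transport"

def classify(packet: bytes) -> str:
    """Walk the IPv6 header chain and report whether the L4 header is visible."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = packet[6], 40
    while True:
        if nxt in EXT_HEADERS:
            if off + 2 > len(packet):
                return UNDETERMINED
            hdr_len = (packet[off + 1] + 1) * 8
            if off + hdr_len > len(packet):
                return UNDETERMINED
            nxt, off = packet[off], off + hdr_len
        elif nxt == FRAGMENT:
            if off + 8 > len(packet):
                return UNDETERMINED
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return "non-initial-fragment"   # offset != 0: no chain to inspect
            nxt, off = packet[off], off + 8
        else:  # treated as the upper-layer protocol (AH/ESP not parsed in this sketch)
            if len(packet) - off < MIN_UPPER.get(nxt, 0):
                return UNDETERMINED
            return f"icmpv6 type {packet[off]}" if nxt == ICMPV6 else f"protocol {nxt}"

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample header: fe80::1 -> ff02::1, hop limit 255."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload

def frag(next_header: int, offset_units: int, more: bool) -> bytes:
    """Fragment header; offset is in 8-byte units, identification is constructed."""
    return struct.pack("!BBHI", next_header, 0, offset_units << 3 | more, 0x1234)

RA = bytes([134, 0, 0, 0]) + bytes(12)          # ICMPv6 type 134, constructed body
DESTOPT = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])  # 8-byte header holding one PadN option
SAMPLES = {
    "plain RA": ipv6(ICMPV6, RA),
    "first fragment, chain cut before ICMPv6": ipv6(FRAGMENT, frag(60, 0, True) + DESTOPT),
    "second fragment carrying the RA": ipv6(FRAGMENT, frag(60, 1, False) + RA),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {classify(pkt)}")
```

Only the first sample exposes the ICMPv6 type to a per-packet filter; the other two are the cases a fragment-aware deny rule exists to catch.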