I would like to ask the question in a different way since I got no feedback:
If the machines connected to my 7600 all have a static IPv6 address configured, and either have a static default route, or learn default via iBGP or OSPFv3, is rogue RA still a problem in such a case, or is it only an issue when using SLAAC?
If the RA is in a fragmented packet or if the RA has some Extension Header, the switch is not able to recognize it!
The question is why should we have fragmented RA or Extension Headers in a RA?
I don't see any need for that but it is supposed to be supported by RFC and then permitted.
Now you can filter it, I will not tell and your RA Guard will work again!
Normally most ND packets MUST have the Hop Limit set to 255 to be valid, which is a good protection as it is impossible to send an ND packet from a remote network, and I thought that Rogue RA was not as dangerous because of this.
But I just noticed on an old capture of an RA I took from my ISP that their RAs have a Hop Limit of 64!
This RA is fully analyzed in my latest IPv6 Tutorial Release on Page 15 if you click on the RA Capture:
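Added example (not part of the original posts): the header-chain walk a filter needs in order to find an RA behind extension headers or a fragment header, together with the Hop Limit 255 check. The packet bytes are constructed samples and `inspect_ra` and `build` are hypothetical names; the result reports the IPv6 header Hop Limit separately from the Cur Hop Limit field carried inside the RA body.

```python
import struct

EXT = {0: "hop-by-hop", 43: "routing", 60: "destination-options"}
FRAGMENT, ICMPV6, RA_TYPE = 44, 58, 134

def inspect_ra(pkt: bytes) -> dict:
    """Walk the IPv6 header chain the way a first-hop RA filter has to."""
    r = {"is_ra": False, "hop_limit": pkt[7], "cur_hop_limit": None,
         "ext_headers": [], "fragmented": False, "findings": []}
    nxt, off = pkt[6], 40
    while nxt in EXT or nxt == FRAGMENT:
        if off + 8 > len(pkt):
            r["findings"].append("truncated header chain")
            return r
        if nxt == FRAGMENT:
            r["fragmented"] = True
            r["ext_headers"].append("fragment")
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                # Non-first fragment: the ICMPv6 header is not in this packet.
                r["findings"].append("non-first fragment, upper layer not visible")
                return r
            nxt, off = pkt[off], off + 8
        else:
            r["ext_headers"].append(EXT[nxt])
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nxt == ICMPV6 and off + 5 <= len(pkt) and pkt[off] == RA_TYPE:
        r["is_ra"] = True
        r["cur_hop_limit"] = pkt[off + 4]  # RA body field, not the IPv6 header
        if r["hop_limit"] != 255:
            r["findings"].append("RA hop limit is not 255")
        if r["ext_headers"]:
            r["findings"].append("RA behind extension header(s)")
    return r

def build(next_header: int, hop_limit: int, payload: bytes) -> bytes:
    """Constructed sample packet, fe80::1 -> ff02::1 (not a real capture)."""
    src = bytes.fromhex("fe80" + "0" * 27 + "1")
    dst = bytes.fromhex("ff02" + "0" * 27 + "1")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit) + src + dst + payload

# Constructed RA body: type 134, checksum left 0, Cur Hop Limit 64, lifetime 1800.
RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
DESTOPT = bytes([58, 0, 1, 4, 0, 0, 0, 0])            # next=ICMPv6, PadN option
PLAIN = build(58, 255, RA)
HIDDEN = build(60, 255, DESTOPT + RA)
LOW_HL = build(58, 64, RA)
LATER_FRAG = build(44, 255, struct.pack("!BBHI", 58, 0, 1 << 3, 1) + RA[8:])

if __name__ == "__main__":
    for name in ("PLAIN", "HIDDEN", "LOW_HL", "LATER_FRAG"):
        print(name, inspect_ra(globals()[name]))
```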