Hi all

When I'm using catalyst or other with IOS-XE, I use local policy to restrict sw to be trace route by traceroute.

Just like below 

ip access-list extended BLOCK_TRACE
permit icmp any any time-exceeded
permit icmp any any port-unreachable
permit icmp any any echo-reply

ip local policy route-map BLOCK_TRACE

route-map BLOCK_TRACE permit 10
match ip address BLOCK_TRACE
set interface Null0

But in N9K I cannot found there is local policy and I just try to use acl and applied to interface instead like below

ip access-list BLOCK_TRACE

10 deny icmp any X.X.X.X/32
20 deny udp any X.X.X.X/32
30 permit ip any any

interface XXX
no shutdown
ip access-group BLOCK_TRACE in
no ip redirects
ip address X.X.X.X/32

It can be block all ping and trace which directly to the IP (e.g. ping X.X.X.X or tracert X.X.X.X)

but it still cannot be work like local policy (fail when ping to LAN side IP ping 10.1.1.1)

1-9. ....

10. X.X.X.X

11. 10.1.1.1

X.X.X.X still can be shown in traceroute. How can I config in nexus such that I can get the same effect with local policy.