Hi all
When I'm using a Catalyst or another IOS-XE switch, I use a local policy to stop the switch from being revealed by traceroute.
Just like below:
ip access-list extended BLOCK_TRACE
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 permit icmp any any echo-reply
ip local policy route-map BLOCK_TRACE
route-map BLOCK_TRACE permit 10
 match ip address BLOCK_TRACE
 set interface Null0
But on the N9K I cannot find a local policy, so I tried using an ACL applied to the interface instead, like below:
ip access-list BLOCK_TRACE
  10 deny icmp any X.X.X.X/32
  20 deny udp any X.X.X.X/32
  30 permit ip any any
interface XXX
  no shutdown
  ip access-group BLOCK_TRACE in
  no ip redirects
  ip address X.X.X.X/32
It blocks all pings and traces sent directly to the IP (e.g. ping X.X.X.X or tracert X.X.X.X),
but it still does not work like the local policy (it fails when pinging a LAN-side IP, e.g. ping 10.1.1.1):
1-9. ....
10. X.X.X.X
11. 10.1.1.1
X.X.X.X still shows up in the traceroute. How can I configure the Nexus so that I get the same effect as the local policy?
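The two configurations act on different packets, which is why the results differ. The inbound ACL is evaluated on the arriving traceroute probe; a probe for 10.1.1.1 is not addressed to X.X.X.X, so it is permitted, its TTL expires on the switch, and the switch originates an ICMP time-exceeded from its own address. That reply is what places the hop in the traceroute output. The IOS-XE local policy instead acts on that locally generated reply and sends it to Null0. The simulation below is an added illustration and not the poster's configuration or any Cisco code; it assumes a simplified forwarding path, uses 192.0.2.10 as a constructed stand-in for X.X.X.X and 198.51.100.5 as an assumed traceroute source, and models only the ACL and route-map semantics from the post.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed addresses: 192.0.2.10 stands in for the poster's X.X.X.X,
# 198.51.100.5 is an assumed traceroute source, 10.1.1.1 is the LAN IP from the post.
SWITCH_IP = "192.0.2.10"
LAN_IP = "10.1.1.1"
PROBE_SRC = "198.51.100.5"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "udp" or "icmp"
    ttl: int
    icmp_type: Optional[str] = None  # "echo", "echo-reply", "time-exceeded", "port-unreachable"


def n9k_inbound_acl(pkt: Packet) -> str:
    """Inbound ACL from the post: deny icmp/udp addressed to the interface IP,
    permit everything else. It sees only the arriving probe, so a probe whose
    destination is 10.1.1.1 is permitted."""
    if pkt.proto in ("icmp", "udp") and pkt.dst == SWITCH_IP:
        return "deny"
    return "permit"


def ios_xe_local_policy(pkt: Packet) -> str:
    """Local policy from the post: locally generated time-exceeded,
    port-unreachable and echo-reply ICMP go to Null0, everything else is forwarded."""
    if pkt.proto == "icmp" and pkt.icmp_type in ("time-exceeded", "port-unreachable", "echo-reply"):
        return "null0"
    return "forward"


def switch_handle(pkt: Packet,
                  inbound_acl: Optional[Callable[[Packet], str]] = None,
                  local_policy: Optional[Callable[[Packet], str]] = None) -> Optional[Packet]:
    """Run one probe through a simplified switch and return the ICMP the switch
    originates back to the sender, or None if nothing leaves the switch."""
    # 1. Inbound ACL on the receiving interface, evaluated on the probe itself
    if inbound_acl is not None and inbound_acl(pkt) == "deny":
        return None

    reply: Optional[Packet] = None
    if pkt.ttl <= 1:
        # 2a. TTL expires here: the switch originates time-exceeded from its own
        #     address no matter whom the probe was addressed to. This reply is
        #     what makes the hop appear in traceroute output.
        reply = Packet(SWITCH_IP, pkt.src, "icmp", 64, "time-exceeded")
    elif pkt.dst == SWITCH_IP:
        # 2b. Probe addressed to the switch: answer the closed UDP port or the echo
        if pkt.proto == "udp":
            reply = Packet(SWITCH_IP, pkt.src, "icmp", 64, "port-unreachable")
        elif pkt.proto == "icmp" and pkt.icmp_type == "echo":
            reply = Packet(SWITCH_IP, pkt.src, "icmp", 64, "echo-reply")
    # 2c. Otherwise the probe is forwarded toward pkt.dst; the switch originates nothing.

    # 3. Local policy applies to packets the switch itself generates
    if reply is not None and local_policy is not None and local_policy(reply) == "null0":
        return None
    return reply


def hop_visible(pkt: Packet, **kw) -> bool:
    """True if the sender gets an ICMP back from the switch for this probe."""
    return switch_handle(pkt, **kw) is not None


if __name__ == "__main__":
    lan_probe = Packet(PROBE_SRC, LAN_IP, "udp", ttl=1)        # traceroute 10.1.1.1, TTL reaches 0 at the switch
    direct_probe = Packet(PROBE_SRC, SWITCH_IP, "udp", ttl=5)  # traceroute X.X.X.X, final hop
    print("N9K inbound ACL, probe for LAN IP:", hop_visible(lan_probe, inbound_acl=n9k_inbound_acl))      # True
    print("IOS-XE local policy, same probe:  ", hop_visible(lan_probe, local_policy=ios_xe_local_policy))  # False
    print("N9K inbound ACL, probe to switch: ", hop_visible(direct_probe, inbound_acl=n9k_inbound_acl))    # False
```

The first two results reproduce the behaviour in the post: the inbound ACL hides the switch only for probes addressed to X.X.X.X, while the local policy suppresses the switch's own time-exceeded reply and therefore hides it on a trace to 10.1.1.1 as well. Whatever mechanism is used on the Nexus, it has to act on the ICMP the switch originates, not on the probe it receives.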