I'd like to block traffic to my routers from outside my network, but still allow my routers to traceroute/ping to hosts outside my network and reply to traceroutes sourced outside the network.
Is there a way to force ICMP replies to come from a particular IP address? For example, something like "ip icmp source-interface loopback2", where the ICMP messages generated by my routers would come from a source IP that I can specify? That would help to hide interface IPs from casual miscreants.
Alternatively, I could try to block all packets entering my network with destination IPs of my internal links. But that would block replies from simple outbound pings and traceroutes from router CLI sessions. If there were a way to bind locally-sourced ping and traceroute to a particular source IP on each router, then that would also be helpful.
Perhaps blocking at the network edge is not productive, and I should be using Control Plane Policing for this? The router platform is a mix of VXR and 3BXL.
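As an added illustration of the Control Plane Policing approach raised in the last paragraph (not from the original post; the ACL, class-map and policy-map names are constructed and the police rate is an arbitrary placeholder), here is a Cisco IOS CoPP fragment that rate-limits ICMP addressed to the router itself while still admitting the echo-reply and ttl-exceeded messages that are the replies to pings and traceroutes run from the router CLI:

```cisco
! Constructed example: ICMP that the router's own control plane must still receive.
! echo-reply / ttl-exceeded / unreachable are the replies to pings and traceroutes
! run from the router CLI; echo lets outside hosts still ping and traceroute the router.
ip access-list extended COPP-ICMP-WANTED
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
 permit icmp any any echo
!
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP-WANTED
!
! Rate in bps is a placeholder; size it from the observed control-plane ICMP load.
! Only this class is shown; a production policy also polices class-default.
policy-map COPP
 class COPP-ICMP
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

CoPP only acts on packets punted to the route processor, so transit traffic is untouched and replies to router-sourced probes are still delivered; it does not change the source address of ICMP the router generates, so it does not by itself hide interface IPs.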