Depending on the hardware you're talking about, you should take different considerations.
For instance, Cisco provides a dedicated set of port/RAM and flash for OOB access on SUP2T, so you would be able to access your device even when the RP hangs. OTOH, in some Juniper boxes the management port is attached directly to the RE, so you could easily hang your router from there.
That said, I would recommend that you put a management CPE between your devices and your OOB internet access and set up a GRE tunnel between it and your central management server.
R1(config)#access-list 1 deny 20.1.1.1
R1(config)#access-list 1 permit any
R1(config)#int s0/0
R1(config-if)#ip access-group 1 in
When I try to ping 10.1.1.1 it returns U.U.U, which means destination host unreachable.
The only thing you can do is add no ip unreachables to Serial0/0. This would make pings simply time out instead of receiving an ICMP admin prohibited message when packets are denied on the serial interface.
Examples:
The following examples illustrate what happens:
- When ROUTER1 pings ROUTER2:Gi0/0, and ROUTER2 denies ROUTER1 via acl 166; ip unreachables is configured on Gi0/0
- When ROUTER1 pings ROUTER2:Gi0/0, and ROUTER2 denies ROUTER1 via acl 166; no ip unreachables is configured on Gi0/0
With ip unreachables (which is the default) on the interface
On the router with the ACL...
ROUTER2#sh runn | i access-list 166
access-list 166 deny ip host 192.0.2.111 any
access-list 166 permit ip any any
ROUTER2#sh runn int gi0/0
!
interface GigabitEthernet0/0
ip address 192.0.2.29 255.255.255.0
ip access-group 166 in
no ip redirects
no ip proxy-arp
And on the host being blocked...
ROUTER1#debug ip icmp
ROUTER1#ping 192.0.2.29 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.29, timeout is 2 seconds:
Packet sent with a source address of 192.0.2.111
U.U.U
Success rate is 0 percent (0/5)
ROUTER1#sh log | i administrat
Jan 16 11:02:29.251 CST: ICMP: dst (192.0.2.111) administratively prohibited unreachable rcv from 192.0.2.29
Jan 16 11:02:31.255 CST: ICMP: dst (192.0.2.111) administratively prohibited unreachable rcv from 192.0.2.29
Jan 16 11:02:33.263 CST: ICMP: dst (192.0.2.111) administratively prohibited unreachable rcv from 192.0.2.29
With no ip unreachables
Adding no ip unreachables on ROUTER2...
ROUTER2#conf t
ROUTER2(config)#int gi0/0
ROUTER2(config-if)#no ip unreach
Now the pings fail silently...
ROUTER1#ping 192.0.2.29 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.29, timeout is 2 seconds:
Packet sent with a source address of 192.0.2.111
.....
Success rate is 0 percent (0/5)
ROUTER1#
You don't "need to."
Some reasons for doing so are that it gives you hit counts when you type "show access-list x", and you can add the logging command (deny ip any any log).
The biggest difference is that routers use wildcard masks, while ASAs use normal masks.
Yes, along with ICMP, ESP, OSPF and others.
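The following is an added Python model, not code from any of the answers above, that ties the pieces on this page together: an IOS access-list evaluated top-down with wildcard masks (the inverse of the normal masks an ASA takes), first match and the unwritten deny at the end, per-entry hit counts as in "show access-list", and what the pinging host sees with and without ip unreachables. It assumes IOS's default ICMP unreachable rate limit of one per 500 ms and the 2-second ping timeout from the output above, which together reproduce the alternating U.U.U pattern; the parser only handles the address forms used on this page (any, host A, A W, and a bare address in a standard ACL).

```python
import ipaddress

_int = lambda a: int(ipaddress.IPv4Address(a))  # dotted quad -> 32-bit integer

def wildcard_match(addr, network, wildcard):
    # IOS wildcard: a 0 bit means "must match" (an ASA would take 255.255.255.0 where
    # IOS takes 0.0.0.255), so differing bits may only sit under 1 bits of the wildcard.
    return (_int(addr) ^ _int(network)) & ~_int(wildcard) == 0

def parse_addr(tokens):
    # Consume one address spec: "any", "host A", "A W", or a bare A (standard ACL).
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return (t, tokens.pop(0)) if tokens and tokens[0][0].isdigit() else (t, "0.0.0.0")

class AccessList:
    # Top-down, first match wins, unwritten "deny ip any any" last; hits as in "show access-list".
    def __init__(self, lines):
        self.entries = []
        for line in lines:
            tok = line.split()
            number, action, rest = int(tok[1]), tok[2], tok[3:]
            if number <= 99:  # standard ACL: source address only
                proto, src, dst = "ip", parse_addr(rest), ("0.0.0.0", "255.255.255.255")
            else:             # extended ACL: protocol, source, destination (left to right)
                proto, src, dst = rest.pop(0), parse_addr(rest), parse_addr(rest)
            self.entries.append({"action": action, "proto": proto, "src": src, "dst": dst, "hits": 0})

    def check(self, src, dst, proto="ip"):
        for e in self.entries:
            if e["proto"] in ("ip", proto) and wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"]):
                e["hits"] += 1
                return e["action"]
        return "deny"  # the implicit deny; it has no counter of its own

def ping(acl, src, dst, ip_unreachables=True, count=5):
    # Per echo: "!" reply, "U" admin-prohibited, "." 2 s timeout. IOS rate-limits unreachables
    # to one per 500 ms by default (assumed here), so the echo sent right after a "U" times out.
    out, clock, last_u = "", 0.0, -1.0
    for _ in range(count):
        if acl.check(src, dst, "icmp") == "permit":
            out += "!"
        elif ip_unreachables and clock - last_u >= 0.5:
            out, last_u = out + "U", clock
        else:
            out, clock = out + ".", clock + 2.0
    return out
```

Feeding it the acl 166 lines quoted above, ping(acl, "192.0.2.111", "192.0.2.29") returns "U.U.U" and the same call with ip_unreachables=False returns ".....", matching the two captures.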