I was playing around with different ways to secure a device that does not yet support Control Plane Protection (CPPr). I thought the QoS tooling (a class-map and policy-map applied under control-plane, i.e. Control Plane Policing) might be a good way, and it's not too bad. What I want to accomplish is no management or services on the SVI/router interfaces: management should be to a loopback only, and only from a trusted subnet. In this example, I only want 192.168.1.1 to be able to reach 172.16.1.1 (the loopback). There should be no management/services allowed on the physical interfaces.
Here's the config from the 172.16.1.1 router. Note the inverted ACL logic: because ACL 100 feeds a class whose action is drop, a permit entry selects traffic to be dropped, and the single deny entry exempts the trusted flow from the policy so it falls through to the CPU. Everything from 192.168.1.1 to 172.16.1.1 is allowed; the listed management services (Telnet, SSH, FTP, TFTP) and the unused protocols in the object-group are dropped from any other source or to any other address. Services not listed in the ACL (SNMP, HTTP, NTP and so on) are not matched and therefore still reach the control plane, so extend the ACL for anything else you run.
object-group service UNUSED_PROTOCOLS
 ahp
 igmp
 ipinip
 nos
 ospf
 pcp
 pim
!
class-map match-any FILTER
 match access-group 100
!
policy-map DROP
 class FILTER
  drop
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0
 redistribute connected
!
access-list 100 remark Allow loopback to loopback
access-list 100 deny ip host 192.168.1.1 host 172.16.1.1
access-list 100 remark Block Telnet
access-list 100 permit tcp any any eq 23
access-list 100 remark Block SSH
access-list 100 permit tcp any any eq 22
access-list 100 remark Block FTP
access-list 100 permit tcp any any eq 21
access-list 100 remark Block TFTP
access-list 100 permit udp any any eq 69
access-list 100 remark Block all other protocols not in use
access-list 100 permit object-group UNUSED_PROTOCOLS any any
!
control-plane
 service-policy input DROP
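To make the permit-means-drop inversion concrete, here is a small Python model of access-list 100 as the CoPP drop class, run over a handful of constructed control-plane packets. This is an added example, not code from the original post; the packet samples, the SNMP case and the ACL_100_DEFAULT_DROP variant (which exempts the trusted flow and EIGRP and then selects everything else for drop) are my own assumptions, not part of the config above.

```python
"""Model of the CoPP classification in the post's config.

Added example (not from the original post). It evaluates constructed sample
packets against a Python model of access-list 100 to show the inverted
semantics of an ACL used as a drop class under control-plane policing:
a 'permit' entry selects traffic for the DROP action, and the single 'deny'
entry exempts the trusted management flow so it falls through to the CPU.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional

TCP, UDP = 6, 17
# IANA protocol numbers for the object-group members, plus EIGRP, which the
# post's ACL deliberately never matches (so it keeps reaching the router).
PROTO = {"ahp": 51, "igmp": 2, "ipinip": 4, "nos": 94, "ospf": 89,
         "pcp": 108, "pim": 103, "eigrp": 88}
ANY = "0.0.0.0/0"


class Packet(NamedTuple):
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # only meaningful for TCP/UDP


class Ace(NamedTuple):
    action: str            # "permit" or "deny", in ACL terms
    proto: Optional[int]   # None models the "ip" keyword (any protocol)
    src: str               # CIDR; ANY models "any", a /32 models "host"
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or p.dport == self.dport


# access-list 100 from the post, entry for entry.
ACL_100: List[Ace] = [
    Ace("deny", None, "192.168.1.1/32", "172.16.1.1/32"),  # exempt trusted mgmt
    Ace("permit", TCP, ANY, ANY, 23),                      # Telnet  -> drop
    Ace("permit", TCP, ANY, ANY, 22),                      # SSH     -> drop
    Ace("permit", TCP, ANY, ANY, 21),                      # FTP     -> drop
    Ace("permit", UDP, ANY, ANY, 69),                      # TFTP    -> drop
] + [Ace("permit", PROTO[n], ANY, ANY)                     # object-group
     for n in ("ahp", "igmp", "ipinip", "nos", "ospf", "pcp", "pim")]

# Assumed variant (mine, not the post's): default-drop. Everything not
# explicitly exempted is selected for the drop class, so unlisted services
# such as SNMP or HTTP cannot slip through. EIGRP must now be exempted too.
ACL_100_DEFAULT_DROP: List[Ace] = [
    Ace("deny", None, "192.168.1.1/32", "172.16.1.1/32"),
    Ace("deny", PROTO["eigrp"], ANY, ANY),
    Ace("permit", None, ANY, ANY),
]


def acl_action(acl: List[Ace], p: Packet) -> str:
    """First-match evaluation; an IOS ACL ends in an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def copp_verdict(p: Packet, acl: List[Ace] = ACL_100) -> str:
    """class FILTER matches when the ACL *permits*; policy-map DROP then drops.
    Traffic the ACL denies (explicitly or implicitly) is outside the class and
    is delivered to the control plane."""
    return "drop" if acl_action(acl, p) == "permit" else "pass"


# Constructed sample control-plane packets, not captures from the post.
SAMPLES = {
    "ssh trusted host -> loopback":    Packet("192.168.1.1", "172.16.1.1", TCP, 22),
    "ssh trusted host -> Ethernet0/0": Packet("192.168.1.1", "10.0.0.1", TCP, 22),
    "ssh untrusted host -> loopback":  Packet("10.0.0.5", "172.16.1.1", TCP, 22),
    "eigrp hello from neighbour":      Packet("10.0.0.2", "224.0.0.10", PROTO["eigrp"]),
    "ospf hello from neighbour":       Packet("10.0.0.2", "224.0.0.5", PROTO["ospf"]),
    "snmp untrusted host -> loopback": Packet("10.0.0.5", "172.16.1.1", UDP, 161),
}


def verdicts(acl: List[Ace] = ACL_100) -> dict:
    """Verdict per sample packet under the given ACL."""
    return {name: copp_verdict(p, acl) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{v:4}  {name}")
```

Running it shows the post's ACL passing the trusted SSH flow to the loopback and dropping SSH to Ethernet0/0 and from untrusted hosts, while EIGRP passes untouched and OSPF is dropped. It also shows the constructed SNMP packet passing, because nothing in the ACL matches udp/161; the default-drop variant closes that by ending in a catch-all permit (drop) with explicit deny (exempt) entries in front of it.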
In reality it is just as easy to create an ACL and apply it to each interface, but that is what I was trying to avoid. One caveat: the drop action in the policy map only counts what it discards, so if your security policy requires logging of blocked login attempts (as most good ones do), you would again need a different technique. To confirm the policy is actually matching, check the class counters with show policy-map control-plane. Also bear in mind that the exemption is keyed on a source address, so it is only as strong as your anti-spoofing (uRPF or ingress filtering) at the edge. But this config proves a point: you can secure the control plane with just QoS!