Secure the control plane with QoS

I was playing around with different ways to secure a device that does not support Control Plane Protection yet. I thought QoS might be a good way, and it's not too bad. What I want to accomplish is no management access or services on the SVI or physical router interfaces: management should go to a loopback only, and only from a trusted subnet. In this example, I only want 192.168.1.1 to be able to reach 172.16.1.1 (the loopback). Nothing addressed to the physical interfaces themselves should be answered.

[diagram: qos-plane]

Here's the config from the 172.16.1.1 router. It allows everything from 192.168.1.1 to 172.16.1.1 and drops everything else that is destined to the router itself.
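The original config was posted as an image and is not reproduced here. The following is an added example of one way to build the same policy with MQC on a pre-CoPP IOS device; it is not the post's own config. The interface names and the physical addresses (Loopback0 = 172.16.1.1, Gi0/0 = 10.0.0.1, Gi0/1 = 10.0.1.1) are assumptions for illustration; only 192.168.1.1 and 172.16.1.1 come from the post. The trick is that an ACL `deny` inside a class-map means "not a member of this class", so the single trusted flow is excluded first and everything else aimed at any address the router owns falls into the class that gets policed to zero.

```cisco
! Added example, not the original post's config. Assumed addressing:
!   Loopback0 = 172.16.1.1 (the only management address)
!   Gi0/0     = 10.0.0.1   (physical, no management/services)
!   Gi0/1     = 10.0.1.1   (physical, no management/services)
!   Trusted management host = 192.168.1.1
!
ip access-list extended ACL-TO-ROUTER-UNWANTED
 remark "deny" here = excluded from the drop class, i.e. allowed through
 deny   ip host 192.168.1.1 host 172.16.1.1
 remark everything else addressed to the router itself is classified
 permit ip any host 172.16.1.1
 permit ip any host 10.0.0.1
 permit ip any host 10.0.1.1
!
class-map match-all CM-TO-ROUTER-UNWANTED
 match access-group name ACL-TO-ROUTER-UNWANTED
!
policy-map PM-PROTECT-ROUTER
 class CM-TO-ROUTER-UNWANTED
  remark police to the minimum rate and drop even conforming traffic
  police 8000 conform-action drop exceed-action drop violate-action drop
 class class-default
  remark transit traffic and the trusted management flow pass untouched
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 service-policy input PM-PROTECT-ROUTER
!
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 service-policy input PM-PROTECT-ROUTER
```

The policy is applied inbound on every physical interface, because that is the only place a packet can arrive from. To check it, SSH or ping from a host other than 192.168.1.1 and watch the class counters with `show policy-map interface GigabitEthernet0/0`; the drop class should count every attempt, and the trusted host should still reach 172.16.1.1. Two caveats worth knowing: the ACL only lists unicast addresses the router owns, so multicast routing-protocol hellos (OSPF, EIGRP) are deliberately left alone, and a `permit ip any host` entry also catches ICMP, so pings to the physical interface addresses will die along with the management protocols, which is what the post asks for but can surprise you during troubleshooting.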

In reality it is just as easy to create an ACL and apply it to each interface, but that is what I was trying to avoid. Since most good security policies want login attempts logged, you would again need a different technique: a policed drop generates no log message, and the `log` keyword is not supported on an ACL that is used for class-map matching. But this config proves the point: you can secure the control plane with just QoS!