I was playing around with different ways to secure a device that does not support Control Plane Protection yet. I thought QoS might be a good way and it’s not too bad. What I want to accomplish is no management or services on the SVI/router interfaces. Management should be to a loopback only and from a trusted subnet. In this example. I only want 192.168.1.1 to be able to access 172.16.1.1. There should be no management/services allowed on the physical interfaces.

Here’s the config from the 172.16.1.1 router. We are allowing everything from 192.168.1.1 to 172.16.1.1 and blocking the rest.

object-group service UNUSED_PROTOCOLS
ahp
igmp
ipinip
nos
ospf
pcp
pim
!
class-map match-any FILTER
match access-group 100
!
policy-map DROP
 class FILTER
  DROP
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
!
!
router eigrp 1
network 10.0.0.0
redistribute connected
!
access-list 100 remark Allow loopback to loopback
access-list 100 deny ip host 192.168.1.1 host 172.16.1.1
access-list 100 remark Block Telnet
access-list 100 permit tcp any any eq 23
access-list 100 remark Block SSH
access-list 100 permit tcp any any eq 22
access-list 100 remark Block FTP
access-list 100 permit tcp any any eq 21
access-list 100 remark Block TFTP
access-list 100 permit udp any any eq 69
access-list 100 remark Block all other protocols not in use
access-list 100 permit object-group UNUSED_PROTOCOLS any any
!
control-plane
 service-policy input DROP

In reality it’s just as easy to create an ACL and apply it to each interface, but that is what I was trying to avoid. Since most good security policies want to log login attempts, you again would want to apply a different technique. But this config is proving a point, you can secure the control plane with just QoS!