Secure the control plane with QoS

I was playing around with different ways to secure a device that does not support Control Plane Protection yet. I thought QoS might be a good way, and it’s not too bad. What I want to accomplish is no management or services on the SVI/router interfaces. Management should be to a loopback only and from a trusted subnet. In this example, I only want to be able to access  There should be no management/services allowed on the physical interfaces.


Here’s the config from the router. We are allowing everything from to and blocking the rest. Note that the ACL’s sense is inverted compared with an ACL applied directly to an interface: the entries that access-list 100 permits are what class-map FILTER matches, and policy-map DROP discards that class. That is why the remarks say "Block" next to permit entries, and why the single deny entry (loopback to loopback) is the traffic that stays reachable.

object-group service UNUSED_PROTOCOLS
class-map match-any FILTER
 match access-group 100
policy-map DROP
 class FILTER
  drop
interface Loopback0
 ip address
interface Ethernet0/0
 ip address
 service-policy input DROP
router eigrp 1
 redistribute connected
access-list 100 remark Allow loopback to loopback
access-list 100 deny ip host host
access-list 100 remark Block Telnet
access-list 100 permit tcp any any eq 23
access-list 100 remark Block SSH
access-list 100 permit tcp any any eq 22
access-list 100 remark Block FTP
access-list 100 permit tcp any any eq 21
access-list 100 remark Block TFTP
access-list 100 permit udp any any eq 69
access-list 100 remark Block all other protocols not in use
access-list 100 permit object-group UNUSED_PROTOCOLS any any
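To make the inverted ACL logic concrete, here is an added simulation (not code from the original post or from Cisco) of how access-list 100, class-map FILTER and policy-map DROP decide the fate of a few sample packets. The addresses are constructed RFC 5737 documentation values, since the real ones are elided from the post, and the object-group UNUSED_PROTOCOLS entry is left out because its members are not shown.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Optional

# Constructed documentation addresses (assumptions, not the post's real values).
MGMT_LOOPBACK = ip_address("192.0.2.1")     # assumed Loopback0 on the router
TRUSTED_HOST = ip_address("192.0.2.2")      # assumed management station's loopback
PHYSICAL_IF = ip_address("198.51.100.1")    # assumed Ethernet0/0 on the router
UNTRUSTED_HOST = ip_address("203.0.113.9")  # assumed host outside the trusted subnet


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or another IP protocol name such as "eigrp"
    src: IPv4Address
    dst: IPv4Address
    dport: Optional[int] = None


# access-list 100 from the post as (action, proto, src, dst, dport); None means "any".
# First match wins; anything unmatched hits the implicit deny at the end.
# The "permit object-group UNUSED_PROTOCOLS any any" line is omitted (members not shown).
ACL_100 = [
    ("deny",   "ip",  TRUSTED_HOST, MGMT_LOOPBACK, None),  # remark: Allow loopback to loopback
    ("permit", "tcp", None,         None,          23),    # remark: Block Telnet
    ("permit", "tcp", None,         None,          22),    # remark: Block SSH
    ("permit", "tcp", None,         None,          21),    # remark: Block FTP
    ("permit", "udp", None,         None,          69),    # remark: Block TFTP
]


def entry_matches(pkt: Packet, entry) -> bool:
    """True if one ACL entry matches the packet ("ip" matches every protocol)."""
    _, proto, src, dst, dport = entry
    if proto != "ip" and proto != pkt.proto:
        return False
    if src is not None and src != pkt.src:
        return False
    if dst is not None and dst != pkt.dst:
        return False
    if dport is not None and dport != pkt.dport:
        return False
    return True


def acl_result(pkt: Packet) -> str:
    """Return 'permit' or 'deny' for access-list 100, including the implicit deny."""
    for entry in ACL_100:
        if entry_matches(pkt, entry):
            return entry[0]
    return "deny"


def policy_verdict(pkt: Packet) -> str:
    """class-map FILTER matches what the ACL permits; policy-map DROP drops that class.
    Hence permit -> drop and deny -> forward, the opposite of an interface ACL."""
    return "drop" if acl_result(pkt) == "permit" else "forward"


def run_samples() -> dict:
    """Classify a constructed set of packets arriving on Ethernet0/0."""
    samples = {
        "ssh_trusted_to_loopback":   Packet("tcp", TRUSTED_HOST, MGMT_LOOPBACK, 22),
        "ssh_trusted_to_physical":   Packet("tcp", TRUSTED_HOST, PHYSICAL_IF, 22),
        "ssh_untrusted_to_loopback": Packet("tcp", UNTRUSTED_HOST, MGMT_LOOPBACK, 22),
        "tftp_any_to_loopback":      Packet("udp", UNTRUSTED_HOST, MGMT_LOOPBACK, 69),
        "eigrp_hello":               Packet("eigrp", ip_address("198.51.100.2"),
                                            ip_address("224.0.0.10")),
        "https_trusted_to_physical": Packet("tcp", TRUSTED_HOST, PHYSICAL_IF, 443),
    }
    return {name: policy_verdict(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:28} {verdict}")
```

Two things the simulation makes visible. First, only the loopback-to-loopback flow from the trusted host survives; the same SSH session aimed at the physical interface, or from an untrusted host, is dropped, while EIGRP hellos pass because nothing in the ACL classifies them. Second, the HTTPS sample is forwarded: with the UNUSED_PROTOCOLS object-group left empty, anything not explicitly listed falls through to the implicit deny and is therefore not dropped, which is exactly why the post's last ACL line exists. Keep in mind that an input service-policy on a physical interface classifies all ingress traffic, transit included, not just packets destined to the router itself, so the same entries will also drop Telnet, SSH, FTP and TFTP passing through the box.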

In reality it’s just as easy to create an ACL and apply it to each interface, but that is what I was trying to avoid. Since most good security policies want login attempts logged, and a policy-map drop discards packets silently, you would again need a different technique for that. But this config proves the point: you can secure the control plane with just QoS!