One of the nice features in the Cisco ASR 1k line is the use of a dedicated management interface. On first glance at the chassis it looks like any other regular Gigabit interface, however it can be used for management traffic only. Essentially the interface is in it’s own VRF and can’t be placed in any other (ie. the Global VRF) providing separation at the control plane. You could then configure an IP on the interface, plug it into the Management VLAN on your network and disable SSH/Telnet on your public interfaces for ultimate security.