One of the nice features in the Cisco ASR 1k line is the use of a dedicated management interface. At first glance at the chassis it looks like any other regular Gigabit interface, however it can be used for management traffic only. Essentially the interface is in its own VRF and can't be placed in any other (i.e. the Global VRF), providing separation at the control plane. You could then configure an IP on the interface, plug it into the Management VLAN on your network and disable SSH/Telnet on your public interfaces for ultimate security.
All very nice, but what happens when you want to TFTP a new image onto the router from a TFTP server that's inside your management VRF? The usual copy tftp flash command will fail because (by default) it looks in the ASR's global routing table to establish connectivity. You can change this with the following config:
Router(config)# ip tftp source-interface gigabitethernet 0
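For context, here is how that command fits with the rest of the management-interface configuration. This is an added example, not configuration from the original post: the addresses are constructed placeholders from the 192.0.2.0/24 documentation range, `<image-file>` stands in for your image name, and Mgmt-intf is the name IOS XE gives the management VRF on the ASR 1000.

```cisco
! --- Global configuration (constructed addresses) ---
!
! The management port lives in the built-in Mgmt-intf VRF and cannot be moved out of it.
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.0.2.10 255.255.255.0
 negotiation auto
!
! Routes for management traffic belong to the VRF, not the global table.
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.0.2.1
!
! Without this line the TFTP client resolves the server in the global
! routing table and the copy fails even though the server is reachable
! through the management VLAN.
ip tftp source-interface GigabitEthernet0
!
! --- Privileged EXEC: verify, then copy ---
!
! Confirm the TFTP server (192.0.2.50 here) answers inside the VRF first.
! Router# ping vrf Mgmt-intf 192.0.2.50
!
! Confirm the source-interface line is present in the running config.
! Router# show running-config | include tftp source-interface
!
! The copy now sources from GigabitEthernet0 and uses the Mgmt-intf table.
! Router# copy tftp://192.0.2.50/<image-file> bootflash:
```

If the ping inside the VRF succeeds but the copy still times out, check that the source-interface line is actually in the running config before looking at the server side.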
More info on using the Management Interface here:
http://www.cisco.com/c/en/us/td/docs/routers/asr1000/configuration/guide/chassis/asrswcfg/Management_Ethernet.html