We're a very small ISP with one PoP that is getting an ASR-1002X to replace an aging 7206 w/NPE-G2.

I'm trying to wrap my head around how to achieve some separation between management access and customer traffic.  We're basically self-contained in one cabinet at a colo facility, and the only existing "management" network is just a dumb switch connected to the internal interfaces of all the servers - this is used for backend db access, backups, and other "management" tasks, but it is totally isolated from the larger internet.  The VXR currently does not even have an interface on that network.  Our current protection is simply a bunch of ACLs to restrict snmp/ssh to a handful of IPs (admin workstations, monitoring server).

On running through the initial setup of the ASR1K, I noticed that it has a dedicated management interface and that a VRF instance is setup and this interface is placed in that VRF.  That is I assume what's noted in this document:

http://www.cisco.com/c/en/us/support/docs/routers/asr-1000-series-aggregation-services-routers/116093-configure-vrf-00.html

Looking at an older, non-ASR1K specific document, I note that VRFs aren't even discussed:

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

In a small deployment where we don't have a full-on management network, does it make any sense to do anything beyond the recommendations in the second link (ACL management protocols, ACL the control plane, and rate-limit things as appropriate)?

I feel like putting that management interface and a VRF on our current internal network doesn't give me a big win and it makes things all the more fragile/complicated when something goes awry and I need to reach the router.

Any opinions on that?

Lastly, is the Best Practices guide I linked to above current enough?  It was published in 2011, not sure if later versions of IOS introduce any new features that would obsolete that document.