I have an ASR that I'm using to connecting our ExpressRoutes and 10G links back to our headquarters. I'd like to add our DIA as well but I'm having a hard time finding out how to setup security on this device.  (ie, block SSH, SNMP, HTTPS from the DIA interface, etc)  Some reading indicates that I should be able to use ZONES on it but the commands are unrecognized on my unit.  Do I need an upgrade to be able to use ZONES?  Is there a different way I should be implementing security on this device?  

EQX-DA2-ASR#show rom-monitor r0

System Bootstrap, Version 15.4(2r)S, RELEASE SOFTWARE (fc1)

Copyright (c) 1994-2014  by cisco Systems, Inc.

EQX-DA2-ASR#show platform 

Chassis type: ASR1001-X           

Slot      Type                State                 Insert time (ago) 

--------- ------------------- --------------------- ----------------- 

0         ASR1001-X           ok                    1d04h         

 0/0      BUILT-IN-2T+6X1GE   ok                    1d04h         

R0        ASR1001-X           ok, active            1d04h         

F0        ASR1001-X           ok, active            1d04h         

P0        ASR1001-X-PWR-AC    ok                    1d04h         

P1        ASR1001-X-PWR-AC    ok                    1d04h         

P2        ASR1001-X-FANTRAY   ok                    1d04h         

Slot      CPLD Version        Firmware Version                        

--------- ------------------- --------------------------------------- 

0         14041015            15.4(2r)S                           

R0        14041015            15.4(2r)S                           

F0        14041015            15.4(2r)S