
[...]
2) An OpenBSD bastion host(s), where the NOC would ssh in, get authenticated by TACACS+ or ssh certs, and then just telnet from there all day,
[...] (and s/telnet/ssh as has been suggested already)
3) Or just an IOS-based bastion router that also runs ssh,
[...] When crafting the ACL that restricts what source IP{,v6} addresses may ssh to the router, you may want to include each router's neighbors by both their loopback and any interface addresses that might source a packet (if your security policy permits it). Having all your loopbacks and internal interfaces in a small number of prefixes dedicated to the task can help you craft a more-maintainable ACL. The motivation for doing this is that if dynamic routing melts down, you may find that using PMR to ssh from router to router is helpful.

If you find yourself in a situation where you're using PMR, you may also need to turn off "ip ssh source-interface Loopback0" if you have it turned on - if dynamic routing has melted to the point where routers don't know each other's loopbacks, sourcing an ssh packet from a loopback won't get you far.

If you use TACACS for AAA, plan in advance to have at least one login on the router with local credentials so that you can get in when TACACS is broken.

Stephen
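The IOS pieces described in the post above (a source ACL that admits the bastions plus neighbor loopback and link prefixes, TACACS+ with a local break-glass account, and the outbound ssh source-interface setting), pulled together into one config fragment as an added example. This is not from the original post or any vendor document; every address, ACL name, server name, username and secret is a constructed placeholder, and it assumes the router already has a hostname, domain name and RSA key so that SSH can run.

```cisco
! Added example, not part of the original post. Addresses, names and
! secrets are constructed placeholders; adjust to your own numbering plan.
! Assumes hostname, ip domain-name and "crypto key generate rsa" are done.
!
! Numbering plan assumed here: loopbacks live in 10.255.0.0/24,
! router-to-router link addresses in 10.255.16.0/20, and both in
! 2001:db8:ff::/48 for v6. Dedicated prefixes are what keep the ACL short.
!
! --- Who may open an SSH session to this router ---
ip access-list standard MGMT-SSH-IN
 remark NOC bastion hosts
 permit 192.0.2.10
 permit 192.0.2.11
 remark neighbor loopbacks: router-to-router ssh while the IGP is healthy
 permit 10.255.0.0 0.0.0.255
 remark neighbor link addresses: still reachable when a neighbor has to
 remark source from an interface instead of its loopback (hop-by-hop ssh)
 permit 10.255.16.0 0.0.15.255
 deny   any log
!
ipv6 access-list MGMT-SSH-IN-V6
 remark same idea for v6: bastion, then the loopback/link prefix
 permit ipv6 host 2001:db8:1::10 any
 permit ipv6 2001:db8:ff::/48 any
 deny ipv6 any any log
!
! --- AAA: TACACS+ first, local only if no server answers ---
aaa new-model
tacacs server NOC-TAC1
 address ipv4 192.0.2.20
 key <shared-secret-placeholder>
aaa group server tacacs+ NOC-TACACS
 server name NOC-TAC1
aaa authentication login default group NOC-TACACS local
aaa authentication login CONSOLE local
! Break-glass local account. The "local" method in the default list is
! consulted only when every TACACS+ server is unreachable; an explicit
! reject from a reachable server is final, so this is a reachability
! fallback, not a second password that always works.
username breakglass privilege 15 secret <set-a-strong-secret>
!
! --- Apply the ACLs to the VTY lines; SSH only ---
ip ssh version 2
line vty 0 4
 access-class MGMT-SSH-IN in
 ipv6 access-class MGMT-SSH-IN-V6 in
 transport input ssh
 login authentication default
line con 0
 login authentication CONSOLE
!
! --- Outbound ssh client, normally sourced from Loopback0 ---
ip ssh source-interface Loopback0
!
! When the IGP has melted and neighbors no longer have a route to your
! loopback, drop the source-interface so the client sources from the
! interface facing the next hop, then ssh neighbor by neighbor:
!   no ip ssh source-interface
!   ssh -l breakglass 10.255.16.2
```

Two things to check before copying this pattern: the link-address permits admit any host that can spoof or hold an address in 10.255.16.0/20, which is the trade-off the post flags with "if your security policy permits it", so keep that range off any user-facing segment; and test the local fallback by actually blackholing the TACACS+ servers in a lab, because a server that is up but rejecting the user will not fall through to the `breakglass` account.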