Proper authentication model


2) An OpenBSD bastion host(s), where the NOC would ssh in, get
authenticated from TACACS+ or ssh certs, and then just telnet from
there all day,

[...] (and s/telnet/ssh as has been suggested already)

3) Or just an IOS based bastion router that also runs ssh,


When crafting the ACL that restricts what source IP{,v6} addresses may
ssh to the router, you may want to include each router's neighbors by
both their loopback and any interface addresses that might source a
packet (if your security policy permits it). Having all your loopbacks and
internal interfaces in a small number of prefixes dedicated to the
task can help you craft a more-maintainable ACL.

The motivation for doing this is that if dynamic routing melts down,
you may find that using PMR to ssh from router to router is
helpful. If you find yourself in a situation where you're using PMR,
you may also need to turn off "ip ssh source-interface Loopback0" if
you have it turned on - if dynamic routing has melted to the point
where routers don't know each others' loopbacks, sourcing an ssh
packet from a loopback won't get you far. If you use TACACS for AAA,
plan in advance to have at least one login on the router with local
credentials so that you can get in when TACACS is broken.