Sorry for the naive question; a quick reading of the cisco docs doesn't answer this question...

So I've got a router (say for the sake of argument a 4500 running IOS 15.x)

It has interfaces in 3 different subnets -- 10.0.0.1/24, 10.0.1.1/24, and 10.0.2.1/24 It also has a loopback address of 172.16.0.33

How do I make it so that SSH / SNMP and other administrative traffic works on the 172 address but doesn't work on the IP addresses I wish to only use for L3 forwarding?

Ideally this can be done by disabling the control plane access to these interfaces not just by using an ACL, but whatever, I don't actually care that much as long as it works...

Thanks!