Another way of doing this is to build a firewall filter and applying the lo0.0
In this way it is most like an access-class on a IOS device
Ensure that after accepting ssh traffic from the permitted prefixes and denying ssh from all other addresses, ensure that the default term is accept as you will block other traffic such as routing protocols
Here is an example
[edit policy options]
prefix-list mgmtaddress {
192.168.50.0/24;
10.1.5.87/32;
}
[edit firewall]
filter mgmt-filter {
term accept-ssh {
from {
source-prefix-list {
mgmtaddress;
}
protocol tcp;
destination-port ssh;
}
then accept;
}
term deny-ssh {
from {
protocol tcp;
destination-port ssh;
}
then {
discard;
}
}
term default-accept {
then accept;
}
}
[edit interfaces]
lo0 {
unit 0 {
family inet {
filter {
input mgmt-filter;
}
}
}
}
I don't think you even need to IP the Loopback interface
And once again note the default accept all. You can carry on and lock it down with additional terms, perhaps accepting OSPF/BGP traffic from only certain IP addresses to prevent DDoS etc