You can create an ACL (access-group) and apply it to your interface
-Create a netdestination to the network you want to allow to reach the controller and also a netdestination for the controller IP
netdestination ACCESS
network 10.10.0.0 255.255.0.0
netdestination CONTROLLER-IPS
network 172.16.0.0 255.255.0.0
ip access-list session CONTROLLER-PROTECTION-ACL
alias ACCESS alias CONTROLLER-IPS svc-ssh permit
alias ACCESS alias CONTROLLER-IPS svc-https permit
alias ACCESS alias CONTROLLER-IPS svc-icmp permit
alias CONTROLLER-IPS alias ACCESS any permit
any alias CONTROLLER-IPS-DEST-B svc-ssh deny
any alias CONTROLLER-IPS-DEST-B svc-https deny
any alias CONTROLLER-IPS-DEST-B svc-icmp deny
any any any permit
Apply it to the interface
interface gig 0/0/2
ip access-group "CONTROLLER-PROTECTION-ACL" session