Controlling Telnet and SSH Access with ACLs
When an external user connects to a router or switch using Telnet or SSH, IOS uses a vty line to represent that user connection. IOS can filter those inbound connections with an ACL applied to the vty lines, which limits the source addresses from which IPv4 hosts can telnet or SSH into the router or switch.
For example, imagine that all the network engineering staff uses subnet 10.1.1.0/24, and only those devices are supposed to be able to telnet into any of the Cisco routers in a network. In such a case, the configuration shown in Example 23-9 could be used on each router to deny access from IP addresses not in that subnet.
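The following sketch illustrates the scenario just described. It is an added example, not the Example 23-9 the text refers to; the ACL number 3, the vty range 0 4, and the explicit logging deny entry are assumptions chosen for illustration.

```cisco
! Added example, constructed for illustration (ACL number and vty range are assumptions).
!
! Standard ACL: match on source address only.
! Permit the engineering subnet 10.1.1.0/24 (wildcard mask 0.0.0.255).
access-list 3 permit 10.1.1.0 0.0.0.255
! Every ACL already ends with an implicit deny any. The explicit entry below
! changes nothing about what is blocked; "log" records rejected attempts.
access-list 3 deny any log
!
! Apply the ACL inbound on the vty lines. Cover every vty line the device has:
! a line left outside the range accepts connections without the filter.
line vty 0 4
 access-class 3 in
!
! Verification from privileged EXEC mode:
!   show access-lists 3      (per-entry match counters)
!   show running-config | section line vty
```

Because `access-class` is applied to the vty lines rather than to an interface, it filters only Telnet and SSH sessions to the device itself, not traffic passing through it. On a device with more vty lines than assumed here, widen the range so that all of them carry the ACL.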