Reserving a VTY Port for Administrative Access
Problem
You want to prevent all of your VTY lines from being used up, effectively locking you out of the router.
Solution
You can ensure that at least one VTY port is available to you for access at all times with the following commands:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 9 permit 172.25.1.1
Router1(config)#line vty 4
Router1(config-line)#access-class 9 in
Router1(config-line)#exit
Router1(config)#end
Router1#
You can also reserve a particular inbound telnet port for administrator access by assigning VTY(s) into a rotary group by using the rotary command:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 9 permit 172.25.1.1
Router1(config)#line vty 5 7
Router1(config-line)#rotary 25
Router1(config-line)#access-class 9 in
Router1(config-line)#exit
Router1(config)#end
Router1#
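To confirm from a saved configuration that a VTY really is reserved, the following added example (not from the book) parses the line vty blocks and reports the ranges whose inbound access-class points at a restrictive standard ACL. The sample configuration, the function names, and the assumption that sub-commands are indented by one space, as in show running-config output, are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from the original page), modelled on
# the recipe: VTY 4 is reserved for the management host through access-list 9.
SAMPLE_CONFIG = """\
access-list 9 permit 172.25.1.1
access-list 10 permit any
!
line vty 0 3
 login
line vty 4
 access-class 9 in
 login
line vty 5 7
 access-class 10 in
 rotary 25
"""

def parse_vty_blocks(config):
    """Return [(first, last, {'access_class': ..., 'rotary': ...})] per VTY block."""
    blocks, current = [], None
    for line in config.splitlines():
        m = re.match(r"line vty (\d+)(?: (\d+))?\s*$", line)
        if m:
            first = int(m.group(1))
            current = {"access_class": None, "rotary": None}
            blocks.append((first, int(m.group(2) or first), current))
        elif current is not None and line.startswith(" "):
            if m := re.match(r"\s+access-class (\S+) in\b", line):
                current["access_class"] = m.group(1)
            elif m := re.match(r"\s+rotary (\d+)", line):
                current["rotary"] = m.group(1)
        else:
            current = None  # left the line-configuration block
    return blocks

def acl_is_restrictive(config, acl):
    """True if the standard ACL exists and has no literal 'permit any' entry.
    Simplification: an all-ones wildcard mask is not recognised as 'any'."""
    entries = re.findall(rf"^access-list {re.escape(acl)} (permit|deny) (\S+)", config, re.M)
    return bool(entries) and ("permit", "any") not in entries

def reserved_vtys(config):
    """VTY ranges whose inbound access-class points at a restrictive ACL."""
    return [(first, last) for first, last, opts in parse_vty_blocks(config)
            if opts["access_class"] and acl_is_restrictive(config, opts["access_class"])]

if __name__ == "__main__":
    print("reserved VTY ranges:", reserved_vtys(SAMPLE_CONFIG) or "NONE - lockout risk")
```

An empty result means no VTY is protected by a restrictive ACL, so every line can be tied up by any host that can reach the router.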
Discussion
Receiving the dreaded “Connection Refused” message from one of your routers can be quite distressing, particularly if you’re trying to troubleshoot a serious problem. Generally, it means that other sessions have control of all of your router’s limited number of VTY lines. However, it can also mean that someone has launched a Denial of Service (DoS) attack. DoS attacks against router VTYs are simple to launch. Just sitting at a login prompt is enough to tie up a VTY line. This means that you don’t need a username or ...