Restricting Inbound Telnet Access
Problem
You want to restrict Telnet access to the router to allow only particular workstations.
Solution
You can restrict which IP addresses can access the router as follows:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router1(config)#access-list 99 deny any log
Router1(config)#line vty 0 4
Router1(config-line)#access-class 99 in
Router1(config-line)#exit
Router1(config)#end
Router1#
This example uses a standard access list. You can also use an extended access list in an access-class statement, but because the TCP port number and the source and destination IP addresses of a VTY session are already known, extended access lists add little extra functionality here.
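To make the matching behaviour of access-list 99 concrete, here is an added Python illustration (not Cisco IOS code, and not part of the original recipe) that parses standard-ACL entries and evaluates candidate VTY source addresses the way IOS does: entries in order, first match wins, and an implicit deny for anything that matches no entry. The wildcard-mask rule (a 1 bit means "don't care") and the constructed sample addresses are the only assumptions.

```python
import ipaddress
import re

# The two entries from the recipe, in the order IOS evaluates them.
ACL_99 = [
    "access-list 99 permit 172.25.1.0 0.0.0.255",
    "access-list 99 deny any log",
]

_ADDR = r"\d+(?:\.\d+){3}"
ENTRY_RE = re.compile(
    r"access-list\s+\d+\s+(permit|deny)\s+"
    r"(any|host\s+" + _ADDR + r"|" + _ADDR + r"(?:\s+" + _ADDR + r")?)"
    r"(\s+log)?\s*$"
)

def parse_entry(line):
    """Return (action, network_int, wildcard_int, log) for one standard ACL entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised ACL entry: " + line)
    action, target, log = m.group(1), m.group(2), bool(m.group(3))
    if target == "any":
        net, wild = 0, 0xFFFFFFFF            # every bit is a wildcard bit
    elif target.startswith("host"):
        net, wild = int(ipaddress.IPv4Address(target.split()[1])), 0
    else:
        parts = target.split()
        net = int(ipaddress.IPv4Address(parts[0]))
        # A bare address with no wildcard means a single host (wildcard 0.0.0.0).
        wild = int(ipaddress.IPv4Address(parts[1])) if len(parts) == 2 else 0
    return action, net, wild, log

def evaluate(acl_lines, source_ip):
    """Return (action, matched_entry_or_None, logged) for one source address.
    A 1 bit in the wildcard mask means 'don't care', so the address matches
    when it agrees with the network on every bit where the mask is 0."""
    src = int(ipaddress.IPv4Address(source_ip))
    for line in acl_lines:
        action, net, wild, log = parse_entry(line)
        care = ~wild & 0xFFFFFFFF
        if (src & care) == (net & care):
            return action, line, log
    return "deny", None, False                # implicit deny at end of list

if __name__ == "__main__":
    # Constructed sample sources: one inside 172.25.1.0/24, two outside it.
    for ip in ("172.25.1.37", "172.25.2.1", "10.0.0.5"):
        print(ip, evaluate(ACL_99, ip))
```

Note that the second entry is what produces log messages for rejected connection attempts; without it, the implicit deny still blocks the session but logs nothing.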
Discussion
Telnet is an inherently insecure protocol because it sends passwords over the network in clear text. We highly recommend using access-class statements to help ensure that only authorized users can access router VTYs. These access-class statements do not secure the Telnet protocol itself, but they do prevent unauthorized users from ever receiving a router login prompt. So even if someone manages to sniff your router passwords, they are virtually useless unless the session also originates from a permitted address.
For increased security, limit the permitted hosts to a few network management servers. This will force legitimate users to follow a two-stage authentication process to access your routers. They will need to authenticate their session on ...