7.3. Configure and apply ACLs to limit telnet and SSH access to the router using (including: SDM/CLI)
You'll probably have a difficult time trying to stop users from telnetting to a large router because any active interface on a router is fair game for VTY access. You could try to create an extended IP access list that limits Telnet access to every IP address on the router. But if you did that, you'd have to apply it inbound on every interface, and that really wouldn't scale well to a large router with dozens, even hundreds, of interfaces, would it? Here's a much better solution: Use a standard IP access list to control access to the VTY lines themselves.
Why does this work? Because when you apply an access list to the VTY lines, you don't need ...
Get CCNA®: Cisco® Certified Network Associate: Fast Pass, Third Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
