Active interfaces on a network router can be accesses by users on the network if not properly secured. Users or Hackers might try telnetting the network router through the VTY access.
To stop this from happening, the best practice is for you to use a standard IP access list to limit telnet access to every network or IP address on the router. Applying standard IP access list to the VTY lines eliminates the option of using telnet protocols and destination address since it does not matter which interface address a user or hacker is using as a target for the telnetting session.
Using standard IP access list to restrict VTY access enables you to define which IP addresses are allowed telnet access to the router EXEC process. You can control which workstation or network access your router with an ACL and an access-class statement to your VTY lines
You can also use extended access lists; don’t get me wrong, but that means you have to apply it inbound on every interface, imagine doing this on a large network with dozens if not hundreds of interfaces!
We use the network topology below as example:
Below, we are going to create a standard IP access list that permits only a host 192.168.30.2 (or hosts) to be able to telnet to the router R1, the command and configuration look like this:
R1(config)#access-list 10 permit 192.168.30.10
R1(config)#lines vty 0 4
R1(config-line)#access-lass 10 in
The above configuration simply means that only the IP address 192.168.30.10 or host is allowed to Telnet or access to the R1 router.