Controlling Telnet and SSH Access with ACLs

Telnet and SSH users connect to vty lines on a router, so to protect that access, an IP ACL can be applied to the vty lines.  You can use ACLs to limit the IP hosts that can telnet into the router, and you can also limit the hosts to which a user on the router can telnet.

The access-class command refers to the matching logic in the access-list identifier.  The keyword in refers to Telnet connections into this router.

If the command access class identifier out had been used, it would have checked for not only outgoing Telnets, but also the packets’ destination IP address (If an IP Address was listed.)  When filtering outbound Telnet and SSH connections, checking the source IP address, which by definition must be one of the interface IP addresses in that router, would not really make any sense.  For filtering outgoing Telnet sessions, it makes the most sense to filter based on the destination IP address.  So using the out keyword causes the standard IP ACL to ignore the source and only use the destination.