Difficulty: Medium
Correct Answer: access-class 50 in
Explanation:
Introduction / Context:
Virtual terminal lines, or VTY lines, on Cisco routers and switches are used for remote management connections such as Telnet and SSH. To harden access to these lines, administrators often apply access lists that restrict which source IP addresses are allowed to open remote sessions. This is done with a different command than the one used on physical interfaces, and recognising that difference is important for both exams and real configurations.
Given Data / Assumptions:
Concept / Approach:
On VTY lines, the command access-class is used, not ip access-group. The syntax is access-class list-number in or access-class list-number out. In this context, in refers to connections coming into the VTY lines from remote hosts. Using access-class 50 in under line vty 0 4 applies ACL 50 so that only matching sources are permitted or denied according to the ACL entries.
Step-by-Step Solution:
Remember that physical interfaces use ip access-group, but VTY lines use access-class.
You must first enter line configuration mode with a command such as line vty 0 4.
Within that mode, the correct command pattern is access-class 50 in, where 50 is the number of the ACL you created earlier.
This command tells the router to apply the ACL to all incoming management connections attempting to use those VTY lines.
Comparing with the options, option a matches exactly the required syntax, so it is the correct answer.
Verification / Alternative check:
After configuring line vty 0 4 and applying access-class 50 in, you can view the running configuration to see the binding. You can also test by attempting to connect from an allowed address and a denied address according to ACL 50. The allowed host should be able to Telnet or SSH, while the denied host should receive a refusal or time out. This functional test confirms that access-class is doing its job.
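The steps and verification above, pulled together as an added example (not part of the original question); the management subnet 192.0.2.0/24, the username and the timeout values are placeholders chosen for illustration:

```cisco
! Added example, not from the original question: build ACL 50 and bind it to the
! VTY lines with access-class, as the steps above describe.
! 192.0.2.0/24 is a placeholder management subnet; adjust to your environment.
!
! Standard ACL 50: only the management subnet may open remote sessions.
! The explicit "deny any log" makes refused attempts visible in syslog; without it,
! the implicit deny at the end of the ACL drops them silently.
access-list 50 remark Management hosts permitted to reach the VTY lines
access-list 50 permit 192.0.2.0 0.0.0.255
access-list 50 deny   any log
!
! Bind the ACL to the lines. Note access-class, not ip access-group: this filters
! who may connect to the router itself, not traffic routed through it.
line vty 0 4
 access-class 50 in
 transport input ssh
 login local
 exec-timeout 10 0
!
! "login local" assumes a local account exists, for example (placeholder credentials):
!   username admin privilege 15 secret <choose-a-strong-secret>
!
! Verification, from privileged EXEC rather than configuration mode:
!   show running-config | section line vty   -> "access-class 50 in" appears under the lines
!   show access-lists 50                     -> hit counts increase as hosts connect or are refused
```

A connection attempt from outside 192.0.2.0/24 is refused at the line and, because of the log keyword, produces a syslog entry that a monitoring system can alert on.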
Why Other Options Are Wrong:
Option b, ip access-group 50 in, is correct for applying ACLs to data plane traffic on physical or logical interfaces, but it is not a valid command under line vty configuration and will not be accepted there.
Option c, line vty 0 4 access-class 50, merges two different configuration mode commands into one line and is not valid IOS syntax.
Option d, access-list 50 vty in, uses the wrong keyword order and does not exist as a valid command.
Option e, transport input access-list 50, confuses protocol selection (transport input ssh telnet) with ACL application; there is no transport input access-list subcommand.
Common Pitfalls:
It is common to mistakenly use ip access-group on VTY lines because it is so familiar from interface configuration. Another mistake is to forget that access-class operates in the context of management connections only; it does not filter normal routed traffic. Distinguishing these two use cases will help you design secure and correct router configurations.
Final Answer:
To apply an ACL on VTY lines, you use access-class 50 in under the line vty configuration.