Restricting Telnet (VTY) access using a standard ACL: Which sequence correctly permits only host 172.16.1.1 to use Telnet/SSH to the router by applying a standard ACL to the VTY lines (inbound)?

Difficulty: Easy

Correct Answer:
Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 10 in

Explanation:


Introduction / Context:
Remote administrative access to a router via Telnet or SSH terminates on the VTY lines, not on a physical interface, so an ACL on an interface is the wrong tool. To restrict who may open a management session, apply a standard ACL to the VTYs with the access-class command in the inbound direction. A standard ACL matches only the source address, which is exactly what matters here: the filter accepts or rejects a connection attempt by where it comes from, before any login prompt is shown. This is distinct from ip access-group, which applies ACLs to routed (transit) traffic on interfaces and is rejected under line configuration mode.



Given Data / Assumptions:

  • Only 172.16.1.1 should be allowed remote login.
  • We are configuring VTY lines 0 through 4.
  • Direction is inbound (connections coming into the VTY).


Concept / Approach:

Create a standard ACL that permits the allowed host. Every ACL ends with an implicit deny any, so that single permit statement already rejects every other source; an explicit deny is optional and mainly useful for hit counters. Then, under line vty 0 4, apply it with access-class 10 in. This filters management-plane sessions attempting to reach the VTYs and nothing else: transit data traffic through the router is untouched.



Step-by-Step Solution:

  • Step 1: Define the ACL: access-list 10 permit 172.16.1.1
  • Step 2: Enter the VTY lines: line vty 0 4
  • Step 3: Bind the ACL to the lines: access-class 10 in
  • Step 4: Add authentication and transport: login local, transport input ssh (login local needs a username configured, and SSH needs a hostname, domain name and RSA key before it will accept connections)

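A fuller version of the same control, as an added example rather than the configuration from the original question. It assumes the router is Lab_A, that a second administrator host 172.16.1.2 should also be allowed (an assumed address, used for illustration), that the platform has VTY lines 0 through 15 (confirm with show line), and that a local user and an RSA key for SSH are created first. The explicit deny any log is optional, since the implicit deny already blocks every other source, but it gives a hit counter and a log message for each rejected attempt.

```cisco
! Added example, not the question's own configuration.
! Assumptions: local user "admin" (choose your own secret), hostname and domain
! name set so an RSA key can be generated, and 172.16.1.2 as a second admin host.
hostname Lab_A
ip domain-name example.test
crypto key generate rsa modulus 2048
username admin privilege 15 secret <strong-secret>
!
! Standard ACL: matches on source address only. The implicit deny any at the end
! would reject every other source anyway; the explicit deny adds counters and logs.
access-list 10 remark Management access to the VTY lines
access-list 10 permit host 172.16.1.1
access-list 10 permit host 172.16.1.2
access-list 10 deny any log
!
! Apply to every VTY line the platform has, not just 0-4; an unfiltered
! vty 5 15 would still accept sessions from anywhere.
line vty 0 15
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 10 0
!
! Verification (exec mode): confirm the binding, then check the ACL counters
! after a test connection from a permitted and a non-permitted host.
show running-config | section line vty
show access-lists 10
show line vty 0 15
```

Apply the ACL from a session originating at one of the permitted hosts, or from the console, so that the change cannot lock you out; the access-class check happens before authentication, so a session from a non-permitted source is refused without ever reaching the login prompt.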

Verification / Alternative check:

Attempt an SSH (or Telnet, if still enabled) session from 172.16.1.1, which should succeed, and from another host, which should be refused before any login prompt appears. Use show running-config | section line vty to confirm the binding, and show access-lists 10 to see the match counters increment on the permit entry for the allowed host. Because the ACL is bound to the line rather than to a protocol, it applies equally to Telnet and SSH.



Why Other Options Are Wrong:

A configures the console line, not VTY.

B applies the ACL in the outbound direction on the VTY. access-class out limits where an already logged-in user may telnet to from the router; it does nothing to restrict incoming sessions.

D uses ip access-group on the VTYs, which is invalid; that command is accepted only under interface configuration and filters routed traffic, not management sessions.



Common Pitfalls:

Confusing access-class (VTY lines) with ip access-group (interfaces); forgetting that every ACL ends in an implicit deny any, so the single permit already blocks all other sources (an explicit deny any is optional, but adds hit counters and, with the log keyword, a record of rejected attempts); locking yourself out by applying the ACL from a host it does not permit; applying it only to vty 0 4 on a platform that also has vty 5 15, which leaves those lines open; and expecting a standard ACL to tell Telnet from SSH, which it cannot because it matches only the source address. Use transport input ssh to remove Telnet.



Final Answer:

Lab_A(config)#access-list 10 permit 172.16.1.1
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 10 in
