There are usually 5 VTY lines on Cisco routers (VTY 0 to 4). An attacker can perform a Denial of Service attack by opening several simultaneous Telnet or SSH connections to the router, thus occupying all available lines and prohibiting the legitimate administrators for managing the device.
To protect from this kind of attack, we can configure and apply an ACL on lines 0 to 3 allowing the general Network Management address range, and then configure a more restrictive ACL for the last VTY line 4, which allows only a specific management station to connect.
! Allow access from the general Network Management range (assume management network is 10.10.10.0/24)
Router(config)# access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq ssh
! Allow access from a single management station
Router(config)# access-list 101 permit tcp host 10.10.10.10 any eq ssh
Router(config)# line vty 0 3
Router(config-line)# access-class 100 in
Router(config)# line vty 4
Router(config-line)# access-class 101 in