10.3 Restricting Virtual Terminal Access
10.3.1 How to control vty access
Standard and extended access lists applied to interfaces filter packets passing through the router. They are not designed to block traffic that originates on the router itself: an outbound extended access list that denies Telnet does not, by default, prevent Telnet sessions initiated from the router.

Just as there are physical ports or interfaces, such as E0 and E1 on the router, there are also virtual ports. These virtual ports are called vty lines. There are five such vty lines, numbered vty 0 through 4, as shown in the main figure. For security purposes, users can be denied virtual terminal (vty) access to the router, or users can be permitted vty access to the router but denied access to destinations from that router. 

Restricting vty access is less a traffic-control mechanism than a technique for increasing network security. Because vty access is made over the Telnet protocol, a nonphysical connection to the router, there is only one type of vty access list. You should generally set identical restrictions on all vty lines, because you cannot control which vty line a user will connect to.

Note: Some experts recommend configuring the last vty line (line vty 4) differently from the others, so that you have a "back door" into the router. This works because an incoming connection uses the lowest-numbered vty line that is free at that moment.
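The following is an added example configuration, not part of the original curriculum text, that applies these ideas on Cisco IOS: one list restricting who may reach vty 0 through 3, a tighter list for the separately configured vty 4, and a third list limiting the destinations that users may Telnet to from the router. The network addresses, host addresses and list numbers are assumed values chosen for illustration.

```cisco
! Added example (assumed addresses and list numbers, not from the original text)
! List 10: management subnet allowed to reach vty 0-3
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny   any log
! List 11: single administrator host permitted on the "back door" line
access-list 11 permit host 192.168.10.5
access-list 11 deny   any log
! List 12: the only destination a user may Telnet to from this router
access-list 12 permit host 10.1.1.1
access-list 12 deny   any
!
! vty 0-3: inbound sessions only from the management subnet,
! outbound Telnet from these lines only to the host in list 12
line vty 0 3
 access-class 10 in
 access-class 12 out
 password <set-a-line-password>
 login
!
! vty 4: configured differently so one administrator host can still get in
! when the other four lines are busy or misconfigured
line vty 4
 access-class 11 in
 access-class 12 out
 password <set-a-line-password>
 login
```

With access-class, a standard list is compared against the source address of the incoming connection for the in direction and against the Telnet destination address for the out direction.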