Cisco allows the use of extended and named access lists for filtering access to VTY lines. However, specifying destination addresses is still unsupported (i.e., you cannot limit VTY access to specific management IP addresses). The destination portion of the ACL needs to be set to ‘any’.
Example named ACL for limiting VTY access from specific subnets over SSH. This also allows us to log rejected connection attempts:
    ip access-list extended vty.access
     permit tcp 10.10.250.0 0.0.0.255 any eq ssh
     deny tcp any any log
    line vty 0 4
     access-class vty.access in
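To check a saved configuration against the two points above (destination set to 'any', and a logged deny for rejected attempts), here is an added audit example in Python; it is not part of the original note. The function names, the `vty.bad` ACL, and the sample configuration are assumptions constructed for illustration.

```python
import re
# Constructed sample: vty.access is the page's ACL; vty.bad is a hypothetical bad one.
SAMPLE_CONFIG = """\
ip access-list extended vty.access
 permit tcp 10.10.250.0 0.0.0.255 any eq ssh
 deny tcp any any log
ip access-list extended vty.bad
 permit tcp 10.10.250.0 0.0.0.255 host 10.10.1.1 eq ssh
line vty 0 4
 access-class vty.access in
line vty 5 15
 access-class vty.bad in
"""
PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}  # tokens each consumes

def parse_blocks(config):
    """Map each top-level config line to the indented lines beneath it."""
    blocks, current = {}, None
    for raw in filter(str.strip, config.splitlines()):
        if not raw[0].isspace():
            current = blocks.setdefault(raw.strip(), [])
        elif current is not None:
            current.append(raw.strip())
    return blocks

def destination(entry):
    """Destination tokens of a permit/deny entry, or None for other lines."""
    t = re.sub(r"^\d+ ", "", entry).split()       # drop optional sequence number
    if len(t) < 4 or t[0] not in ("permit", "deny"):
        return None                               # remark or similar
    rest = t[3:] if t[2] == "any" else t[4:]      # skip action, protocol, source
    if rest and rest[0] in PORT_OPS:              # skip optional source-port match
        rest = rest[PORT_OPS[rest[0]]:]
    return rest[:1] if rest[:1] == ["any"] else rest[:2]

def audit_vty(config):
    """Return (vty line, problem) pairs where a VTY ACL breaks the rules above."""
    blocks, findings = parse_blocks(config), []
    acls = {h.split()[3]: b for h, b in blocks.items()
            if h.startswith("ip access-list extended ")}
    for line in (h for h in blocks if h.startswith("line vty ")):
        m = re.search(r"^access-class (\S+) in\b", "\n".join(blocks[line]), re.M)
        name = m[1] if m else None
        if name not in acls:
            findings.append((line, "no inbound named extended ACL"))
            continue
        findings += [(line, f"{name}: destination '{' '.join(d)}' is not 'any'")
                     for d in map(destination, acls[name]) if d and d != ["any"]]
        if not any(re.match(r"(\d+ )?deny\b.*\blog\b", e) for e in acls[name]):
            findings.append((line, f"{name}: no 'deny ... log' entry"))
    return findings
```

Calling `audit_vty()` on the text of a saved running configuration returns an empty list when every VTY line references a named extended ACL that follows the pattern above.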