This is not the preferred way to do this for the exact reasons you describe. The better way to do this is via MPP (management plane protection). This allows us to program the hardware via LPTS to drop unwanted requests in hardware instead of having to have software deal with it.
The line template default needs to be associated with your VTY pool or SSH pool, like this:
vty-pool default 0 4 line-template default
And of course the telnet daemon needs to run:
telnet vrf default ipv4 server max-servers 4
The reason why this is not preferred is because all the traffic received for us-telnet is processed by the hardware on the LC and sent to the RP. Then it goes through the whole forwarding chain until telnet verifies it against the ACL and says ok, deny.
Using MPP, which is hardware based, we can drop packets immediately in the hardware so they are not forwarded further, which saves system resources and provides better protection.
Google asr9000 local packet transport services to find a good write up on LPTS and more details about the management plane protection MPP.
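The two approaches described above, side by side, as an added example that is not part of the original post. The prefix 192.0.2.0/24, the ACL name MGMT-HOSTS and the interface selection are constructed placeholders; substitute your own management stations.

```text
! Approach A (software path): the ACL is bound to the VTY line template, so every
! packet still traverses LC -> RP -> telnet/SSH process before it is denied.
ipv4 access-list MGMT-HOSTS
 10 permit ipv4 192.0.2.0/24 any
 20 deny ipv4 any any
!
line template default
 access-class ingress MGMT-HOSTS
!
vty-pool default 0 4 line-template default
!
! Approach B (hardware path): MPP programs the permitted peers into LPTS, so
! non-matching management packets are dropped on the linecard and never reach the RP.
control-plane
 management-plane
  inband
   interface all
    allow SSH peer
     address ipv4 192.0.2.0/24
    !
    allow Telnet peer
     address ipv4 192.0.2.0/24
    !
   !
  !
 !
!
```

Caveat: once inband MPP is configured, inband interfaces and protocols not explicitly allowed stop accepting management sessions, so verify reachability from an allowed peer before disconnecting. With this in place the VTY ACL becomes a second, software-level layer rather than the only filter.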