06-19-2013 11:11 PM - edited 03-07-2019 01:59 PM
Hi guys, I want only the access-group below to be able to telnet to the router. Is this command enough to restrict other IPs apart from those defined below? Or should I put "ip access-group 99 in" at the serial interface? Thanks.
access-list 99 permit 10.49.135.135
access-list 99 permit 172.20.251.49
access-list 99 permit 172.20.251.53
access-list 99 permit 10.63.205.69
access-list 99 permit 222.127.8.240 0.0.0.15
access-list 99 permit 10.49.172.240 0.0.0.15
access-list 99 permit 10.198.164.36 0.0.0.3
access-list 99 permit 10.198.164.164 0.0.0.3
line vty 0 4
access-class 99 in
exec-timeout 5 0
privilege level 15
password 7 011215015819031B75414B
logging synchronous
transport input telnet ssh
line vty 5 15
access-class 99 in
exec-timeout 5 0
privilege level 15
password 7 011215015819031B75414B
logging synchronous
transport input telnet ssh
06-19-2013 11:22 PM
Hello, this configuration is correct and will work fine for allowing telnet/ssh access to the permitted IPs in the access list. Anything else will be denied.
Hope this helps
Sent from Cisco Technical Support iPhone App
06-20-2013 02:55 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
As Bilal has noted, your ACL, as applied to the VTY, will limit source IPs that are granted permission for VTY access.
However, depending on your router's exposure, you might still want to consider an ACL on your serial or other interfaces to protect what packets can even be directed to the router itself. When using an internal service-based ACL, you might also want a similar ACL to restrict what IPs are allowed to reach a service such as SNMP on your device.
A VTY or SNMP ACL only considers packets directed to that particular service.
An interface ACL examines all packets hitting the interface and can selectively block them before any internal or downstream device needs to process them further.
Both approaches can protect your device. Which is "better" depends on what you believe your exposure is and how "efficiently" it might preclude that access.
Sometimes you might use both. For example, an interface ACL might block all Telnet packets from the "outside" interface, while the VTY ACL controls what "inside" IPs are granted access to the VTY service. Or you might want to block Telnet from the "outside" yet allow SSH from the "outside".
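As an added illustration (not code from either poster, and not an IOS feature), the following Python evaluates the standard ACL from the question the way the router does for a VTY connection: first matching entry wins, wildcard bits set to 1 are "don't care", and a source that matches nothing falls through to the implicit deny. The ACL text is the one quoted in the question; the test addresses are constructed.

```python
import ipaddress

# The standard ACL from the question, copied as the router would store it.
ACL_99 = """
access-list 99 permit 10.49.135.135
access-list 99 permit 172.20.251.49
access-list 99 permit 172.20.251.53
access-list 99 permit 10.63.205.69
access-list 99 permit 222.127.8.240 0.0.0.15
access-list 99 permit 10.49.172.240 0.0.0.15
access-list 99 permit 10.198.164.36 0.0.0.3
access-list 99 permit 10.198.164.164 0.0.0.3
"""


def parse_standard_acl(text):
    """Parse IOS standard ACL lines into (action, address_int, wildcard_int) tuples.

    A bare address with no wildcard means a single host (wildcard 0.0.0.0);
    'host X' and 'any' are accepted as well.
    """
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # ignore comments/blank lines in the sample
        action = parts[2]
        if parts[3] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            addr, wild = parts[4], "0.0.0.0"
        else:
            addr = parts[3]
            wild = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((action, int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild))))
    return entries


def acl_permits(entries, source_ip):
    """First-match evaluation; IOS appends an implicit 'deny any', so no match is a deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard bit 1 = don't care, so compare only the 0 bits
        if (src & care) == (addr & care):
            return action == "permit"
    return False


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_99)
    for ip in ("10.49.135.135", "222.127.8.250", "10.198.164.40", "192.168.1.1"):
        print(ip, "permit" if acl_permits(acl, ip) else "deny (implicit)")
```

Note that 10.198.164.40 is denied even though it sits next to a permitted block, because the wildcard 0.0.0.3 covers only 10.198.164.36 to .39; off-by-one wildcard masks are a common way to lock out a management host or let in an unintended one.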