Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Disable Telnet or Apply ACL?

  • 1.  Disable Telnet or Apply ACL?

    Posted Jan 04, 2013 04:05 PM

    I only want to allow SSHv2 access to my controllers. What's a better practice: disabling telnet or applying an ACL to deny port 23 access?



  • 2.  RE: Disable Telnet or Apply ACL?

    Posted Jan 05, 2013 04:19 AM

    I think the result is the same; however, if you disable telnet in the CLI then it will be applied globally, while using ACLs you can specify which VLAN or port you want to control.



  • 3.  RE: Disable Telnet or Apply ACL?

    Posted Jan 05, 2013 06:15 AM

    If you're sure that disabling Telnet is not going to give you an operational challenge, it's definitely a good idea to disable it globally and always use SSHv2 instead.

     

    Regarding the ACLs, I tend not to worry about those from interfaces facing interior networks (so as to allow for management flexibility) unless a customer has a strict industry compliance conformity to adhere to. For interfaces facing public networks, I tend to apply a very strict ACL.

     

    Furthermore, I tend to actually have that public ACL redirect incoming SSHv2 sessions from a non-well-known port. For example, I set my SSHv2 client with a destination port of 650 on the controller IP, and then set a redirect rule in the controller ACL, redirecting port 650 traffic to 22. Before that rule, I deny port 22. The result is that you're less prone to some brute SSH and scripted attacks. Fewer alerts on your monitoring platforms too!



  • 4.  RE: Disable Telnet or Apply ACL?

    EMPLOYEE
    Posted Jan 05, 2013 07:14 AM

    By default, telnet is disabled....



  • 5.  RE: Disable Telnet or Apply ACL?

    Posted Jan 07, 2013 04:13 AM

    We have configured 5 VLANs on the controller. I want only one VLAN to have access through telnet, and the other VLANs must be restricted.

    Please advise how to configure an ACL for this scenario.

    Thank You



  • 6.  RE: Disable Telnet or Apply ACL?

    Posted Jan 10, 2013 10:02 AM

    Do you mean:

     

    A. You only want clients with an IP source address within that one specific VLAN to be able to telnet to the controller

     

    or

     

    B. You want telnet permitted to all IP routed traffic (regardless of source IP) coming in via the SVI associated with that specific VLAN on the controller?