The check-cli-acl script restricts the CLI access to logins from an authorized subnet only. This can be easily extended to multiple subnets to use 0.0.0.0/32 to deny any access. It uses jcs:parse-ip extension function.
Read the document: check-cli-acl