In the CCNA 200-301 exam, you must understand the security implications of remote device management. Telnet and SSH are both used to access network device CLIs, but they differ fundamentally in how they handle authentication and data transmission. This comparison is critical because real-world networks require secure management, and Cisco exams test your ability to choose the right protocol based on security requirements. Exam objective 4.7 covers this comparison explicitly.
Imagine you need to send instructions to a colleague in another city. You have two options: a postcard or a sealed letter. A postcard is quick and easy—you write the message, put on a stamp, and drop it in the mail. But anyone who handles the postcard—the mail carrier, a sorter, or a curious bystander—can read your message because it's written in plain view. That's Telnet: fast, simple, but completely unencrypted. Now consider a sealed letter. You write your message, fold it, place it in an envelope, and seal it with wax. The contents are hidden from everyone except the intended recipient, who breaks the seal. That's SSH: it encrypts the entire session, including passwords and commands, so even if someone intercepts the data, they can't read it. The sealed letter also includes a way to verify the sender's identity—like a signature or a wax stamp—which corresponds to SSH's use of public-key cryptography for server authentication. In networking, Telnet sends everything in clear text (like a postcard), while SSH encrypts everything (like a sealed letter). The analogy also extends to the 'handshake' process: with a postcard, you just write and send; with a sealed letter, you must first agree on the sealing method (encryption algorithm) and exchange a key (the envelope's design). This mirrors SSH's initial key exchange and encryption negotiation.
Telnet (Teletype Network) is a network protocol that provides a bidirectional, interactive text-oriented communication facility using a virtual terminal connection. It operates on TCP port 23. SSH (Secure Shell) is a cryptographic network protocol for operating network services securely over an unsecured network. It operates on TCP port 22. Both allow remote command-line access to network devices, but SSH provides strong encryption and authentication, while Telnet sends all data—including passwords—in plaintext.
Why SSH Exists
Telnet was developed in 1969 and was never designed for security. In the early days of the internet, networks were trusted, and encryption was not a concern. As networks grew and security threats emerged, the need for a secure remote access protocol became obvious. SSH was developed in 1995 by Tatu Ylönen as a replacement for Telnet and other insecure remote shell protocols. It provides confidentiality, integrity, and authentication using cryptographic techniques.
How They Work at the Packet Level
Telnet:
- The client initiates a TCP connection to the server on port 23.
- After the TCP three-way handshake, Telnet negotiates options (e.g., terminal type, window size) using the Telnet protocol (RFC 854).
- All subsequent data, including the login prompt, username, password, and commands, is sent in cleartext. Any packet capture (e.g., with Wireshark) can read everything.
- Telnet uses the Network Virtual Terminal (NVT) concept, where both ends map to a standard terminal.
SSH:
- The client initiates a TCP connection to the server on port 22.
- After the TCP handshake, the SSH protocol begins with a transport layer handshake:
  1. Version exchange: Both sides send their SSH version (e.g., SSH-2.0-OpenSSH_8.9).
  2. Key exchange: Using Diffie-Hellman (or similar), they generate a shared session key. This key is used to encrypt the rest of the session.
  3. Server authentication: The server sends its public key. The client verifies it (e.g., via a known_hosts file).
  4. Encryption negotiation: Both sides agree on a symmetric cipher (e.g., AES-256-CTR) and a MAC algorithm (e.g., HMAC-SHA2-256).
- Then user authentication occurs: typically password (encrypted) or public-key authentication.
- All subsequent data is encrypted and integrity-protected.
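The two session openings just described, as an added example that is not part of the original page or of any Cisco tool: a small Python classifier that reads the first bytes of a captured TCP payload and reports whether a sniffer on the path could read anything useful from it. The Telnet IAC negotiation format (RFC 854/855) and the SSH version line (RFC 4253) are real; the sample payloads are constructed, and the `1.99` check comes from RFC 4253 rather than from this page.

```python
"""Tell Telnet from SSH by the first bytes of a captured TCP payload.

Added example, not from the page or any Cisco tool: it applies the packet-level
behaviour described above. A Telnet session opens with option negotiation,
IAC (0xFF) followed by WILL/WONT/DO/DONT and an option byte (RFC 854/855),
after which everything is plain NVT text; an SSH session opens with the
version line "SSH-protoversion-softwareversion" (RFC 4253), and a server
that still accepts SSHv1 advertises protoversion 1.99.
"""
import re

IAC = 0xFF
TELNET_CMDS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
SSH_BANNER = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comment>[^\r\n]*))?\r?\n")

def parse_telnet_negotiation(payload):
    """Return [(command, option), ...] for the IAC sequences at the start of the stream."""
    options, i = [], 0
    while i + 2 < len(payload) and payload[i] == IAC and payload[i + 1] in TELNET_CMDS:
        options.append((TELNET_CMDS[payload[i + 1]], payload[i + 2]))
        i += 3
    return options

def classify(payload):
    """Classify one captured payload; the dict says what a sniffer could read."""
    m = SSH_BANNER.match(payload)
    if m:
        proto = m["proto"].decode()
        return {"protocol": "ssh", "version": proto,
                "software": m["software"].decode(),
                # RFC 4253 5.1: "1.99" means the server also speaks the old protocol
                "accepts_sshv1": proto.startswith("1."),
                "cleartext": ""}              # after the banner only the KEX is visible
    options = parse_telnet_negotiation(payload)
    if options:
        text = payload[3 * len(options):].decode("ascii", errors="replace")
        return {"protocol": "telnet", "options": options,
                "cleartext": text,            # prompts, usernames, passwords, commands
                "password_prompt_seen": "Password:" in text}
    return {"protocol": "unknown", "cleartext": ""}

# Constructed samples: a Cisco-style Telnet greeting and an OpenSSH banner
TELNET_SAMPLE = b"\xff\xfd\x18\xff\xfd\x20\r\nUser Access Verification\r\n\r\nPassword: "
SSH_SAMPLE = b"SSH-2.0-OpenSSH_8.9 Ubuntu\r\n"
```

Run `classify()` over the first segment of each flow to port 22 or 23 in a capture; a Telnet result with a password prompt is exactly the exposure the audit in Scenario 1 found.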
Key Timers and Defaults
- Telnet: No inherent timers; relies on TCP keepalives (default 2 hours on Cisco IOS).
- SSH:
  - SSH idle timeout: default 0 (no timeout) on Cisco IOS, but configurable with ip ssh time-out 120 (seconds).
  - SSH authentication retries: default 3, configurable with ip ssh authentication-retries 2.
  - SSH version: Cisco devices support SSHv1 and SSHv2. The default is SSHv1 if not specified; it is recommended to set ip ssh version 2.
  - SSH RSA key size: default 1024 bits, but 2048 or higher is recommended for security.
IOS CLI Verification Commands
Show Telnet connections (on a router):
```
Router# show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0     admin      idle                 00:01:23   192.168.1.100
```
Show SSH sessions:
```
Router# show ssh
Connection Version Mode Encryption  Hmac          State           Username
0          2.0     IN   aes256-ctr  hmac-sha2-256 Session started admin
0          2.0     OUT  aes256-ctr  hmac-sha2-256 Session started admin
%No SSHv1 server connections running.
```
Show IP SSH:
```
Router# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie-Hellman key size: 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
```
Interaction with Related Protocols
Telnet and SSH both use TCP as the transport. They are application layer protocols (Layer 7).
SSH relies on RSA or DSA for server key generation. The host key is generated with crypto key generate rsa.
Telnet has no authentication mechanism of its own; it relies on the device's login process (e.g., local username/password or AAA). SSH also uses AAA but encrypts the credentials.
On Cisco devices, VTY lines are used for both Telnet and SSH. You can restrict which protocols are allowed on VTY lines using the transport input command.
Configuration Example
Enable SSH on a Cisco router:
```
Router(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa modulus 2048
The name for the keys will be: R1.example.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
R1(config)# ip ssh version 2
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# exit
R1(config)# username admin secret cisco123
```
Enable Telnet (insecure, for comparison):
```
Router(config)# line vty 0 4
Router(config-line)# transport input telnet
Router(config-line)# password telnetpass
Router(config-line)# login
```
Note: transport input telnet ssh allows both, but for security, you should use only SSH.
Configure hostname and domain
SSH requires a hostname and domain name for RSA key generation. The hostname combined with the domain forms the fully qualified domain name (FQDN) used in key generation. Without these, the `crypto key generate rsa` command will fail. Example:
```
Router(config)# hostname R1
R1(config)# ip domain-name example.com
```
The FQDN becomes R1.example.com.
Generate RSA key pair
The RSA key pair is used for server authentication and key exchange. The modulus size determines the key strength; 2048 bits is the minimum recommended for security. On Cisco IOS, the command is:
```
R1(config)# crypto key generate rsa modulus 2048
```
You can also specify a key label, but the default uses the FQDN. The keys are stored in NVRAM. To view them: `show crypto key mypubkey rsa`.
Set SSH version and parameters
By default, Cisco IOS may support SSHv1 and SSHv2. For security, you should force version 2. You can also set the authentication timeout and retries:
```
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 120
R1(config)# ip ssh authentication-retries 3
```
The timeout is in seconds; default is 120. Retries default to 3. These settings help limit brute-force attempts.
Configure VTY lines for SSH
VTY (Virtual Teletype) lines are used for remote access. To allow only SSH, set `transport input ssh`. To also allow Telnet, you could use `transport input telnet ssh`, but for security, use only SSH. Also configure login authentication (local or AAA):
```
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# exit
```
`login local` means use the local username database. You must create usernames: `username admin secret cisco123`.
Verify SSH configuration
Use `show ip ssh` to see SSH settings. Use `show ssh` to see active sessions. Example:
```
R1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
R1# show ssh
Connection Version Mode Encryption  Hmac          State           Username
0          2.0     IN   aes256-ctr  hmac-sha2-256 Session started admin
```
If you see no sessions, try connecting from a client: `ssh -l admin 192.168.1.1`.
Test and troubleshoot SSH
Common issues: SSH not enabled, RSA keys missing, wrong VTY transport, or ACL blocking port 22. Use `debug ip ssh` to see detailed handshake messages. Also check that the client has the server's host key in known_hosts. On the router, use `show running-config | include ssh` to confirm SSH commands. If you get 'Connection refused', check that the VTY lines allow SSH and that the router has an RSA key pair.
Enterprise Deployment Scenarios
Scenario 1: Replacing Telnet with SSH in a Data Center
A large enterprise data center has hundreds of switches and routers. Historically, network engineers used Telnet for quick access. After a security audit revealed that an attacker could sniff management traffic, the company mandated SSH. The network team had to generate RSA keys on every device, configure VTY lines for SSH only, and update all scripts that used Telnet. They also had to implement SSH key-based authentication for automation tools. The migration took weeks, but significantly reduced the risk of credential theft.
Scenario 2: Hybrid Access for Legacy Devices
Some older devices (e.g., legacy routers running older IOS) may not support SSHv2. In such cases, engineers might temporarily allow both Telnet and SSH, but restrict Telnet to specific management IPs using ACLs. For example:
```
access-list 10 permit 10.0.0.0 0.255.255.255
line vty 0 4
 transport input telnet ssh
 access-class 10 in
```
This allows Telnet only from the management subnet. Eventually, the plan is to upgrade the devices or replace them.
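The SSH configuration steps above and the access-class fallback in Scenario 2, checked automatically, as an added example that is neither Cisco tooling nor the page's own code: a Python audit of a constructed running-config that flags a missing `ip ssh version 2`, VTY lines that still accept Telnet (and do so without an inbound `access-class`), and lines that rely on a line password instead of `login local`. It assumes that indented sub-commands belong to the preceding `line vty` block and treats everything else as a global command, which is enough for these checks.

```python
"""Audit a Cisco IOS running-config for the SSH hardening steps above.

Added example, not Cisco tooling: parses a constructed running-config and
reports gaps against this page's advice (force SSHv2, restrict VTY transport
to SSH, fence remaining Telnet with an inbound access-class, use 'login local').
"""

def parse_config(text):
    """Return (global commands, {'line vty a b': [sub-commands]})."""
    global_cmds, vty_lines, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue                                   # blanks and comments
        if raw.startswith(" ") and current:
            vty_lines[current].append(cmd)             # sub-command of a vty block
        elif cmd.startswith("line vty"):
            current, vty_lines[cmd] = cmd, []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, vty_lines

def audit(text):
    """Return a list of human-readable findings; an empty list means hardened."""
    global_cmds, vty_lines = parse_config(text)
    findings = []
    if "ip ssh version 2" not in global_cmds:
        findings.append("global: 'ip ssh version 2' missing, SSHv1 may still be negotiated")
    if not any(c.startswith("ip domain-name ") for c in global_cmds):
        findings.append("global: no 'ip domain-name', RSA host key cannot be generated")
    for name, cmds in vty_lines.items():
        transport = next((c for c in cmds if c.startswith("transport input ")), None)
        if transport is None:
            findings.append(f"{name}: no explicit 'transport input', add 'transport input ssh'")
        elif set(transport.split()[2:]) & {"telnet", "all"}:
            findings.append(f"{name}: Telnet allowed ('{transport}'), credentials cross the wire in cleartext")
            if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
                findings.append(f"{name}: Telnet allowed without an inbound access-class")
        if "login" in cmds:
            findings.append(f"{name}: line password only ('login'), use 'login local' or AAA")
    return findings

# Constructed sample: SSH-only on vty 0 4, but Telnet left open on vty 5 15
SAMPLE_CONFIG = """\
hostname R1
ip domain-name example.com
username admin secret cisco123
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 password telnetpass
 login
 transport input telnet ssh
"""
```

Feed it the output of `show running-config` from each device; a clean run returns no findings, while the sample above reports four.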
Scenario 3: SSH for Secure Automation
Network automation tools (Ansible, Python scripts) use SSH to push configurations. In such environments, SSH with public key authentication is used to avoid storing passwords in scripts. The automation server's public key is added to each device's authorized_keys file. This eliminates password-based authentication and allows non-interactive logins. Misconfiguration (e.g., leaving password authentication enabled) can lead to brute-force attacks. Best practice: disable password authentication for SSH and use only public-key.
Performance Considerations
SSH adds overhead due to encryption. On low-end routers, this can impact CPU usage, especially during key exchange. However, modern routers have hardware acceleration for encryption. In high-latency links, SSH may feel slightly slower than Telnet. But the security benefits far outweigh the performance cost.
What Happens When Misconfigured?
If RSA keys are not generated, SSH will not start. The router will refuse SSH connections.
If VTY lines are configured for Telnet only, SSH connections are rejected.
If ACLs block port 22, SSH fails silently from the client perspective.
If SSH version is set to 1, some clients may not connect (modern clients often disable SSHv1 due to vulnerabilities).
If authentication fails (wrong password or key), the router logs the failure and increments the retry counter. After max retries, the connection is dropped.
What the CCNA 200-301 Tests
Exam objective 4.7: "Compare remote access methods: Telnet vs. SSH." The exam expects you to know:
The default port numbers: Telnet = 23, SSH = 22.
That Telnet sends data in cleartext; SSH encrypts all traffic.
That SSH provides authentication and integrity; Telnet does not.
The basic configuration steps for SSH on a Cisco device: hostname, domain name, RSA key generation, VTY transport.
The show commands: show ip ssh, show ssh, show users.
That SSHv2 is preferred over SSHv1 due to security vulnerabilities in v1.
Common Wrong Answers and Why
1. "Telnet uses encryption if you configure a password." Wrong because Telnet never encrypts; the password is sent in plaintext. Candidates confuse the login password with encryption.
2. "SSH uses UDP port 22." Wrong because SSH uses TCP for reliable, connection-oriented communication. Candidates may confuse it with DNS (UDP 53).
3. "SSH requires a AAA server." Wrong because SSH can use local authentication. AAA is optional. Candidates think encryption implies external authentication.
4. "Telnet is more secure because it uses a three-way handshake." Wrong because both use the TCP three-way handshake. Security comes from encryption, not the handshake. Candidates confuse connection establishment with security.
Specific Values and Commands on the Exam
Port numbers: Telnet = 23, SSH = 22.
SSH version: You should set ip ssh version 2.
RSA key generation: crypto key generate rsa modulus 2048.
VTY transport: transport input ssh.
Show command: show ip ssh displays timeout, retries, version.
Decision Rule for Scenario Questions
If a question asks which protocol to use for secure remote management, the answer is always SSH. If the question mentions "encrypted" or "secure", choose SSH. If it mentions "legacy" or "no encryption", choose Telnet. Also, if the question asks about port numbers, know that Telnet is 23 and SSH is 22.
Trap: "Which protocol should you use to remotely manage a router over the internet?"
Answer: SSH, because the internet is untrusted. Telnet should only be used in isolated, trusted management networks.
Telnet uses TCP port 23; SSH uses TCP port 22.
Telnet sends all data, including passwords, in plaintext; SSH encrypts the entire session.
SSH provides server authentication using RSA host keys; Telnet has no authentication mechanism.
To enable SSH on Cisco IOS, you must configure a hostname, domain name, and generate RSA keys with `crypto key generate rsa`.
Set `ip ssh version 2` to use the more secure SSHv2.
On VTY lines, use `transport input ssh` to restrict access to SSH only.
Use `show ip ssh` and `show ssh` to verify SSH configuration and active sessions.
These come up on the exam all the time. Here's how to tell them apart.
| Telnet | SSH |
|---|---|
| TCP port 23 | TCP port 22 |
| No encryption (cleartext) | Encrypts all data (e.g., AES) |
| No server authentication | Server authentication via RSA key |
| No integrity checking | HMAC integrity verification |
| Simple, low overhead | Higher overhead due to encryption |
Mistake: Telnet is secure if you use a strong password.
Correct: Telnet sends the password in cleartext, so it can be captured by anyone on the path. A strong password does not protect against sniffing.
Candidates think password strength protects against interception, but encryption is needed for confidentiality.

Mistake: SSH uses UDP because it is faster.
Correct: SSH uses TCP for reliable, ordered delivery. Encryption overhead is separate from the transport protocol.
Candidates confuse SSH with other protocols like SNMP or DNS that use UDP.

Mistake: You need a separate SSH server license on Cisco devices.
Correct: SSH is included in the IOS image; no additional license is required for basic SSH functionality.
Some advanced features (e.g., SSH with FIPS) may require licensing, but basic SSH is free.

Mistake: Telnet and SSH can be used interchangeably on any network.
Correct: Telnet should only be used on trusted, isolated management networks. SSH is required for any network where security is a concern, especially over the internet.
Candidates underestimate the risk of packet sniffing on shared networks.
Yes, by configuring `transport input telnet ssh` on the VTY lines. However, this is not recommended for security because it leaves Telnet enabled. If you must support both, use ACLs to restrict Telnet to trusted management IPs only. For CCNA, remember that the best practice is to use SSH only.
SSHv1 has known security vulnerabilities, including issues with integrity checking and man-in-the-middle attacks. SSHv2 is more secure and is the current standard. On Cisco devices, you should configure `ip ssh version 2` to force v2. Some older clients may only support v1, but modern devices should use v2.
The hostname and domain name are used to create the fully qualified domain name (FQDN), which serves as the label for the RSA key pair. For example, if hostname is R1 and domain is example.com, the key is labeled R1.example.com. This ensures uniqueness. Without these, the `crypto key generate rsa` command fails.
First, verify SSH is enabled with `show ip ssh`. Check that RSA keys exist with `show crypto key mypubkey rsa`. Confirm VTY lines allow SSH with `show running-config | include transport`. Ensure there is no ACL blocking port 22. Use `debug ip ssh` to see detailed handshake messages. Also check that the client has the server's host key (if not, it may prompt to accept).
No, SSH requires authentication. You must configure either local usernames (using `username` command) or use AAA. The VTY line must have `login local` or `login authentication` pointing to a method list. Without a username database, SSH connections will fail.
The default authentication timeout is 120 seconds. This can be changed with `ip ssh time-out` command. The timeout applies to the time allowed for the SSH authentication process to complete. If exceeded, the connection is dropped.
No, SSH requires an IP network connection. The router must have an IP address on an interface that is reachable from the SSH client. Console access is out-of-band and does not use TCP/IP. For remote access, the router must be configured with an IP address and a route back to the client.