Imagine you're a network engineer who needs to remotely manage a router in a data center across the country. You could use either Telnet or SSH. The difference? Telnet sends everything—including your password—in plaintext, while SSH encrypts the entire session. For the CCNA 200-301 exam (objective 4.7), you must understand why SSH is the secure standard and how to configure it on Cisco IOS. In real networks, using Telnet is a security violation; SSH is mandatory for any production environment.
Think of Telnet as sending your network commands on a postcard. You write your message (e.g., 'configure terminal', 'enable', 'password cisco') on the back, drop it in the mail, and it travels across the network exposed. Any postal worker, sorting machine, or curious bystander can read every word. Worse, your login credentials are right there for anyone to copy. That's Telnet: no encryption, no way to confirm you are talking to the real device, and no integrity check; the only protection is the device's login prompt, and the password you type at it travels on the same postcard. Now imagine SSH as a steel lockbox. You put your message inside, lock it with a key that only you and the recipient have, and mail the box. Even if someone intercepts it, they can't open it. SSH uses strong symmetric encryption (AES) to scramble the data, public-key cryptography so the client can verify the server's identity, and a key exchange that lets both sides agree on a shared secret without ever sending it. The lockbox analogy breaks down a bit because SSH also ensures the message hasn't been tampered with (integrity) and authenticates both sides (the server by its host key, the client by password or key). But the core idea holds: Telnet is readable by anyone on the path; SSH is private, authenticated, and tamper-evident. In the networking world, you never send commands on a postcard. You always use the lockbox.
Telnet (Telecommunication Network) is a network protocol that provides a bidirectional, interactive text-oriented communication facility using a virtual terminal connection. It operates over TCP port 23. SSH (Secure Shell) is a cryptographic network protocol for operating network services securely over an unsecured network. It operates over TCP port 22. The CCNA exam focuses on the configuration and verification of SSH, and the reasons why SSH has replaced Telnet.
Why SSH Exists
The Internet was designed in a more trusting era. Telnet, specified in 1969, sends all data, including usernames and passwords, in cleartext. Anyone with a packet sniffer (such as Wireshark) on the same network segment, or on any hop the traffic crosses, can capture the entire session. SSH, developed in 1995, addresses this by providing:
- Encryption: All session data is encrypted with a symmetric cipher (AES; 3DES only on legacy code).
- Authentication: The server proves its identity to the client with its host key (public-key cryptography), and the client then authenticates to the server with a password or a public key. Because client authentication happens inside the already-encrypted channel, the password is never visible on the wire.
- Integrity: A message authentication code (MAC) on every packet ensures the data has not been altered in transit.
How SSH Works Step by Step at the Packet Level
TCP Connection Establishment: The client initiates a TCP three-way handshake to the server on port 22.
SSH Protocol Version Exchange: Both sides send their supported protocol versions (e.g., SSH-2.0).
Key Exchange (Diffie-Hellman): The client and server run Diffie-Hellman to agree on a shared secret that an eavesdropper who sees every packet still cannot compute. From that secret both sides derive the session keys for encryption and integrity, and from this point on nothing travels in cleartext.
Host Key Authentication: As part of the key exchange the server sends its host key (public key) and signs the exchange hash with the matching private key, proving it holds that key. The client compares the host key with the one it has stored for that server (for OpenSSH, ~/.ssh/known_hosts): an unknown key produces a prompt, a changed key produces a warning. This is what defeats a man-in-the-middle: an impostor can complete Diffie-Hellman with the client, but cannot produce a valid signature under the genuine host key.
User Authentication: Inside the now-encrypted channel the client authenticates to the server. Common methods: password, public key, or keyboard-interactive. A sniffer sees the password only as ciphertext.
Session Establishment: After authentication the client opens a channel and requests a shell. The session keys negotiated earlier protect all subsequent data with the agreed cipher and MAC (e.g., aes256-cbc with hmac-sha1 in the show ssh output on this page; current code negotiates aes256-ctr or GCM with hmac-sha2 where both sides support it).
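The host-key check in the steps above is the part of the handshake a client can silently get wrong, so here it is in working form. This is an added example in Python, not code from the page or from Cisco: it encodes ssh-rsa public keys in their wire format, computes the OpenSSH-style SHA256 fingerprint, and checks a server's key against a known_hosts file, returning `match`, `MISMATCH` (a key other than the one pinned for that host, which is how a man-in-the-middle or a rekeyed device shows up) or `unknown` (first contact, where the user must verify the fingerprint out of band). The moduli, hostnames and addresses are constructed stand-ins, not real keys.

```python
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the data."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_hostkey_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key (RFC 4253 section 6.6)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 over the key blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (hostnames, keytype, blob) from plain known_hosts lines.
    Comments and hashed-host entries (|1|...) are skipped by this demo."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "|1|")):
            continue
        yield parts[0].split(","), parts[1], base64.b64decode(parts[2])


def check_host_key(host: str, keytype: str, blob: bytes, known_hosts: str) -> str:
    """'match' if the pinned key is presented, 'MISMATCH' if the host is known but
    the key differs (possible MITM), 'unknown' if no entry exists (trust on first use)."""
    host_seen = False
    for hosts, kt, known_blob in parse_known_hosts(known_hosts):
        if host in hosts and kt == keytype:
            host_seen = True
            if known_blob == blob:
                return "match"
    return "MISMATCH" if host_seen else "unknown"


# Constructed stand-in moduli: deterministic odd integers, NOT real RSA keys.
# The check only compares encodings, so that is enough for the demonstration.
_GOOD_N = int.from_bytes(hashlib.sha256(b"constructed R1 host key").digest() * 8, "big") | 1
_ROGUE_N = int.from_bytes(hashlib.sha256(b"constructed attacker key").digest() * 8, "big") | 1
R1_HOST_KEY = rsa_hostkey_blob(65537, _GOOD_N)
ROGUE_HOST_KEY = rsa_hostkey_blob(65537, _ROGUE_N)

# Constructed known_hosts on the management station, pinning R1 by name and address.
KNOWN_HOSTS = ("R1.example.com,192.0.2.1 ssh-rsa "
               + base64.b64encode(R1_HOST_KEY).decode() + "\n")

if __name__ == "__main__":
    print("R1 fingerprint:", fingerprint(R1_HOST_KEY))
    for label, key in (("genuine key", R1_HOST_KEY), ("rogue key", ROGUE_HOST_KEY)):
        print(f"{label:12} -> {check_host_key('192.0.2.1', 'ssh-rsa', key, KNOWN_HOSTS)}")
    print("new device   ->", check_host_key("192.0.2.2", "ssh-rsa", R1_HOST_KEY, KNOWN_HOSTS))
```

The MISMATCH case is the one to take seriously: an OpenSSH client refuses to continue with password authentication when it sees it, precisely so that an attacker who has inserted a device on the path cannot harvest the password. Treat "unknown" as a prompt to compare the fingerprint with the value shown by show crypto key mypubkey rsa on the console before answering yes.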
Key Differences in Packet Content
Telnet: Every byte (including keystrokes) is sent as plaintext. A packet capture shows the password in clear.
SSH: Only the version banner exchanged at the start of the connection (SSH-2.0-...) is readable. Everything after the key exchange is encrypted, so a packet capture shows random-looking data and the password is never recoverable from the trace.
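To make the packet-content difference concrete, here is an added example in Python (not from the page and not a Cisco tool) that replays a constructed Telnet login segment by segment, strips the IAC option negotiation, and pulls the username, login password and enable password straight out of the keystrokes, including the character-at-a-time echo a real session shows. The same classifier run over a constructed SSH stream finds only the cleartext version banner followed by bytes that look like noise. The payloads, prompts and the stand-in for encrypted SSH records are all constructed for the demo.

```python
import hashlib
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0
OPTION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}        # WILL, WONT, DO, DONT: IAC <cmd> <option>
CRED_PROMPT = re.compile(r"(username|password|login)\s*:", re.I)


def strip_telnet_commands(data: bytes) -> bytes:
    """Drop Telnet IAC negotiation (RFC 854) and return only the terminal data."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):                  # dangling IAC at the end of a segment
            break
        cmd = data[i + 1]
        if cmd == IAC:                           # IAC IAC escapes a literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd == SB:                          # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in OPTION_CMDS:
            i += 3
        else:                                    # two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out)


def extract_telnet_credentials(segments):
    """Replay ordered (direction, payload) TCP segments and return (prompt, typed_line)
    for every line the client typed while a credential prompt was the last thing the
    server printed. Handles per-keystroke echo, backspace and CR NUL line endings."""
    server_line, typed, creds = "", bytearray(), []
    for direction, payload in segments:
        data = strip_telnet_commands(payload)
        if direction == "s2c":
            text = data.decode("ascii", "replace").replace("\r\n", "\n")
            server_line = (server_line + text).rsplit("\n", 1)[-1]
            continue
        for b in data.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n"):
            if b in (0x08, 0x7F):                # backspace / DEL
                if typed:
                    typed.pop()
            elif b == 0x0A:
                m = CRED_PROMPT.search(server_line)
                if m:
                    creds.append((m.group(1).capitalize(), typed.decode("ascii", "replace")))
                typed = bytearray()
            else:
                typed.append(b)
    return creds


def classify_stream(payloads) -> dict:
    """Join one direction's payloads and report what a sniffer can read: SSH shows a
    cleartext banner and then ciphertext, Telnet is readable end to end."""
    stream = b"".join(payloads)
    banner, body = None, stream
    if stream.startswith(b"SSH-"):
        head, _, body = stream.partition(b"\r\n")
        banner = head.decode("ascii", "replace")
    printable = sum(1 for b in body if 32 <= b < 127 or b in (9, 10, 13))
    return {"protocol": "ssh" if banner else "telnet/other", "banner": banner,
            "printable_ratio": round(printable / len(body), 2) if body else 0.0}


def _keystrokes(text: str, echo: bool):
    """Constructed char-mode exchange: one segment per key, echoed by the server except
    at a password prompt (as IOS behaves), then Enter sent as CR NUL."""
    segs = []
    for ch in text:
        segs.append(("c2s", ch.encode()))
        if echo:
            segs.append(("s2c", ch.encode()))
    return segs + [("c2s", b"\r\x00")]


# Constructed capture of a Telnet login to an IOS device (not a real trace).
CONSTRUCTED_TELNET = (
    [("s2c", b"\xff\xfd\x01\xff\xfb\x01\xff\xfb\x03"),   # DO ECHO, WILL ECHO, WILL SGA
     ("c2s", b"\xff\xfc\x01\xff\xfd\x03"),                # WONT ECHO, DO SGA
     ("s2c", b"\r\nUser Access Verification\r\n\r\nUsername: ")]
    + _keystrokes("admin", echo=True) + [("s2c", b"\r\nPassword: ")]
    + _keystrokes("cisco123", echo=False) + [("s2c", b"\r\nR1>")]
    + _keystrokes("enable", echo=True) + [("s2c", b"\r\nPassword: ")]
    + _keystrokes("enablepw", echo=False) + [("s2c", b"\r\nR1#")]
)

# Constructed SSH server-to-client stream: banner, then a deterministic stand-in for
# encrypted binary packets (not actual SSH ciphertext).
CONSTRUCTED_SSH_S2C = [b"SSH-2.0-Cisco-1.25\r\n",
                       hashlib.sha256(b"stand-in for encrypted ssh records").digest() * 4]

if __name__ == "__main__":
    print("telnet:", classify_stream([p for d, p in CONSTRUCTED_TELNET if d == "s2c"]))
    print("credentials recovered:", extract_telnet_credentials(CONSTRUCTED_TELNET))
    print("ssh:   ", classify_stream(CONSTRUCTED_SSH_S2C))
```

The extractor is the same logic Wireshark's "Follow TCP Stream" leaves you to do by eye, and it recovers both the login password and the enable password from the constructed trace; run against the SSH stream, nothing after the banner is text at all. The same approach, pointed at a span port, is a reasonable detection for Telnet still in use on a management VLAN.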
IOS CLI Configuration for SSH
To enable SSH on a Cisco router or switch, you must:
1. Configure a hostname and domain name (required for RSA key generation; together they form the key label).
2. Generate an RSA key pair (this also starts the SSH server).
3. Configure the VTY lines to accept only SSH (allowing Telnet as well is possible, but best practice is SSH only).
4. Configure local authentication or AAA so that logins are per-user.
Optionally, restrict the server to SSHv2 with ip ssh version 2 and limit who may connect with an access-class on the VTY lines.
Example configuration:
Router(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa modulus 2048
The name for the keys will be: R1.example.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)
R1(config)# ip ssh version 2
R1(config)# username admin secret cisco123
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# exit
The ip ssh version 2 line makes the device refuse SSHv1 clients; without it IOS runs in compatibility mode and show ip ssh reports version 1.99. The username and secret are lab values; use a strong passphrase on real equipment.
Verification Commands
show ip ssh: Displays the SSH version (2.0 once ip ssh version 2 is configured; 1.99 means compatibility mode, in which SSHv1 is still accepted), authentication timeout, and retries.
R1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): ...
show ssh: Shows active SSH sessions.
R1# show ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-cbc hmac-sha1 Session started admin
0 2.0 OUT aes256-cbc hmac-sha1 Session started admin
show crypto key mypubkey rsa: Displays the RSA public key.
R1# show crypto key mypubkey rsa
% Key pair was generated at: 08:24:20 UTC Mar 1 2023
Key name: R1.example.com
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A ...
Interaction with Related Protocols
AAA (RADIUS/TACACS+): SSH can integrate with AAA for centralized authentication, authorization, and accounting. The VTY lines use login authentication to reference an AAA method list.
SCP (Secure Copy): Uses SSH for secure file transfer.
SFTP (SSH File Transfer Protocol): Also uses SSH for secure file transfer.
Defaults and Timers
SSH version: Unless ip ssh version 2 is configured, Cisco IOS runs in compatibility mode and show ip ssh reports version 1.99, meaning both SSHv1 and SSHv2 clients are accepted. ip ssh version 2 restricts the server to SSHv2 only (SSHv2 support arrived in the 12.3T train).
Authentication timeout: 120 seconds (configurable with ip ssh time-out).
Authentication retries: 3 (configurable with ip ssh authentication-retries).
RSA key modulus: minimum 768 bits, recommended 2048 bits. Cisco IOS requires at least 768 bits for SSH version 2.
Trap Patterns for the Exam
Trap: Thinking Telnet is acceptable on a lab or isolated network. Reality: The CCNA exam expects you to know that SSH is always preferred. Telnet is considered insecure, and many exam questions highlight this.
Trap: Forgetting to set a hostname and domain name before generating RSA keys. Reality: Without these, the crypto key generate rsa command will fail.
Trap: Confusing the SSH server and client configuration. Reality: On a router, you configure the SSH server for inbound connections; the client uses ssh command to connect outbound.
Trap: Assuming SSH version 1 is secure. Reality: SSHv1 has known vulnerabilities, and IOS still accepts SSHv1 clients in its default compatibility mode (version 1.99). Configure ip ssh version 2 to refuse them; exam questions expect you to know this command.
Set hostname and domain name
Before generating RSA keys, the router must have a hostname and an IP domain name. These are used as part of the key label. Without them, the `crypto key generate rsa` command will produce an error. Use `hostname <name>` and `ip domain-name <domain>`. Example: `R1(config)# hostname R1` and `R1(config)# ip domain-name example.com`.
Generate RSA key pair
Use `crypto key generate rsa modulus <size>` to create the RSA public/private key pair. The modulus size must be at least 768 bits for SSHv2; 2048 bits is recommended for security. During generation, the router will display progress. Example: `R1(config)# crypto key generate rsa modulus 2048`. This command also enables the SSH server.
Create local user accounts
For local authentication, create user accounts with the `username` command and the `secret` keyword, which stores a one-way hash of the password (type 5 MD5 on older IOS, type 8 or 9 on current releases) rather than the password itself. Example: `R1(config)# username admin secret cisco123` (a lab value; use a strong passphrase in production). Avoid `username ... password`, which stores the password in cleartext, or as reversible type 7 obfuscation when `service password-encryption` is enabled.
Configure VTY lines for SSH
Access the VTY lines with `line vty 0 4`, or better `line vty 0 15` so that every line the platform offers is covered; a line you leave out keeps its old transport setting and may still accept Telnet. Set `transport input ssh` to allow only SSH connections. `transport input ssh telnet` allows both, but this is not recommended. Then apply `login local` so the device authenticates against its local username database. Example: `R1(config-line)# transport input ssh` and `R1(config-line)# login local`.
Configure SSH timeouts and retries (optional)
Use `ip ssh time-out <seconds>` to set the authentication timeout (default 120). Use `ip ssh authentication-retries <count>` to set the maximum number of retries (default 3). These are global commands. Example: `R1(config)# ip ssh time-out 60` and `R1(config)# ip ssh authentication-retries 2`.
Verify SSH configuration
Use `show ip ssh` to display SSH version, timeout, and retries. Use `show ssh` to see active sessions. Use `show crypto key mypubkey rsa` to view the RSA public key. These commands confirm that SSH is operational. Example output: `R1# show ip ssh` returns version 2.0, timeout 120, retries 3.
In enterprise networks, SSH is the de facto standard for remote device management. A typical scenario: a network engineer needs to configure hundreds of switches across multiple sites. Instead of traveling to each site, they SSH into each device from a jump box. The jump box is often hardened and logged. SSH ensures that the configuration commands and credentials are encrypted in transit. Without SSH, an attacker on the same VLAN could capture the enable password and gain full control.
Another scenario: automated scripts (e.g., Ansible, Python with Netmiko) use SSH to push configurations to network devices. These scripts rely on SSH's reliable, encrypted channel. If a misconfiguration occurs (e.g., SSH access is accidentally disabled), the engineer might be locked out and need console access. Therefore, best practice is to always maintain an out-of-band management network or console server.
Performance considerations: SSH encryption adds a small overhead (CPU for encryption/decryption). On older routers, this can be significant. Modern routers have hardware acceleration. The CCNA exam does not test performance deeply, but you should know that SSH uses more CPU than Telnet.
Common misconfigurations: (1) Forgetting to generate RSA keys—SSH server will not start. (2) Using transport input telnet instead of ssh. (3) Not configuring login local on VTY lines, causing authentication to fail. (4) Setting an ACL on VTY lines that blocks SSH from the management station. In production, always test SSH connectivity from a management station before closing the console session.
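The misconfigurations listed above are all visible in the running configuration, so they can be checked mechanically before the console session is closed. The audit script below is an added example in Python (not from the page and not a Cisco tool): it parses a constructed running-config excerpt that contains the weak settings, then the hardened version of the same device, and returns findings as (code, context) pairs. The finding codes, both configs and the ACL name MGMT are the example's own; the hash in the username lines is a placeholder, not a real type 9 digest.

```python
import re

# Constructed running-config excerpt with the classic mistakes (not from a real device).
WEAK_CONFIG = """\
hostname R1
ip domain-name example.com
username admin password 0 cisco123
username ops secret 9 CONSTRUCTED-TYPE9-HASH
ip ssh time-out 60
ip ssh authentication-retries 2
line con 0
 login local
line vty 0 4
 transport input ssh telnet
 login local
line vty 5 15
 transport input all
 login
"""

# The same device after hardening: SSHv2 only, hashed credentials, every VTY line
# covered, management ACL applied, idle timeout set.
HARDENED_CONFIG = """\
hostname R1
ip domain-name example.com
ip ssh version 2
username admin secret 9 CONSTRUCTED-TYPE9-HASH
ip access-list standard MGMT
 permit 10.10.0.0 0.0.0.255
line vty 0 15
 access-class MGMT in
 exec-timeout 10 0
 transport input ssh
 login local
"""


def parse_blocks(config: str):
    """Split an IOS config into (header, [indented sub-lines]) pairs. Lines that are not
    indented start a new block; comment lines beginning with '!' are ignored."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_ssh_config(config: str):
    """Return a list of (finding_code, context) for remote-management weaknesses."""
    findings = []
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]

    # Compatibility mode (1.99) accepts SSHv1 unless ip ssh version 2 is present.
    if "ip ssh version 2" not in headers:
        findings.append(("SSH_COMPAT_MODE", "global"))

    # 'username X password' is cleartext (type 0) or reversible type 7, never a hash.
    for h in headers:
        m = re.match(r"username (\S+) password\b", h)
        if m:
            findings.append(("PLAINTEXT_OR_TYPE7_USERNAME", m.group(1)))

    for header, body in blocks:
        if not header.startswith("line vty"):
            continue
        transport = next((l for l in body if l.startswith("transport input")), None)
        if transport is None:
            findings.append(("VTY_NO_TRANSPORT_INPUT", header))
        elif set(transport.split()[2:]) not in ({"ssh"}, {"none"}):
            findings.append(("VTY_ALLOWS_NON_SSH", f"{header}: {transport}"))
        # Plain 'login' uses the shared line password; per-user auth needs local or AAA.
        if not any(l == "login local" or l.startswith("login authentication") for l in body):
            findings.append(("VTY_NO_PER_USER_AUTH", header))
        if not any(l.startswith("access-class") for l in body):
            findings.append(("VTY_NO_ACCESS_CLASS", header))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for code, ctx in audit_ssh_config(cfg) or [("OK", "no findings")]:
            print(f"  {code:28} {ctx}")
```

Feed it the output of show running-config collected over SSH or from the console, and treat any VTY_ALLOWS_NON_SSH or VTY_NO_PER_USER_AUTH finding as a stop-ship: those are exactly the states in which the device still answers on TCP 23 or accepts a shared line password.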
The CCNA 200-301 exam objective 4.7 is titled 'Configure and verify SSH'. Expect questions on:
The steps to enable SSH (hostname, domain name, RSA key, VTY transport).
The SSH version (2.0 once ip ssh version 2 is configured; 1.99 in show ip ssh means compatibility mode, with SSHv1 still accepted).
The minimum RSA key modulus for SSHv2 (768 bits, but Cisco recommends 2048).
Verification commands: show ip ssh, show ssh.
The difference between SSH and Telnet (encryption vs plaintext).
Common wrong answers:
1. 'Telnet is more secure because it uses TCP.' (Wrong: Telnet sends plaintext; SSH encrypts.)
2. 'SSH uses port 23.' (Wrong: SSH uses 22; Telnet uses 23.)
3. 'You need to configure an ACL to allow SSH.' (Wrong: no ACL is needed for SSH to work; the enabling step is the VTY transport. An access-class on the VTY lines is still good practice, to restrict which management stations may connect.)
4. 'The transport input ssh command is applied globally.' (Wrong: It is applied under VTY lines.)
Trap: A question may give a configuration where transport input all is used. While this allows both SSH and Telnet, the exam expects you to know that SSH is preferred and Telnet should be disabled. Another trap: The crypto key generate rsa command may be shown with a modulus of 512 bits. This is too small for SSHv2 (minimum 768).
Decision rule: For any remote management question, choose SSH over Telnet. If the question asks for configuration steps, remember: hostname, domain, RSA key, VTY transport (ssh), and authentication (local or AAA).
SSH uses TCP port 22; Telnet uses TCP port 23.
SSH encrypts all session data; Telnet sends plaintext.
To enable SSH on Cisco IOS: set hostname, domain name, generate RSA key (min 768 bits, recommend 2048), configure VTY lines with `transport input ssh` and `login local`.
Cisco IOS supports SSHv2; configure `ip ssh version 2` so that only SSHv2 is accepted (compatibility mode, which also accepts SSHv1, shows as version 1.99).
Default SSH authentication timeout is 120 seconds; default retries is 3.
Verification commands: `show ip ssh` (global SSH config), `show ssh` (active sessions).
SSH uses public-key cryptography for server authentication and symmetric encryption for data.
Telnet is considered insecure and should not be used in production networks.
These come up on the exam all the time. Here's how to tell them apart.
SSH
Encrypts all data (password, commands, output)
Uses TCP port 22
Supports strong authentication (password, public key, etc.)
Provides data integrity (MAC)
More CPU overhead due to encryption
Default protocol for secure remote management
Telnet
Sends all data as plaintext
Uses TCP port 23
Only simple password authentication (also plaintext)
No integrity checking
Minimal CPU overhead
Obsolete; should not be used in production
Mistake
Telnet is more secure because it uses TCP, which is reliable.
Correct
Both SSH and Telnet use TCP. Telnet sends data in plaintext; SSH encrypts it. Security depends on encryption, not transport reliability.
Candidates confuse reliability (TCP) with security (encryption).
Mistake
SSH is ready to accept connections by default, just like Telnet.
Correct
SSH is not enabled by default; you must generate RSA keys, which enables the SSH server. Without keys, SSH is unavailable.
Some think SSH is like Telnet, which is always ready to accept connections.
Mistake
The `transport input ssh` command must be applied globally.
Correct
The `transport input` command is applied under VTY line configuration (`line vty 0 4`), not globally.
Candidates confuse global commands with line-specific commands.
Mistake
SSH version 1 is acceptable if you use a strong password.
Correct
SSHv1 has known vulnerabilities (e.g., the CRC-32 compensation attack). Configure `ip ssh version 2` so the device refuses SSHv1; in the default compatibility mode (1.99) it is still accepted.
Older documentation may still reference SSHv1; CCNA expects SSHv2.
SSH encrypts the entire session, including login credentials and commands, using strong encryption algorithms (e.g., AES). Telnet sends everything in plaintext, making it vulnerable to packet sniffing. SSH also provides server authentication via host keys, preventing man-in-the-middle attacks. For the CCNA exam, always choose SSH over Telnet for remote management.
The minimum modulus is 768 bits. However, Cisco recommends 2048 bits for security. If you use a modulus smaller than 768 bits, SSHv2 will not work. The exam may test that SSHv2 requires at least 768 bits. Note that SSHv1 can use smaller keys, but SSHv1 is insecure.
Under VTY line configuration, use `transport input ssh`. This allows only SSH connections. If you want to allow both, use `transport input ssh telnet` (not recommended). Also, ensure that no other protocols like rlogin are allowed. Use `line vty 0 4` then `transport input ssh`.
It displays the SSH version (2.0 when `ip ssh version 2` is configured; 1.99 in compatibility mode, where SSHv1 is still accepted), the authentication timeout (default 120 seconds), the authentication retries (default 3), and the minimum expected Diffie-Hellman key size. It also prints the device's RSA public key in SECSH format, which is what you compare against a client's host-key prompt. This command is used to verify the SSH server configuration. For active sessions, use `show ssh`.
Yes, Cisco routers can act as SSH clients. From privileged EXEC mode use `ssh -l username ip-address`, for example `ssh -l admin 192.168.1.1`; adding `-v 2` forces SSHv2 to the destination. The destination must be running an SSH server and be reachable from the router.
The SSH server will not start. When you try to SSH to the router, you will get a connection refused error. You must generate RSA keys using `crypto key generate rsa` before SSH can accept connections. Also, ensure the hostname and domain name are set first.
Yes, you can configure `transport input ssh telnet` under VTY lines. This allows both protocols. However, this is not recommended because Telnet is insecure. The CCNA exam expects you to disable Telnet in favor of SSH. If a question asks for a secure configuration, choose `transport input ssh` only.