Question 1hardmultiple choice
Full question →hardmultiple choiceObjective-mapped
A router allows SSH management from anywhere on the internal network. A new policy requires that only the management subnet 10.50.50.0/24 be allowed to initiate SSH to the device. Which approach best enforces that requirement?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
A
Best answer
Restrict SSH access so only the 10.50.50.0/24 management subnet is permitted
This is correct because the policy is specifically about limiting management access by source.
B
Distractor review
Replace SSH with Telnet so the traffic is easier to identify
This is wrong because Telnet is less secure than SSH.
C
Distractor review
Enable PortFast on all access switches
This is wrong because PortFast is unrelated to router management access control.
D
Distractor review
Raise the Syslog severity threshold
This is wrong because logging thresholds do not restrict who can initiate SSH.
Common exam trap
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is selecting an option that changes the management protocol, such as replacing SSH with Telnet, because it seems to simplify access control. However, Telnet is insecure as it transmits data in clear text, exposing credentials to interception. Another trap is choosing unrelated features like PortFast or syslog severity thresholds, which do not control access to management services. Candidates may also overlook the need to apply an ACL to restrict source IPs, mistakenly believing that enabling SSH alone enforces the policy. This misunderstanding leads to incomplete security configurations that fail the requirement to limit SSH access to the management subnet.
Technical deep dive
How to think about this question
Access Control Lists (ACLs) are fundamental tools in Cisco networking used to control traffic flow by filtering packets based on criteria such as source IP addresses, destination IP addresses, and protocols. In the context of router management, ACLs can be applied to restrict which hosts or subnets are allowed to initiate management sessions like SSH. SSH (Secure Shell) is the industry-standard protocol for secure remote management because it encrypts all communication, including authentication credentials, ensuring confidentiality and integrity. To enforce a policy that only the management subnet 10.50.50.0/24 can initiate SSH connections, an ACL is created permitting SSH traffic only from that subnet and denying all other sources. This ACL is then applied to the router’s VTY (virtual terminal) lines or inbound interface to filter incoming SSH connection attempts. This approach ensures that even if SSH is enabled globally, only trusted hosts within the management subnet can establish sessions, effectively reducing the attack surface and improving security. A common exam trap is confusing protocol choice with access control. While SSH is the correct secure protocol, simply enabling SSH does not restrict who can connect. Another trap is assuming unrelated features like PortFast or syslog severity thresholds affect access control; they do not. PortFast optimizes Spanning Tree convergence and syslog controls logging detail, neither restricts SSH access. Understanding the distinction between protocol security and access control mechanisms is critical for correctly implementing and securing device management in Cisco environments.
KKey Concepts to Remember
- Access Control Lists (ACLs) are used on Cisco routers to filter traffic based on source IP addresses, destination IP addresses, protocols, and ports.
- SSH is the preferred secure management protocol for Cisco devices because it encrypts all transmitted data, preventing interception and tampering.
- Applying an ACL to the VTY lines or inbound interface restricts which source IP addresses can initiate SSH sessions to the router.
- A management subnet like 10.50.50.0/24 is commonly designated to centralize and secure device administration traffic.
- Restricting SSH access by source subnet reduces the attack surface by allowing only trusted hosts to connect to the router’s management interface.
- Replacing SSH with Telnet is insecure because Telnet transmits credentials and data in clear text, exposing the device to interception.
- PortFast is a Spanning Tree Protocol feature that speeds up port transition to forwarding state and does not control access to router management.
- Syslog severity thresholds control logging verbosity but do not affect network access or restrict SSH session initiation.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Related practice questions
Related 200-301 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
CCNA subnetting practice questions
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
CCNA OSPF practice questions
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
CCNA VLAN practice questions
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
CCNA STP practice questions
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
CCNA EtherChannel practice questions
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
CCNA ACL practice questions
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
CCNA NAT practice questions
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
CCNA DHCP practice questions
Practise DHCP scopes, relay, leases and troubleshooting.
CCNA show ip route practice questions
Practise routing-table output, longest-prefix match, AD and route selection.
CCNA show interfaces trunk practice questions
Practise trunk verification and VLAN forwarding across switches.
CCNA wireless security practice questions
Practise WLAN security, authentication and wireless architecture concepts.
CCNA IPv6 practice questions
Practise IPv6 addressing, routes, neighbour discovery and common IPv6 exam traps.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A router learns the same prefix from both OSPF and EIGRP. Which route is installed by default?
Question 2
A router shows this output: R1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.1.1.2 1 FULL/DR 00:00:34 192.168.12.2 GigabitEthernet0/0 10.1.1.3 1 2WAY/DROTHER 00:00:39 192.168.12.3 GigabitEthernet0/0 Which statement is correct?
Question 3
What is the OSPF metric called?
Question 4
A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?
Question 5
A router interface applies this ACL inbound: 10 deny tcp any any eq 80 20 permit ip any any A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?
Question 6
A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?
FAQ
Questions learners often ask
What does this 200-301 question test?
Access Control Lists (ACLs) are used on Cisco routers to filter traffic based on source IP addresses, destination IP addresses, protocols, and ports.
What is the correct answer to this question?
The correct answer is: Restrict SSH access so only the 10.50.50.0/24 management subnet is permitted — The best approach is to use an access control mechanism that limits SSH access to the approved source subnet. In practical terms, SSH is the correct secure protocol, but protocol choice alone is not enough. The device should also restrict who is allowed to reach that management service. That usually means applying an ACL or equivalent source restriction focused on the management subnet. This is a common management-plane security pattern: use a secure protocol, then limit the set of trusted sources that are allowed to use it.
What should I do if I get this 200-301 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Discussion
Loading comments…
Sign in to join the discussion.