The answer is that the device may not have SSH fully enabled with keys and a valid login method, because restricting the VTY lines with an ACL is only one part of the solution. Even if the ACL correctly permits traffic from 10.5.5.0/24, SSH access will fail if the router lacks a configured hostname and domain name, has no RSA keys generated, or does not have the transport input ssh command applied to the VTY lines. This scenario tests your understanding of the complete SSH configuration chain on the CCNA 200-301 v2 exam, where a common trap is to focus solely on the ACL while forgetting the prerequisite steps. Students often assume a correct ACL guarantees access, but the underlying SSH service must be operational first. Remember the mnemonic "H-D-R-T" (Hostname, Domain, RSA keys, Transport input ssh) to avoid missing any critical step.
CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. The scenario asks you to isolate a root cause: eliminate options that address a different problem before choosing. A key principle to apply: Access Control Lists (ACLs) applied inbound on VTY lines filter management traffic before it reaches the device's virtual terminal interface. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
line vty 0 4
 access-class 12 in
 transport input ssh
access-list 12 permit 10.5.5.0 0.0.0.255
Question: An engineer applies an ACL inbound on the VTY lines to permit SSH only from 10.5.5.0/24. Users from that subnet still cannot connect. What is the most likely reason?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier. The question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Correct answer & explanation
✓ The device may not have SSH fully enabled with keys and a valid login method
Restricting the VTY lines is not enough if SSH itself has not been enabled correctly. A missing local username, domain name, RSA keys, or transport input ssh setting can stop access even when the ACL is correct.
Key principle: Access Control Lists (ACLs) applied inbound on VTY lines filter management traffic before it reaches the device's virtual terminal interface.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong, and when they would be correct, is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓ The device may not have SSH fully enabled with keys and a valid login method (correct answer)
Why this is correct
The ACL allows the subnet, but SSH still needs its base configuration.
✗ The ACL must be applied outbound on the VTY lines (wrong answer)
Why this is wrong here
The access-class command applied inbound on VTY lines filters incoming connection attempts before they reach the login prompt; applying it outbound would filter traffic leaving the VTY session, which is not the intended behavior for restricting management access.
★ When this WOULD be the correct answer
In a different scenario, if the question stated that the ACL was applied outbound on the VTY lines, and users from the subnet were still unable to connect, then option B would be correct as it would indicate a misconfiguration of the ACL application direction.
Why candidates choose this
Students often confuse the direction of ACL application, thinking that outbound on VTY lines might control who can connect, but inbound is the correct direction for filtering incoming management sessions.
✗ SSH requires UDP port 22 (wrong answer)
Why this is wrong here
SSH uses TCP port 22, not UDP. The standard ACL in the scenario matches on source address only, so the port does not come into play here; a student who believes SSH uses UDP may misconfigure an extended ACL or expect a different behavior.
★ When this WOULD be the correct answer
In a different scenario, if a question asked about a network protocol that indeed uses UDP for communication, such as TFTP (Trivial File Transfer Protocol), then stating that it requires UDP port 69 would be correct. This would involve a context where the protocol in question is specifically UDP-based.
Why candidates choose this
Some protocols like SNMP or DNS use UDP, and students may incorrectly assume SSH also uses UDP due to a common misconception or confusion with other secure protocols.
✗ VTY access-class can only be used with Telnet (wrong answer)
Why this is wrong here
The access-class command works with both Telnet and SSH; it is not limited to Telnet. The VTY lines use the same access-class regardless of the transport protocol.
★ When this WOULD be the correct answer
In a different question setup where the focus is on Telnet access specifically and the context indicates that only Telnet connections are being considered, this option could be correct. For example, if the question specifies that only Telnet is allowed and SSH is not configured, then the statement about VTY access-class would be accurate.
Why candidates choose this
Students might think access-class is only for Telnet because it was originally designed for Telnet in older IOS versions, but modern IOS supports it for SSH as well.
Common exam traps
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is believing that simply applying an ACL to permit SSH traffic on the VTY lines guarantees remote access. Candidates often overlook that SSH requires full configuration, including RSA key generation, domain name setting, and valid login credentials. Without these, the device will refuse SSH connections regardless of ACL permissions. Another pitfall is misapplying the ACL outbound instead of inbound on VTY lines, which does not control incoming management sessions. Also, confusing SSH’s use of TCP port 22 with UDP can lead to incorrect ACL configurations. Recognizing these nuances prevents misinterpretation of the question and ensures correct troubleshooting.
Detailed technical explanation
How to think about this question
Access Control Lists (ACLs) are essential tools in Cisco networking to filter traffic based on IP addresses, protocols, and ports. When applied inbound on VTY lines, ACLs filter incoming management traffic before it reaches the device's virtual terminal interface, effectively controlling which hosts can attempt remote connections such as SSH or Telnet. However, ACLs only filter traffic; they do not enable or configure the management protocols themselves.
SSH (Secure Shell) is a secure protocol used for remote management of Cisco devices. To allow SSH access, the device must have SSH fully enabled, which includes generating RSA key pairs, setting a domain name, and configuring valid login credentials such as local usernames or external authentication servers. The VTY lines must also be configured with 'transport input ssh' to accept only SSH connections. Without these configurations, even if an ACL permits SSH traffic from a subnet, the device will reject connection attempts.
A common exam trap is assuming that applying an ACL to permit SSH traffic is sufficient for remote access. In reality, the device must be fully configured for SSH. Additionally, applying the ACL outbound on VTY lines is ineffective because inbound filtering controls access to the management interface. Understanding the distinction between enabling SSH and filtering SSH traffic is critical for both exam success and practical network security management.
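The following Python script is an added check, not part of the practice question or Courseiva's material: it lints a captured running-config for the prerequisites listed above, evaluates the standard ACL's wildcard match for a given source address, and reports what would still stop an SSH login. Run against the exhibit it reports the missing hostname, domain name and login method; RSA keys do not appear in running-config, so they must be verified separately with show crypto key mypubkey rsa.

```python
import re
from ipaddress import IPv4Address
# Constructed sample: the exhibit from the question, exactly as shown on the page.
EXHIBIT_CONFIG = """\
line vty 0 4
 access-class 12 in
 transport input ssh
access-list 12 permit 10.5.5.0 0.0.0.255
"""
def parse_standard_acls(config):
    """Map numbered standard ACLs to [(action, network, wildcard), ...] as ints."""
    acls = {}
    pat = r"^access-list (\d+) (permit|deny) (\S+)(?: (\d+\.\d+\.\d+\.\d+))?"
    for num, action, net, wc in re.findall(pat, config, re.M):
        if net == "any":
            net, wc = "0.0.0.0", "255.255.255.255"
        entry = (action, int(IPv4Address(net)), int(IPv4Address(wc or "0.0.0.0")))
        acls.setdefault(num, []).append(entry)
    return acls
def acl_permits(entries, src):
    """Evaluate a standard ACL top-down; unmatched sources hit the implicit deny."""
    s = int(IPv4Address(src))
    for action, net, wc in entries:
        if (s | wc) == (net | wc):  # wildcard 1-bits are 'don't care'
            return action == "permit"
    return False
def ssh_vty_gaps(config, src):
    """Return the reasons an SSH session from src would fail; [] if none are found."""
    gaps = []
    for pat, what in ((r"^hostname \S+", "hostname"),
                      (r"^ip domain[ -]name \S+", "ip domain-name")):
        if not re.search(pat, config, re.M):
            gaps.append(f"no {what} (required before RSA key generation)")
    m = re.search(r"^line vty[^\n]*\n((?: [^\n]*\n?)*)", config, re.M)
    vty = m.group(1) if m else ""  # subcommands of the first 'line vty' block
    if not re.search(r"transport input (ssh|all)", vty):
        gaps.append("vty lines do not accept SSH (transport input)")
    if "login local" in vty:
        if not re.search(r"^username \S+ (secret|password) ", config, re.M):
            gaps.append("login local set but no username configured")
    elif "login authentication" not in vty:
        gaps.append("no usable login method on the vty lines")
    acl = re.search(r"access-class (\d+) in", vty)
    if acl:
        n = acl.group(1)
        if not acl_permits(parse_standard_acls(config).get(n, []), src):
            gaps.append(f"access-class {n} does not permit {src} (or ACL {n} is missing)")
    # RSA keys never appear in running-config: confirm with 'show crypto key mypubkey rsa'.
    return gaps
```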
Key Concepts to Remember
Access Control Lists (ACLs) applied inbound on VTY lines filter management traffic before it reaches the device's virtual terminal interface.
SSH access to Cisco devices requires enabling SSH with RSA key generation, a domain name, and a valid local username and password or external authentication.
The 'transport input ssh' command on VTY lines restricts remote management to SSH only, blocking Telnet or other protocols.
ACLs control which IP addresses can initiate SSH sessions but do not enable SSH functionality by themselves.
Without proper SSH configuration, including keys and login methods, ACLs permitting SSH traffic will not allow successful connections.
Applying an ACL outbound on VTY lines is ineffective because inbound filtering controls access to the management interface.
SSH uses TCP port 22, not UDP, so ACLs must permit TCP port 22 traffic for SSH connections.
The 'access-class' command on VTY lines works with both Telnet and SSH to restrict remote access based on IP addresses.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Access Control Lists (ACLs) applied inbound on VTY lines filter management traffic before it reaches the device's virtual terminal interface.
Real-world example
How this comes up in practice
A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic from the nursing workstations is still blocked: the ACL had been applied outbound instead of inbound, and on the wrong interface. Questions like this test ACL direction and placement rules.
What is the correct answer to this question?
The correct answer is: The device may not have SSH fully enabled with keys and a valid login method. Restricting the VTY lines is not enough if SSH itself has not been enabled correctly. A missing local username, domain name, RSA keys, or transport input ssh setting can stop access even when the ACL is correct.
What should I do if I get this 200-301 question wrong?
Review the key concept (Access Control Lists applied inbound on VTY lines filter management traffic before it reaches the device's virtual terminal interface), then practise related 200-301 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes. Watch for: "most likely". Probability qualifier: the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Access Control Lists (ACLs) applied inbound on VTY lines filter management traffic before it reaches the device's virtual terminal interface.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.