Question 229 of 1,819
Network Services and Security · Medium · Multiple Choice · Objective-mapped

Quick Answer

The device may not have SSH fully enabled with keys and a valid login method. Restricting the VTY lines with an access-class ACL is only one part of the solution: it decides which source addresses may attempt a connection, but it does not make SSH work. Even though access-list 12 correctly permits 10.5.5.0/24 and the lines already carry transport input ssh, the connection still fails if the router has no hostname and domain name, has never generated an RSA key pair, or has no login method on the VTY lines (login local with a username, or AAA). The question tests whether you know the complete SSH configuration chain on the CCNA 200-301 exam; the trap is to stare at the ACL while forgetting the prerequisites. A mnemonic such as H-D-R-T (Hostname, Domain name, RSA keys, Transport input ssh) helps, provided you also remember the login method.

CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. The scenario asks you to isolate a root cause, so eliminate options that address a different problem before choosing. A key principle to apply: Access Control Lists (ACLs) applied inbound on VTY lines filter management traffic before it reaches the device's virtual terminal interface. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

line vty 0 4
 access-class 12 in
 transport input ssh

access-list 12 permit 10.5.5.0 0.0.0.255

Exhibit: An engineer applies an ACL inbound on the VTY lines to permit SSH only from 10.5.5.0/24. Users from that subnet still cannot connect. What is the most likely reason?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.


Correct answer & explanation

The device may not have SSH fully enabled with keys and a valid login method

Restricting the VTY lines is not enough if SSH itself has not been enabled correctly. A missing hostname or domain name, an RSA key pair that was never generated, or no login method that can supply a username (login local with a local user, or AAA) stops access even when the ACL is correct. The exhibit already has transport input ssh on the lines, so in this scenario the missing piece is one of the other prerequisites.

Key principle: Access Control Lists (ACLs) applied inbound on VTY lines filter management traffic before it reaches the device's virtual terminal interface.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The device may not have SSH fully enabled with keys and a valid login method

    Why this is correct

    The ACL allows the subnet, but SSH still needs its base configuration.

    Clue confirmation

The clue word "most likely" in the question points toward this answer: several things could be wrong, and a missing SSH prerequisite is the most probable one given that the ACL shown is correct.

    Related concept

    Access Control Lists (ACLs) applied inbound on VTY lines filter management traffic before it reaches the device's virtual terminal interface.

  • The ACL must be applied outbound on the VTY lines

    Why it's wrong here

    Inbound is the correct direction for controlling management access to the device.

    When this WOULD be correct

The outbound direction has a genuine but different use. access-class 12 out on the VTY lines restricts the destinations that a user already logged in to this router may reach when opening a Telnet or SSH session from its VTY. A question about stopping a logged-in user from hopping onward to other devices would make an outbound access-class the right answer; a question about who may connect in never will.

  • SSH requires UDP port 22

    Why it's wrong here

    SSH uses TCP port 22.

    When this WOULD be correct

    In a different scenario, if a question asked about a network protocol that indeed uses UDP for communication, such as TFTP (Trivial File Transfer Protocol), then stating that it requires UDP port 69 would be correct. This would involve a context where the protocol in question is specifically UDP-based.

  • VTY access-class can only be used with Telnet

    Why it's wrong here

    It can absolutely be used with SSH.

    When this WOULD be correct

As worded, never. A question could describe VTY lines configured with transport input telnet, in which case access-class would in practice be filtering only Telnet sessions, but that is a consequence of the transport setting, not a limitation of access-class itself.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

The device may not have SSH fully enabled with keys and a valid login methodCorrect answer

Why this is correct

The ACL allows the subnet, but SSH still needs its base configuration.

The ACL must be applied outbound on the VTY linesWrong answer — click to see why

Why this is wrong here

The access-class command applied inbound on VTY lines filters incoming connection attempts before they reach the login prompt; applying it outbound would filter traffic leaving the VTY session, which is not the intended behavior for restricting management access.

★ When this WOULD be the correct answer

The outbound direction has a genuine but different use. access-class 12 out on the VTY lines restricts the destinations that a user already logged in to this router may reach when opening a Telnet or SSH session from its VTY. A question about stopping a logged-in user from hopping onward to other devices would make an outbound access-class the right answer; a question about who may connect in never will.

Why candidates choose this

Students often confuse the direction of ACL application, thinking that outbound on VTY lines might control who can connect, but inbound is the correct direction for filtering incoming management sessions.

SSH requires UDP port 22Wrong answer — click to see why

Why this is wrong here

SSH uses TCP port 22, not UDP. Note also that access-list 12 in the exhibit is a standard ACL: it matches only the source address, and the access-class command supplies the "connections to this router's VTY lines" context, so no protocol or port appears in it at all. The port only matters where an extended ACL on an interface in the path must permit TCP port 22; a student who believes SSH is UDP would write that entry wrongly.

★ When this WOULD be the correct answer

In a different scenario, if a question asked about a network protocol that indeed uses UDP for communication, such as TFTP (Trivial File Transfer Protocol), then stating that it requires UDP port 69 would be correct. This would involve a context where the protocol in question is specifically UDP-based.

Why candidates choose this

Some protocols like SNMP or DNS use UDP, and students may incorrectly assume SSH also uses UDP due to a common misconception or confusion with other secure protocols.

VTY access-class can only be used with TelnetWrong answer — click to see why

Why this is wrong here

The access-class command works with both Telnet and SSH; it is not limited to Telnet. The VTY lines use the same access-class regardless of the transport protocol.

★ When this WOULD be the correct answer

As worded, never. A question could describe VTY lines configured with transport input telnet, in which case access-class would in practice be filtering only Telnet sessions, but that is a consequence of the transport setting, not a limitation of access-class itself.

Why candidates choose this

Students may associate access-class with Telnet because many examples pair the two, but it is a per-line source-address filter that applies to every VTY session regardless of transport, SSH included.

Analysis generated from the official 200-301 blueprint and verified against question context.

Common exam traps

Common exam trap: answer the scenario, not the keyword

A frequent exam trap is believing that simply applying an ACL to permit SSH traffic on the VTY lines guarantees remote access. Candidates often overlook that SSH requires full configuration, including RSA key generation, domain name setting, and valid login credentials. Without these, the device will refuse SSH connections regardless of ACL permissions. Another pitfall is misapplying the ACL outbound instead of inbound on VTY lines, which does not control incoming management sessions. Also, confusing SSH’s use of TCP port 22 with UDP can lead to incorrect ACL configurations. Recognizing these nuances prevents misinterpretation of the question and ensures correct troubleshooting.

Detailed technical explanation

How to think about this question

Access Control Lists (ACLs) are the standard Cisco tool for filtering traffic by IP address, protocol and port. Applied inbound on the VTY lines with access-class, an ACL filters incoming management connections before the device offers a login prompt, which controls which hosts may even attempt an SSH or Telnet session. Because access-class already supplies the "connections to this device's VTY lines" context, the ACL used with it is normally a standard one that matches only source addresses, as access-list 12 does here.

ACLs only filter traffic; they do not enable or configure the management protocol. For SSH to accept a session the device needs a hostname and a domain name (the RSA key pair is named after them), a generated RSA key pair, and a login method that can supply a username: login local with a local username and secret, or AAA pointing at an external server. transport input ssh on the VTY lines restricts the lines to SSH and blocks Telnet; the exhibit already has it, so in this scenario the missing piece is one of the other prerequisites. Without them the device refuses the connection even though the ACL permits the source subnet.

The exam trap is to assume that permitting SSH traffic in an ACL is sufficient. It is not: enabling SSH and filtering SSH are separate steps. Applying the access-class outbound is also ineffective for this purpose, because inbound is the direction that governs who can reach the management interface. Keeping the two steps apart is the key to both the question and real-world troubleshooting.
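The complete chain described above, written out as an added IOS configuration example for this page (it is not the exhibit and not taken from any vendor document). The hostname R1, the domain example.com, the username admin and its secret are placeholders; the ACL and VTY lines reproduce the exhibit and add the login method it lacks:

```cisco
! Added example: the full SSH prerequisite chain around the exhibit's lines.
! Hostname, domain name, username and secret are placeholders.

! 1. Hostname and domain name. Both must exist before key generation,
!    because the RSA key pair is named <hostname>.<domain-name>.
hostname R1
ip domain-name example.com

! 2. Generate the RSA key pair. Giving the modulus on the command line
!    avoids the interactive prompt; 2048 bits is the sensible minimum.
!    The keys are stored in NVRAM, not in the running-config, so
!    'show running-config' can never tell you whether this step was done.
crypto key generate rsa modulus 2048

! 3. A login method that supplies a username. The default line 'login'
!    (line password only) is not enough for SSH: use the local user
!    database, as here, or AAA.
username admin privilege 15 secret ChangeMeBeforeUse
ip ssh version 2

! 4. The VTY lines from the exhibit, plus the login method they were missing.
!    access-list 12 ends with an implicit 'deny any'.
access-list 12 permit 10.5.5.0 0.0.0.255
line vty 0 4
 login local
 access-class 12 in
 transport input ssh

! Verification, in the order the failure chain runs.
! "SSH Enabled" means a key pair exists; "SSH Disabled" means step 2 is missing.
show ip ssh
! Lists the generated key pair and its size.
show crypto key mypubkey rsa
! Confirms login local, access-class 12 in and transport input ssh are all present.
show running-config | section line vty
! The match counter on the permit line climbs as 10.5.5.0/24 clients connect;
! a counter stuck at zero means the attempts never reached the VTY filter.
show access-lists 12
```

Run the show commands from the top down: a device that reports "SSH Disabled" has no key pair, and no amount of ACL editing will change that.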

Key Concepts to Remember

  • Access Control Lists (ACLs) applied inbound on VTY lines filter management traffic before it reaches the device's virtual terminal interface.
  • SSH access to Cisco devices requires enabling SSH with RSA key generation, a domain name, and a valid local username and password or external authentication.
  • The 'transport input ssh' command on VTY lines restricts remote management to SSH only, blocking Telnet or other protocols.
  • ACLs control which IP addresses can initiate SSH sessions but do not enable SSH functionality by themselves.
  • Without proper SSH configuration, including keys and login methods, ACLs permitting SSH traffic will not allow successful connections.
  • Applying an ACL outbound on VTY lines is ineffective because inbound filtering controls access to the management interface.
  • SSH uses TCP port 22, not UDP. The standard ACL used with access-class matches only source addresses and names no port; an extended ACL on an interface in the path, by contrast, must permit TCP port 22 for SSH to get through.
  • The 'access-class' command on VTY lines works with both Telnet and SSH to restrict remote access based on IP addresses.
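The two access-class directions and the two kinds of ACL from the concepts above, side by side, as an added configuration example that is not part of the original page. The router address 192.0.2.1, the ACL name EDGE-IN and the interface GigabitEthernet0/0 are assumed:

```cisco
! Added example. Two different questions are being answered:
!   "who may connect TO this router's VTY lines?"   -> access-class ... in
!   "where may a logged-in VTY user connect FROM?"  -> access-class ... out

! A standard ACL: matches source addresses only, no protocol, no port.
access-list 12 permit 10.5.5.0 0.0.0.255
! (implicit 'deny any' at the end)

! WRONG for restricting management access: 'out' only limits the
! destinations of Telnet/SSH sessions that a user already logged in on
! a VTY opens from this router. Inbound connections are not filtered.
line vty 0 4
 access-class 12 out

! RIGHT: 'in' checks the source address of every incoming VTY connection
! before the login prompt is offered. access-class supplies the
! "to this router's VTY" context, which is why a standard ACL is enough.
line vty 0 4
 no access-class 12 out
 access-class 12 in

! If management traffic must also pass an interface ACL on its way in,
! that ACL has to name the protocol and port: SSH is TCP 22, never UDP 22.
! 192.0.2.1 is the assumed address of this router's management interface.
ip access-list extended EDGE-IN
 permit tcp 10.5.5.0 0.0.0.255 host 192.0.2.1 eq 22
 deny   tcp any host 192.0.2.1 eq 22 log
 permit ip any any
interface GigabitEthernet0/0
 ip access-group EDGE-IN in

! To see which filter a refused connection hit, compare the match counters:
! a rising counter on EDGE-IN but none on 12 means the interface ACL is
! dropping the session before it ever reaches the VTY filter.
show access-lists EDGE-IN
show access-lists 12
```

The log keyword on the interface deny produces a syslog line per refused SSH attempt, which is the cheapest detection you can add here; the VTY access-class has no equivalent keyword, so its only evidence is the match counter.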

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Access Control Lists (ACLs) applied inbound on VTY lines filter management traffic before it reaches the device's virtual terminal interface.

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic from the nursing workstations is still blocked. The ACL had been applied on the wrong interface, and in the outbound rather than the inbound direction. Questions like this test ACL direction and placement rules.

What to study next

Got this wrong? Here's your next step.

Review how Access Control Lists (ACLs) applied inbound on VTY lines filter management traffic before it reaches the device's virtual terminal interface, then practise related 200-301 questions on the same topic to reinforce the concept.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 200-301 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-301 question test?

Network Services and Security. This question tests the principle that Access Control Lists (ACLs) applied inbound on VTY lines filter management traffic before it reaches the device's virtual terminal interface.

What is the correct answer to this question?

The correct answer is: The device may not have SSH fully enabled with keys and a valid login method — Restricting the VTY lines is not enough if SSH itself has not been enabled correctly. A missing local username, domain name, RSA keys, or transport input ssh setting can stop access even when the ACL is correct.

What should I do if I get this 200-301 question wrong?

Review how Access Control Lists (ACLs) applied inbound on VTY lines filter management traffic before it reaches the device's virtual terminal interface, then practise related 200-301 questions on the same topic to reinforce the concept.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Access Control Lists (ACLs) applied inbound on VTY lines filter management traffic before it reaches the device's virtual terminal interface.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: May 17, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.


This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.