- A
SSH encrypts remote access to prevent eavesdropping and unauthorized command interception.
SSH provides encrypted remote access, ensuring confidentiality and integrity of management sessions.
- B
AAA manages authentication, authorization, and accounting to control user access and track activities.
Why wrong: This is incorrect because AAA is a framework for access control, not specifically for encrypting remote access.
- C
ACLs filter traffic to permit or deny packets based on IP addresses and protocols.
Why wrong: This is incorrect because ACLs are used for traffic filtering, not for encrypting remote access.
- D
RBAC restricts commands to specific users based on roles to enforce least privilege.
Why wrong: This is incorrect because RBAC controls command authorization, not encryption of remote access.
Quick Answer
The answer is SSH, which encrypts remote access to prevent eavesdropping and unauthorized command interception. This is correct because SSH establishes a secure, encrypted channel for management-plane traffic, protecting sensitive commands and credentials from being captured in transit over the network. On the CCNA 200-301 v2 exam, this concept tests your understanding of how to secure the management plane specifically, often appearing in drag-and-drop or matching questions where you pair security controls with their functions. A common trap is confusing SSH with Telnet, which offers no encryption, or mixing up AAA’s role in access control with SSH’s role in transport security. Remember the mnemonic: “SSH Secures Shell, Telnet Tells All.”
CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: sSH encrypts remote management sessions to protect credentials and commands from interception during device administration.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Match each management-plane security item to its most accurate purpose.
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
SSH encrypts remote access to prevent eavesdropping and unauthorized command interception.
SSH provides encrypted remote administration, ensuring confidentiality of management traffic. AAA is a framework that handles authentication, authorization, and accounting for user access. Syslog enables centralized logging and event visibility from network devices. ACLs can filter traffic and be used to restrict which source IPs are allowed for management access. Each item directly maps to its described purpose without overlapping concepts.
Key principle: SSH encrypts remote management sessions to protect credentials and commands from interception during device administration.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
SSH encrypts remote access to prevent eavesdropping and unauthorized command interception.
- ✗
AAA manages authentication, authorization, and accounting to control user access and track activities.
Why it's wrong here
This is incorrect because AAA is a framework for access control, not specifically for encrypting remote access.
- ✗
ACLs filter traffic to permit or deny packets based on IP addresses and protocols.
Why it's wrong here
This is incorrect because ACLs are used for traffic filtering, not for encrypting remote access.
- ✗
RBAC restricts commands to specific users based on roles to enforce least privilege.
Why it's wrong here
This is incorrect because RBAC controls command authorization, not encryption of remote access.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓SSH encrypts remote access to prevent eavesdropping and unauthorized command interception.Correct answer▾
Why this is correct
SSH provides encrypted remote access, ensuring confidentiality and integrity of management sessions.
✗AAA manages authentication, authorization, and accounting to control user access and track activities.Wrong answer — click to see why▾
Why this is wrong here
AAA does not provide encryption; it handles authentication, authorization, and accounting.
Why candidates choose this
Candidates may confuse AAA with SSH because both are used for secure management, but AAA focuses on access control rather than encryption.
✗ACLs filter traffic to permit or deny packets based on IP addresses and protocols.Wrong answer — click to see why▾
Why this is wrong here
ACLs operate at Layer 3/4 and do not provide encryption or secure remote access.
Why candidates choose this
Candidates might think ACLs enhance security for management traffic, but they do not encrypt.
✗RBAC restricts commands to specific users based on roles to enforce least privilege.Wrong answer — click to see why▾
Why this is wrong here
RBAC is about role-based permissions, not about securing the communication channel.
Why candidates choose this
Candidates may associate RBAC with management security but overlook that encryption is the primary purpose of SSH.
Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
Do not confuse encryption (SSH) with access control (AAA) or traffic filtering (ACLs). SSH is the only option that directly encrypts remote management traffic.
Trap categories for this question
Command / output trap
This is incorrect because RBAC controls command authorization, not encryption of remote access.
Detailed technical explanation
How to think about this question
Management-plane security protects the administrative access and control plane of network devices, ensuring only authorized users can configure or monitor the device. SSH (Secure Shell) is a protocol that encrypts remote management sessions, preventing eavesdropping and credential theft during command-line interface access. AAA (Authentication, Authorization, and Accounting) frameworks enforce who can log in, what commands they can execute, and keep audit trails of their activities. ACLs (Access Control Lists) can restrict which IP addresses or networks are permitted to initiate management sessions, adding a layer of source-based filtering. Syslog servers collect and centralize logs from devices, providing visibility into management-plane events and potential security incidents. The decision process for securing the management plane involves layering these technologies to complement each other. SSH ensures confidentiality of remote sessions, but without AAA, any user with network access might log in. AAA enforces strict user identity verification and command authorization. ACLs limit the attack surface by allowing only trusted hosts to attempt management access. Syslog does not prevent access but supports security monitoring and incident response by capturing logs of management-plane activities. Together, these tools form a comprehensive defense-in-depth strategy for device administration. A frequent exam trap is to conflate the purposes of these technologies or to assume one tool covers all management-plane security needs. For example, relying on SSH alone ignores the need for user authentication and authorization controls provided by AAA. Similarly, neglecting ACLs can expose devices to unauthorized access attempts from untrusted networks. In practical Cisco environments, combining SSH, AAA, ACLs, and syslog is standard practice to secure device management effectively and maintain audit trails for compliance and troubleshooting.
KKey Concepts to Remember
- SSH encrypts remote management sessions to protect credentials and commands from interception during device administration.
- AAA enforces authentication, authorization, and accounting to control who can access devices and what actions they can perform.
- ACLs restrict management-plane access by filtering source IP addresses allowed to initiate administrative sessions.
- Syslog centralizes logging of management-plane events to support monitoring, auditing, and incident response.
- Management-plane security requires layering SSH, AAA, ACLs, and syslog to provide confidentiality, access control, and visibility.
- SSH alone does not provide user authorization or accounting, which are critical functions handled by AAA.
- ACLs reduce the attack surface by limiting management access attempts to trusted IP addresses or networks.
- Syslog does not prevent unauthorized access but enables detection and investigation of management-plane security events.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
SSH encrypts remote management sessions to protect credentials and commands from interception during device administration.
Real-world example
How this comes up in practice
A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.
What to study next
Got this wrong? Here's your next step.
Review sSH encrypts remote management sessions to protect credentials and commands from interception during device administration., then practise related 200-301 questions on the same topic to reinforce the concept.
- →
Network Services and Security — study guide chapter
Learn the concepts, then practise the questions
- →
Network Services and Security practice questions
Targeted practice on this topic area only
- →
All 200-301 questions
1,819 questions across all exam domains
- →
CCNA 200-301 v2 study guide
Full concept coverage aligned to exam objectives
- →
200-301 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related 200-301 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Network Infrastructure and Connectivity practice questions
Practise 200-301 questions linked to Network Infrastructure and Connectivity.
Switching and Network Access practice questions
Practise 200-301 questions linked to Switching and Network Access.
IP Routing practice questions
Practise 200-301 questions linked to IP Routing.
Network Services and Security practice questions
Practise 200-301 questions linked to Network Services and Security.
AI and Network Operations practice questions
Practise 200-301 questions linked to AI and Network Operations.
CCNA subnetting practice questions
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
CCNA OSPF practice questions
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
CCNA VLAN practice questions
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
CCNA STP practice questions
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
CCNA EtherChannel practice questions
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
CCNA ACL practice questions
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
CCNA NAT practice questions
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
Practice this exam
Start a free 200-301 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this 200-301 question test?
Network Services and Security — This question tests Network Services and Security — SSH encrypts remote management sessions to protect credentials and commands from interception during device administration..
What is the correct answer to this question?
The correct answer is: SSH encrypts remote access to prevent eavesdropping and unauthorized command interception. — SSH provides encrypted remote administration, ensuring confidentiality of management traffic. AAA is a framework that handles authentication, authorization, and accounting for user access. Syslog enables centralized logging and event visibility from network devices. ACLs can filter traffic and be used to restrict which source IPs are allowed for management access. Each item directly maps to its described purpose without overlapping concepts.
What should I do if I get this 200-301 question wrong?
Review sSH encrypts remote management sessions to protect credentials and commands from interception during device administration., then practise related 200-301 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
SSH encrypts remote management sessions to protect credentials and commands from interception during device administration.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Same concept, more angles
3 more ways this is tested on 200-301
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. Match each management or monitoring concept to its most accurate role.
medium- ✓ A.SIEM: Centralizes and correlates log data from multiple sources for security analysis.
- B.SIEM: Manages network device configurations and monitors device health via SNMP.
- C.SIEM: Analyzes network traffic flows to identify bandwidth usage and application performance.
- D.SIEM: Controls user access to network resources based on roles and policies.
Why A: SSH provides encrypted remote administration by encrypting the entire session, unlike unsecured protocols like Telnet. AAA is the foundational framework for network access control, covering who can authenticate, what operations they are authorized to perform, and what they did via accounting. Syslog enables centralized collection of event and log messages from multiple devices for monitoring and troubleshooting. NTP synchronizes system clocks across network devices, ensuring consistent timestamps for logging and security functions.
Variation 2. Match each security control or idea to its most accurate purpose.
medium- ✓ A.Firewall: Filters traffic based on security rules
- B.Firewall: Detects and alerts on suspicious activity
- C.Firewall: Prevents and blocks intrusions in real time
- D.Firewall: Authenticates users and manages access rights
Why A: SSH encrypts remote CLI sessions, ensuring secure management access. AAA is a framework that defines how users are authenticated, what they are authorized to do, and how their actions are accounted for. The least privilege principle restricts users to only the permissions essential for their role, minimizing potential damage. Syslog collects and centralizes log messages from devices, providing visibility into network events and aiding in troubleshooting and security monitoring.
Variation 3. Match each security control idea to its most accurate purpose.
medium- ✓ A.Firewall: Filters traffic based on security rules.
- B.Firewall: Detects and blocks malicious traffic patterns using signatures.
- C.Firewall: Prevents data loss by monitoring outbound traffic for sensitive data.
- D.Firewall: Protects web applications from attacks like SQL injection.
Why A: Least privilege restricts users and processes to only the access rights necessary for their tasks, reducing the attack surface. SSH provides encrypted remote management, preventing eavesdropping and credential theft during administrative sessions. BPDU Guard immediately disables an edge port if a BPDU is received, safeguarding the network from unauthorized switches and potential loops. Port security limits the number and identity of allowed MAC addresses on a switch port, blocking MAC flooding and unauthorized device access.
Keep practising
More 200-301 practice questions
- A switchport connected to another switch should carry multiple VLANs, but it was manually configured as an access port.…
- What problem is HSRP designed to solve?
- Which TWO statements correctly describe the causes or implications of CRC errors, runts, giants, or output errors as see…
- You are connected to R1. Configure IPv4 and IPv6 addressing on R1's interfaces and verify reachability to R2. The curren…
- Which TWO statements accurately describe how AI/ML concepts are applied to network operations in modern enterprise netwo…
- Which TWO switch port configurations are required when connecting a Cisco IP phone and a desktop PC to a single access p…
Last reviewed: May 17, 2026
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.