Network Services and Security · hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is SSH because it provides encrypted remote administration, unlike Telnet. SSH encrypts the entire session—including credentials and commands—using cryptographic keys, while Telnet transmits everything in plaintext, making it vulnerable to packet sniffing. On the CCNA 200-301 v2 exam, this distinction tests your understanding of secure device hardening; a common trap is assuming Telnet is acceptable for lab environments or that SSH only works on Layer 2 switches. In reality, SSH operates on routers and Layer 3 switches as well, and blocking Telnet does not disable AAA services, which can still function over SSH or local authentication. The key takeaway is that SSH ensures confidentiality and integrity for remote management traffic, whereas Telnet offers none. Memory tip: think “SSH = Secure Shell, Telnet = Tell-everyone.”

CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

An administrator wants to permit SSH management access but block Telnet access to a device. Which statement best reflects that design goal?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

Correct answer & explanation

SSH is preferred because it provides encrypted remote administration, unlike Telnet

Permitting SSH while blocking Telnet is a hardening decision because SSH encrypts management traffic and Telnet does not. The administrator wants remote access to remain available with credentials and session data protected. Option A is correct: SSH provides encrypted remote administration. Option B is wrong: Telnet offers no confidentiality. Option C is wrong: SSH works on routers and Layer 3 switches, not only Layer 2 switches. Option D is wrong: blocking Telnet does not disable AAA; AAA can still function over SSH or local authentication.

Key principle: SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • SSH is preferred because it provides encrypted remote administration, unlike Telnet

    Why this is correct

    This is correct because SSH protects management traffic with encryption, while Telnet sends it in clear text.

    Clue confirmation

    The clue word "best" in the question points toward this answer.

    Related concept

    SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks.

  • Telnet is preferred because it provides stronger confidentiality than SSH

    Why it's wrong here

    This is wrong because Telnet does not provide stronger confidentiality. It is less secure because it is unencrypted.

    When this WOULD be correct

    In a hypothetical scenario where a question asks which protocol provides stronger confidentiality in a specific legacy system that has been configured to use Telnet with additional encryption layers, option B could be considered correct. This would imply that the context allows for Telnet to be enhanced beyond its standard capabilities.

  • SSH can be used only on Layer 2 switches and not routers

    Why it's wrong here

    This is wrong because SSH is widely used on both routers and switches.

    When this WOULD be correct

    In a different exam scenario, if the question stated that SSH is only supported on Layer 2 switches and asked which protocol should be used for secure management of Layer 2 devices, then option C would be correct as it aligns with the constraints of that specific context.

  • Blocking Telnet automatically disables all AAA functions

    Why it's wrong here

    This is wrong because disabling Telnet does not automatically disable AAA mechanisms.

    When this WOULD be correct

    If a question stated that blocking Telnet access would also disable AAA functions due to a specific device configuration or policy that ties AAA to Telnet sessions, then this option would be correct. For example, if a legacy system required Telnet for AAA operations, blocking it could impact those functionalities.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

SSH is preferred because it provides encrypted remote administration, unlike Telnet (correct answer)

Why this is correct

This is correct because SSH protects management traffic with encryption, while Telnet sends it in clear text.

Telnet is preferred because it provides stronger confidentiality than SSH (wrong answer)

Why this is wrong here

Telnet does not provide confidentiality; it transmits all data, including login credentials, in clear text, making it easily intercepted. SSH uses strong encryption to protect the session, so Telnet is never preferred over SSH for security.

Why candidates choose this

A student might confuse the terms 'confidentiality' and 'authentication' or mistakenly think that an older protocol like Telnet could be more secure due to simplicity. Some might also assume that because Telnet is widely used in legacy environments, it must have some security advantage.

SSH can be used only on Layer 2 switches and not routers (wrong answer)

Why this is wrong here

SSH is not limited to Layer 2 switches; it is supported on virtually all Cisco routers, switches, firewalls, and other network devices that run an IOS or similar operating system. The statement is factually incorrect.

Why candidates choose this

A test-taker might confuse SSH with a Layer 2 protocol or think that because Telnet is often used for console access on switches, SSH might be restricted. The similarity in names between SSH and other Layer 2 protocols (like STP) could also cause confusion.

Blocking Telnet automatically disables all AAA functions (wrong answer)

Why this is wrong here

Blocking Telnet only disables Telnet access; AAA (Authentication, Authorization, and Accounting) functions are independent and can still be used with SSH, console, or other access methods. Disabling Telnet does not affect AAA configuration or operation.

Why candidates choose this

A student might think that Telnet is a required component for AAA, especially if they have seen AAA configured with Telnet in lab scenarios. The acronym AAA and its association with remote access could lead to the mistaken belief that disabling Telnet breaks AAA.

Analysis generated from the official 200-301 blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

Avoid assuming that enabling both protocols or disabling both achieves security goals. Focus on encryption as the key factor.

Detailed technical explanation

How to think about this question

Secure remote management of Cisco devices is critical for maintaining network integrity and confidentiality. SSH (Secure Shell) is a protocol that encrypts all management traffic, including usernames, passwords, and session data, preventing eavesdropping and man-in-the-middle attacks. Unlike Telnet, which sends data in plaintext, SSH uses cryptographic techniques to secure communication channels, making it the preferred method for remote device access in modern networks.

When designing secure network management, administrators must explicitly permit SSH access while blocking Telnet to enforce encryption. Cisco devices support SSH on both routers and switches, requiring configuration of RSA key pairs and enabling the SSH server feature. Blocking Telnet access does not affect AAA services, which continue to authenticate and authorize users independently. This separation ensures that disabling insecure protocols does not compromise overall device security policies.

A common exam trap is assuming that disabling Telnet disables all authentication or management access, which is incorrect. Telnet and SSH are separate protocols, and AAA functions operate independently of the transport protocol used. Practically, network engineers must verify that SSH is correctly configured and accessible before disabling Telnet to avoid losing remote management capabilities. This approach aligns with Cisco’s security best practices and is a foundational concept tested in the CCNA exam.

Key Concepts to Remember

  • SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks.
  • Telnet transmits data, including credentials, in clear text, making it vulnerable to interception and unauthorized access.
  • Cisco devices prefer SSH over Telnet for secure remote management to comply with security best practices and industry standards.
  • Blocking Telnet access does not disable AAA (Authentication, Authorization, and Accounting) functions on Cisco devices.
  • SSH is supported on both routers and switches, enabling encrypted remote access across various Cisco network devices.
  • Enabling SSH requires proper configuration of device host keys and user authentication methods to secure management sessions.
  • Network administrators should disable Telnet to reduce attack surfaces and prevent exposure of sensitive management information.
  • Secure management protocols like SSH are fundamental to network hardening and protecting device control planes from compromise.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks.

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

What to study next

Got this wrong? Here's your next step.

Review the key principle (SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks), then practise related 200-301 questions on the same topic to reinforce the concept.

FAQ

Questions learners often ask

What does this 200-301 question test?

This question tests Network Services and Security: SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks.

What is the correct answer to this question?

The correct answer is: SSH is preferred because it provides encrypted remote administration, unlike Telnet — Permitting SSH while blocking Telnet is a hardening decision because SSH encrypts management traffic and Telnet does not. The administrator wants remote access to remain available with credentials and session data protected. Option A is correct: SSH provides encrypted remote administration. Option B is wrong: Telnet offers no confidentiality. Option C is wrong: SSH works on routers and Layer 3 switches, not only Layer 2 switches. Option D is wrong: blocking Telnet does not disable AAA; AAA can still function over SSH or local authentication.

What should I do if I get this 200-301 question wrong?

Review the key principle (SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks), then practise related 200-301 questions on the same topic to reinforce the concept.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

2 more ways this is tested on 200-301

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. An engineer wants remote administrative access to remain available but also wants session contents protected in transit. Which management choice best supports that goal?

hard
  • A. SSH
  • B. Telnet
  • C. Open wireless access
  • D. Native VLAN 1

Why A: The best choice is SSH because it provides encrypted remote administrative access. In plain language, the engineer wants administrators to keep managing devices remotely, but without exposing credentials or session contents in clear text. SSH solves that by protecting the traffic in transit, which is why it is preferred over older plaintext protocols such as Telnet. This is a core management-plane security principle. The goal is not to remove remote administration, but to perform it safely. The correct answer is the one that aligns with secure remote access rather than convenience at the expense of protection.

Variation 2. An administrator wants to block all Telnet access to a router’s VTY lines and allow only SSH. Which change most directly supports that goal?

hard
  • A. Configure the VTY lines to accept SSH and not Telnet.
  • B. Enable PortFast on the VTY lines.
  • C. Use DHCP snooping to protect the VTY lines.
  • D. Increase the OSPF hello interval.

Why A: The most direct change is to configure the VTY lines to accept only SSH, which removes Telnet as an accepted protocol. Option B (PortFast) is a spanning-tree feature that speeds up port transition on access ports and has nothing to do with VTY access. Option C (DHCP snooping) is a Layer 2 security feature to prevent rogue DHCP servers; it does not affect VTY line protocols. Option D (OSPF hello interval) is an OSPF timer adjustment, unrelated to remote access security. Therefore, only option A directly achieves the goal.
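
An added example (not part of the original page and not Cisco tooling): a small Python check that reads a saved configuration and reports whether each VTY block is explicitly SSH-only, which is the verification step the technical explanation asks for before Telnet is removed and the outcome Variation 2 describes. The configuration excerpt is constructed, the function names `audit_vty`, `classify` and `safe_to_rely_on_ssh` are hypothetical, and a block with no `transport input` line is reported as unspecified on the assumption that the implicit default depends on the software release.

```python
import re

# Constructed running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
hostname R1
ip ssh version 2
!
line con 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
!
end
"""

def classify(transports) -> str:
    """Map the set of 'transport input' keywords to a verdict."""
    if transports is None:
        # Assumption: the implicit default differs between releases,
        # so an absent statement is reported rather than guessed.
        return "unspecified"
    if transports & {"telnet", "all"}:
        return "telnet-allowed"
    if transports == {"ssh"}:
        return "ssh-only"
    if transports == {"none"}:
        return "no-remote-access"
    return "other"

def audit_vty(config: str) -> dict:
    """Return {vty line header: verdict} for every 'line vty' block."""
    seen, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):          # a top-level command ends any block
            current = None
            if re.match(r"line vty \d+(?: \d+)?\s*$", raw):
                current = raw.strip()
                seen[current] = None         # no 'transport input' seen yet
        elif current and raw.strip().startswith("transport input"):
            seen[current] = set(raw.split()[2:])
    return {header: classify(t) for header, t in seen.items()}

def safe_to_rely_on_ssh(config: str) -> bool:
    """True only when at least one VTY block exists and all are SSH-only."""
    verdicts = list(audit_vty(config).values())
    return bool(verdicts) and all(v == "ssh-only" for v in verdicts)

if __name__ == "__main__":
    for header, verdict in audit_vty(SAMPLE_CONFIG).items():
        print(f"{header}: {verdict}")
```

A clean result from a saved file only shows what the configuration says; an actual SSH login to the device is still the confirmation that management access survives the change.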

Last reviewed: May 17, 2026
