- A
SSH is preferred because it provides encrypted remote administration, unlike Telnet
This is correct because SSH protects management traffic with encryption, while Telnet sends it in clear text.
- B
Telnet is preferred because it provides stronger confidentiality than SSH
Why wrong: This is wrong because Telnet does not provide stronger confidentiality. It is less secure because it is unencrypted.
- C
SSH can be used only on Layer 2 switches and not routers
Why wrong: This is wrong because SSH is widely used on both routers and switches.
- D
Blocking Telnet automatically disables all AAA functions
Why wrong: This is wrong because disabling Telnet does not automatically disable AAA mechanisms.
Quick Answer
The answer is SSH because it provides encrypted remote administration, unlike Telnet. SSH encrypts the entire session—including credentials and commands—using cryptographic keys, while Telnet transmits everything in plaintext, making it vulnerable to packet sniffing. On the CCNA 200-301 v2 exam, this distinction tests your understanding of secure device hardening; a common trap is assuming Telnet is acceptable for lab environments or that SSH only works on Layer 2 switches. In reality, SSH operates on routers and Layer 3 switches as well, and blocking Telnet does not disable AAA services, which can still function over SSH or local authentication. The key takeaway is that SSH ensures confidentiality and integrity for remote management traffic, whereas Telnet offers none. Memory tip: think “SSH = Secure Shell, Telnet = Tell-everyone.”
CCNA Network Services and Security Practice Question
This 200-301 practice question tests your understanding of network services and security. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
An administrator wants to permit SSH management access but block Telnet access to a device. Which statement best reflects that design goal?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "best"
Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
Correct answer & explanation
SSH is preferred because it provides encrypted remote administration, unlike Telnet
Permitting SSH while blocking Telnet is a hardening decision because SSH encrypts management traffic and Telnet does not. The administrator wants remote access to remain available with credentials and session data protected. Option A is correct: SSH provides encrypted remote administration. Option B is wrong: Telnet offers no confidentiality. Option C is wrong: SSH works on routers and Layer 3 switches, not only Layer 2 switches. Option D is wrong: blocking Telnet does not disable AAA; AAA can still function over SSH or local authentication.
Key principle: SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
SSH is preferred because it provides encrypted remote administration, unlike Telnet
Why this is correct
This is correct because SSH protects management traffic with encryption, while Telnet sends it in clear text.
Clue confirmation
The clue word "best" in the question points toward this answer.
Related concept
SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks.
- ✗
Telnet is preferred because it provides stronger confidentiality than SSH
Why it's wrong here
This is wrong because Telnet does not provide stronger confidentiality. It is less secure because it is unencrypted.
When this WOULD be correct
In a hypothetical scenario where a question asks which protocol provides stronger confidentiality in a specific legacy system that has been configured to use Telnet with additional encryption layers, option B could be considered correct. This would imply that the context allows for Telnet to be enhanced beyond its standard capabilities.
- ✗
SSH can be used only on Layer 2 switches and not routers
Why it's wrong here
This is wrong because SSH is widely used on both routers and switches.
When this WOULD be correct
In a different exam scenario, if the question stated that SSH is only supported on Layer 2 switches and asked which protocol should be used for secure management of Layer 2 devices, then option C would be correct as it aligns with the constraints of that specific context.
- ✗
Blocking Telnet automatically disables all AAA functions
Why it's wrong here
This is wrong because disabling Telnet does not automatically disable AAA mechanisms.
When this WOULD be correct
If a question stated that blocking Telnet access would also disable AAA functions due to a specific device configuration or policy that ties AAA to Telnet sessions, then this option would be correct. For example, if a legacy system required Telnet for AAA operations, blocking it could impact those functionalities.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓ SSH is preferred because it provides encrypted remote administration, unlike Telnet (correct answer)
Why this is correct
This is correct because SSH protects management traffic with encryption, while Telnet sends it in clear text.
✗ Telnet is preferred because it provides stronger confidentiality than SSH (wrong answer)
Why this is wrong here
Telnet does not provide confidentiality; it transmits all data, including login credentials, in clear text, making it easily intercepted. SSH uses strong encryption to protect the session, so Telnet is never preferred over SSH for security.
Why candidates choose this
A student might confuse the terms 'confidentiality' and 'authentication' or mistakenly think that an older protocol like Telnet could be more secure due to simplicity. Some might also assume that because Telnet is widely used in legacy environments, it must have some security advantage.
✗ SSH can be used only on Layer 2 switches and not routers (wrong answer)
Why this is wrong here
SSH is not limited to Layer 2 switches; it is supported on virtually all Cisco routers, switches, firewalls, and other network devices that run an IOS or similar operating system. The statement is factually incorrect.
Why candidates choose this
A test-taker might confuse SSH with a Layer 2 protocol or think that because Telnet is often used for console access on switches, SSH might be restricted. The similarity in names between SSH and Layer 2 protocols (like STP) could also cause confusion.
✗ Blocking Telnet automatically disables all AAA functions (wrong answer)
Why this is wrong here
Blocking Telnet only disables Telnet access; AAA (Authentication, Authorization, and Accounting) functions are independent and can still be used with SSH, console, or other access methods. Disabling Telnet does not affect AAA configuration or operation.
Why candidates choose this
A student might think that Telnet is a required component for AAA, especially if they have seen AAA configured with Telnet in lab scenarios. The acronym AAA and its association with remote access could lead to the mistaken belief that disabling Telnet breaks AAA.
Analysis generated from the official 200-301 blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
Avoid assuming that enabling both protocols or disabling both achieves security goals. Focus on encryption as the key factor.
Detailed technical explanation
How to think about this question
Secure remote management of Cisco devices is critical for maintaining network integrity and confidentiality. SSH (Secure Shell) is a protocol that encrypts all management traffic, including usernames, passwords, and session data, preventing eavesdropping and man-in-the-middle attacks. Unlike Telnet, which sends data in plaintext, SSH uses cryptographic techniques to secure communication channels, making it the preferred method for remote device access in modern networks.
When designing secure network management, administrators must explicitly permit SSH access while blocking Telnet to enforce encryption. Cisco devices support SSH on both routers and switches, requiring configuration of RSA key pairs and enabling the SSH server feature. Blocking Telnet access does not affect AAA services, which continue to authenticate and authorize users independently. This separation ensures that disabling insecure protocols does not compromise overall device security policies.
A common exam trap is assuming that disabling Telnet disables all authentication or management access, which is incorrect. Telnet and SSH are separate protocols, and AAA functions operate independently of the transport protocol used. Practically, network engineers must verify that SSH is correctly configured and accessible before disabling Telnet to avoid losing remote management capabilities. This approach aligns with Cisco’s security best practices and is a foundational concept tested in the CCNA exam.
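As an added example (not from the original page or from Cisco), the Python sketch below audits a running-config excerpt for VTY lines that still accept Telnet, which is the check to run before and after restricting the lines to SSH. The sample config is constructed, the verdict labels are hypothetical, and a VTY block with no explicit `transport input` is reported as `unspecified` on the assumption that the effective default depends on platform and software release.

```python
import re

# Constructed running-config excerpt for illustration; not from a real device.
SAMPLE_CONFIG = """\
hostname R1
aaa new-model
!
line con 0
 logging synchronous
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
line vty 16 31
 login local
!
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")
TRANSPORT_RE = re.compile(r"^\s+transport input (.+?)\s*$")

def classify(protocols):
    """Map a 'transport input' protocol list to a (hypothetical) audit verdict."""
    if protocols is None:
        return "unspecified"        # assumption: default varies by platform/release
    wanted = set(protocols)
    if wanted & {"telnet", "all"}:
        return "telnet-allowed"     # clear-text management still accepted
    if wanted == {"ssh"}:
        return "ssh-only"
    if wanted == {"none"}:
        return "no-remote-access"   # neither protocol accepted
    return "review"                 # some other protocol is enabled

def audit_vty(config_text):
    """Return [(vty_range, verdict)] for every 'line vty' block in the config."""
    results, current, protocols = [], None, None
    for line in config_text.splitlines():
        header = VTY_RE.match(line)
        if header or not line.startswith(" "):   # any top-level line ends a block
            if current is not None:
                results.append((current, classify(protocols)))
            current, protocols = None, None
            if header:
                current = f"{header.group(1)}-{header.group(2) or header.group(1)}"
            continue
        match = TRANSPORT_RE.match(line) if current is not None else None
        if match:
            protocols = match.group(1).lower().split()
    if current is not None:
        results.append((current, classify(protocols)))
    return results

def aaa_enabled(config_text):
    """AAA is its own global setting, independent of the VTY transport."""
    return any(l.strip() == "aaa new-model" for l in config_text.splitlines())

if __name__ == "__main__":
    print(audit_vty(SAMPLE_CONFIG), aaa_enabled(SAMPLE_CONFIG))
```

On the sample, only `line vty 0 4` passes; changing the second block to `transport input ssh` clears its finding while `aaa new-model` stays untouched.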
Key Concepts to Remember
- SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks.
- Telnet transmits data, including credentials, in clear text, making it vulnerable to interception and unauthorized access.
- Cisco devices prefer SSH over Telnet for secure remote management to comply with security best practices and industry standards.
- Blocking Telnet access does not disable AAA (Authentication, Authorization, and Accounting) functions on Cisco devices.
- SSH is supported on both routers and switches, enabling encrypted remote access across various Cisco network devices.
- Enabling SSH requires proper configuration of device host keys and user authentication methods to secure management sessions.
- Network administrators should disable Telnet to reduce attack surfaces and prevent exposure of sensitive management information.
- Secure management protocols like SSH are fundamental to network hardening and protecting device control planes from compromise.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks.
Real-world example
How this comes up in practice
A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.
What to study next
Got this wrong? Here's your next step.
Review the key principle (SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks), then practise related 200-301 questions on the same topic to reinforce the concept.
FAQ
Questions learners often ask
What does this 200-301 question test?
This question tests Network Services and Security: SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks.
What is the correct answer to this question?
The correct answer is: SSH is preferred because it provides encrypted remote administration, unlike Telnet — Permitting SSH while blocking Telnet is a hardening decision because SSH encrypts management traffic and Telnet does not. The administrator wants remote access to remain available with credentials and session data protected. Option A is correct: SSH provides encrypted remote administration. Option B is wrong: Telnet offers no confidentiality. Option C is wrong: SSH works on routers and Layer 3 switches, not only Layer 2 switches. Option D is wrong: blocking Telnet does not disable AAA; AAA can still function over SSH or local authentication.
What should I do if I get this 200-301 question wrong?
Review the key principle (SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks), then practise related 200-301 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
What is the key concept behind this question?
SSH encrypts management traffic, ensuring confidentiality and integrity for remote device administration over insecure networks.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Same concept, more angles
2 more ways this is tested on 200-301
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. An engineer wants remote administrative access to remain available but also wants session contents protected in transit. Which management choice best supports that goal?
Difficulty: hard
- ✓ A. SSH
- B. Telnet
- C. Open wireless access
- D. Native VLAN 1
Why A: The best choice is SSH because it provides encrypted remote administrative access. In plain language, the engineer wants administrators to keep managing devices remotely, but without exposing credentials or session contents in clear text. SSH solves that by protecting the traffic in transit, which is why it is preferred over older plaintext protocols such as Telnet. This is a core management-plane security principle. The goal is not to remove remote administration, but to perform it safely. The correct answer is the one that aligns with secure remote access rather than convenience at the expense of protection.
Variation 2. An administrator wants to block all Telnet access to a router’s VTY lines and allow only SSH. Which change most directly supports that goal?
Difficulty: hard
- ✓ A. Configure the VTY lines to accept SSH and not Telnet.
- B. Enable PortFast on the VTY lines.
- C. Use DHCP snooping to protect the VTY lines.
- D. Increase the OSPF hello interval.
Why A: The most direct change is to configure the VTY lines to accept only SSH, which removes Telnet as an accepted protocol. Option B (PortFast) is a spanning-tree feature that speeds up port transition on access ports and has nothing to do with VTY access. Option C (DHCP snooping) is a Layer 2 security feature to prevent rogue DHCP servers; it does not affect VTY line protocols. Option D (OSPF hello interval) is an OSPF timer adjustment, unrelated to remote access security. Therefore, only option A directly achieves the goal.
Last reviewed: May 17, 2026
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.