Question 1mediummulti select
Full question →mediummulti selectObjective-mapped
Which two actions are reasonable examples of basic device-hardening practice?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
A
Best answer
Disable unused services or interfaces where practical
This is correct because reducing unnecessary exposure is a basic hardening principle.
B
Best answer
Use SSH instead of Telnet for remote management
This is correct because SSH provides encrypted management access.
C
Distractor review
Allow anonymous administrative login for convenience
This is wrong because anonymous administrative access weakens security.
D
Distractor review
Place all traffic in VLAN 1 so it is easier to remember
This is wrong because overusing VLAN 1 is not a hardening measure.
E
Distractor review
Remove authentication from VTY lines
This is wrong because authentication is a key part of securing management access.
Common exam trap
Common exam trap: answer the scenario, not the keyword
A common exam trap is selecting options that prioritize convenience over security, such as allowing anonymous administrative logins or removing authentication from VTY lines. These choices might seem to simplify management but actually expose the device to unauthorized access and potential compromise. Another tempting mistake is to assume that placing all traffic in VLAN 1 is a hardening measure because it simplifies configuration; however, this practice increases risk by making VLAN 1 a single point of attack. Recognizing that security fundamentals emphasize reducing exposure and enforcing secure access helps avoid these pitfalls.
Technical deep dive
How to think about this question
Device hardening is a fundamental security practice that involves configuring network devices to minimize vulnerabilities and reduce the attack surface. This includes disabling unused services and interfaces, which prevents unauthorized access points and limits potential exploitation vectors. Using secure management protocols like SSH instead of Telnet ensures that administrative sessions are encrypted, protecting credentials and commands from interception over the network. In Cisco devices, disabling unused interfaces or services is a straightforward but effective way to reduce exposure. For example, shutting down unused switch ports or disabling unnecessary routing protocols prevents attackers from leveraging these entry points. Similarly, Cisco IOS supports SSH for secure remote management, which encrypts all traffic, unlike Telnet that transmits data in clear text. Choosing SSH aligns with best practices for device administration security. A common exam trap is to confuse convenience with security, such as allowing anonymous administrative logins or removing authentication on VTY lines. These practices weaken device security and are explicitly discouraged in CCNA-level questions. Understanding that basic hardening focuses on reducing unnecessary services and enforcing secure access methods helps avoid these pitfalls and ensures compliance with Cisco’s recommended security fundamentals.
KKey Concepts to Remember
- Disabling unused services or interfaces on Cisco devices reduces the attack surface by eliminating unnecessary access points that attackers could exploit.
- Using SSH instead of Telnet for remote device management encrypts administrative traffic, protecting credentials and commands from interception.
- Cisco IOS devices allow administrators to disable unused interfaces with the 'shutdown' command to prevent unauthorized access through inactive ports.
- Telnet transmits management data in clear text, making it vulnerable to eavesdropping, whereas SSH provides secure encrypted communication.
- Allowing anonymous administrative login removes accountability and weakens security, which is against Cisco’s device-hardening best practices.
- Placing all traffic in VLAN 1 is discouraged because VLAN 1 is the default VLAN and overusing it can expose the network to VLAN hopping attacks.
- Removing authentication from VTY lines disables essential access control, making devices vulnerable to unauthorized remote management.
- Basic device hardening focuses on disciplined configuration choices that reduce unnecessary exposure rather than relying solely on advanced security tools.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Related practice questions
Related 200-301 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
CCNA subnetting practice questions
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
CCNA OSPF practice questions
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
CCNA VLAN practice questions
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
CCNA STP practice questions
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
CCNA EtherChannel practice questions
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
CCNA ACL practice questions
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
CCNA NAT practice questions
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
CCNA DHCP practice questions
Practise DHCP scopes, relay, leases and troubleshooting.
CCNA show ip route practice questions
Practise routing-table output, longest-prefix match, AD and route selection.
CCNA show interfaces trunk practice questions
Practise trunk verification and VLAN forwarding across switches.
CCNA wireless security practice questions
Practise WLAN security, authentication and wireless architecture concepts.
CCNA IPv6 practice questions
Practise IPv6 addressing, routes, neighbour discovery and common IPv6 exam traps.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A router learns the same prefix from both OSPF and EIGRP. Which route is installed by default?
Question 2
A router shows this output: R1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.1.1.2 1 FULL/DR 00:00:34 192.168.12.2 GigabitEthernet0/0 10.1.1.3 1 2WAY/DROTHER 00:00:39 192.168.12.3 GigabitEthernet0/0 Which statement is correct?
Question 3
What is the OSPF metric called?
Question 4
A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?
Question 5
A router interface applies this ACL inbound: 10 deny tcp any any eq 80 20 permit ip any any A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?
Question 6
A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?
FAQ
Questions learners often ask
What does this 200-301 question test?
Disabling unused services or interfaces on Cisco devices reduces the attack surface by eliminating unnecessary access points that attackers could exploit.
What is the correct answer to this question?
The correct answer is: Disable unused services or interfaces where practical — Basic hardening is about reducing unnecessary exposure and making administrative access safer. In plain language, this usually means disabling services or interfaces that are not needed and preferring secure management protocols such as SSH. These choices shrink the attack surface and improve the security of routine device administration without requiring advanced security products. The wrong answers in hardening questions often suggest convenience at the expense of security, such as leaving insecure access methods enabled or removing authentication. CCNA-level security expects you to recognize that strong fundamentals often come from disciplined configuration choices rather than from complex tools alone.
What should I do if I get this 200-301 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Discussion
Loading comments…
Sign in to join the discussion.