Courseiva
200-301
Full test
easymultiple choiceObjective-mapped

Why is SSH preferred over Telnet for device management?

Question 1easymultiple choice
Full question →

Why is SSH preferred over Telnet for device management?

Full question →

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Distractor review

SSH uses UDP and is therefore faster

SSH uses TCP, not UDP.

B

Best answer

SSH encrypts the session traffic

That is the main security advantage.

C

Distractor review

SSH works only on Layer 2 networks

SSH works across IP networks.

D

Distractor review

SSH does not require user authentication

SSH absolutely supports and usually requires authentication.

Common exam trap

Common exam trap: answer the scenario, not the keyword

A frequent exam trap is the misconception that SSH uses UDP or does not require user authentication. Some candidates mistakenly believe SSH is faster because it uses UDP, but SSH actually uses TCP to ensure reliable, ordered delivery of encrypted data. Another trap is thinking SSH works only on Layer 2 networks, whereas it operates over IP and can be used across routed networks. Additionally, assuming SSH does not require authentication is incorrect; SSH mandates authentication to establish a secure session. Recognizing these facts helps avoid selecting incorrect options related to SSH’s protocol and security features.

Technical deep dive

How to think about this question

Secure Shell (SSH) is a network protocol that provides administrators with a secure way to access and manage network devices remotely. Unlike Telnet, which transmits data in plaintext, SSH encrypts all session traffic, including usernames, passwords, and commands, ensuring confidentiality and integrity. This encryption protects against eavesdropping and man-in-the-middle attacks, which are critical concerns in modern network security. SSH operates over TCP, typically using port 22, and supports strong authentication methods, including password and public key authentication. When choosing between SSH and Telnet for device management, Cisco devices and the CCNA exam emphasize the security benefits of SSH. Telnet sends all data unencrypted over the network, making it vulnerable to interception and credential theft. SSH’s encryption and authentication mechanisms make it the preferred protocol for managing Cisco routers, switches, and other network devices securely. Cisco IOS supports SSH configuration to replace Telnet, aligning with best practices for network security and compliance. A common exam trap is confusing SSH’s transport protocol or security features. For example, some might incorrectly believe SSH uses UDP or does not require authentication, which is false. Understanding that SSH uses TCP and mandates authentication helps avoid this mistake. Practically, network engineers must disable Telnet and enable SSH on Cisco devices to ensure secure remote management, especially in environments where sensitive data and device configurations are at risk.

KKey Concepts to Remember

  • SSH encrypts all session traffic, including usernames, passwords, and commands, to protect device management sessions from interception.
  • Telnet transmits data in clear text, making it vulnerable to eavesdropping and credential theft on modern IP networks.
  • Cisco devices prefer SSH over Telnet for remote management due to SSH’s secure authentication and encrypted communication.
  • SSH operates over TCP port 22 and supports multiple authentication methods, including password and public key authentication.
  • Telnet uses TCP but does not provide encryption or secure authentication, which makes it unsuitable for secure device management.
  • SSH works across IP networks and is not limited to Layer 2, enabling secure remote access over routed networks.
  • Network administrators should disable Telnet and enable SSH on Cisco devices to comply with security best practices.
  • Misunderstanding SSH’s transport protocol or authentication requirements is a common exam trap that can lead to incorrect answers.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

CCNA subnetting practice questions

Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.

CCNA OSPF practice questions

Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.

CCNA VLAN practice questions

Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.

CCNA STP practice questions

Practise spanning tree, root bridge election, port roles and STP troubleshooting.

CCNA EtherChannel practice questions

Practise LACP, PAgP, port-channel behaviour and bundle requirements.

CCNA ACL practice questions

Practise standard and extended ACLs, permit/deny logic and traffic filtering.

CCNA NAT practice questions

Practise static NAT, dynamic NAT, PAT and inside/outside address translation.

CCNA DHCP practice questions

Practise DHCP scopes, relay, leases and troubleshooting.

CCNA show ip route practice questions

Practise routing-table output, longest-prefix match, AD and route selection.

CCNA show interfaces trunk practice questions

Practise trunk verification and VLAN forwarding across switches.

CCNA wireless security practice questions

Practise WLAN security, authentication and wireless architecture concepts.

CCNA IPv6 practice questions

Practise IPv6 addressing, routes, neighbour discovery and common IPv6 exam traps.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

Question 1

A router learns the same prefix from both OSPF and EIGRP. Which route is installed by default?

Question 2

A router shows this output: R1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.1.1.2 1 FULL/DR 00:00:34 192.168.12.2 GigabitEthernet0/0 10.1.1.3 1 2WAY/DROTHER 00:00:39 192.168.12.3 GigabitEthernet0/0 Which statement is correct?

Question 3

What is the OSPF metric called?

Question 4

A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?

Question 5

A router interface applies this ACL inbound: 10 deny tcp any any eq 80 20 permit ip any any A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?

Question 6

A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?

FAQ

Questions learners often ask

What does this 200-301 question test?

SSH encrypts all session traffic, including usernames, passwords, and commands, to protect device management sessions from interception.

What is the correct answer to this question?

The correct answer is: SSH encrypts the session traffic — SSH encrypts the management session, including usernames, passwords, and commands. Telnet sends traffic in clear text, which makes it unsafe on modern networks.

What should I do if I get this 200-301 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.

Discussion

Loading comments…

Sign in to join the discussion.