A network team must manage switches from home without exposing management ports to the internet. Which two controls best fit? Select two.

Expose the switch web interface directly on a public IP address.

Publicly exposing a management interface increases attack surface and makes brute-force and exploitation more likely. Secure administration should stay behind controlled access paths.

Use FTP to transfer configuration files because it is simple.

FTP does not encrypt usernames, passwords, or file contents. For device administration, secure protocols are preferred because they protect sensitive management data in transit.

Send management passwords by email to approved admins.

Email is not a secure channel for administrative credentials. It creates unnecessary exposure and weakens accountability because passwords can be forwarded or intercepted.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Require a VPN before allowing access to the management network. — The best fit is to place management access behind a VPN and use SSH for administration. The VPN ensures remote administrators must first authenticate into a protected network path, and SSH protects the actual management session with encryption. Together, those controls keep switch administration off the public internet while supporting secure remote work. Why others are wrong: Exposing a web console publicly, using FTP, or emailing passwords creates avoidable risk. Those choices either expose the management plane directly or use unencrypted channels. The goal is secure remote administration, so the answer pair must protect both network access and the management protocol itself.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.