Implementing and Operating Cisco Service Provider Network Core Technologies (SPCOR) — Question 388
A network engineer is testing an automation platform that interacts with Cisco networking devices via NETCONF over SSH. In accordance with internal security requirements:
✑ NETCONF sessions are permitted only from trusted sources in the 172.16.20.0/24 subnet.
✑ CLI SSH access is permitted from any source.
Which configuration must the engineer apply on R1?
Answer options
- A. configure terminal hostname R1 ip domain-name mydomain.com crypto key generate rsa ip ssh version 1 access-list 1 permit 172.16.20.0 0.0.0.255 netconf ssh acl 1 line vty 0 4 transport input ssh end
- B. configure terminal hostname R1 ip domain-name mydomain.com crypto key generate rsa ip ssh version 2 access-list 1 permit 172.16.20.0 0.0.0.255 access-list 1 permit any netconf ssh line vty 0 4 access-class 1 in transport input ssh end
- C. configure terminal hostname R1 ip domain-name mydomain.com crypto key generate rsa ip ssh version 1 access-list 1 permit 172.16.20.0 0.0.0.255 access-list 2 permit any netconf ssh line vty 0 4 access-class 2 in transport input ssh end
- D. configure terminal hostname R1 ip domain-name mydomain.com crypto key generate rsa ip ssh version 2 access-list 1 permit 172.16.20.0 0.0.0.255 netconf ssh acl 1 line vty 0 4 transport input ssh end
Correct answer: D
Explanation
The correct answer is D. It enables SSH version 2 rather than the deprecated version 1, and it applies the trusted-source restriction at the right point: `netconf ssh acl 1` binds access-list 1 (permit 172.16.20.0 0.0.0.255) to the NETCONF SSH subsystem only, while the VTY lines carry no `access-class`, so CLI SSH remains reachable from any source. Options A and C use SSH version 1, which is not recommended. Option B places the ACL on the VTY lines with `access-class 1 in` and adds `permit any` to it, so NETCONF (started with `netconf ssh` and no ACL) is reachable from any source, violating the requirement.
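To make the check behind the explanation mechanical, here is an added Python example (not part of the question or of Cisco IOS) that parses a standard-ACL configuration snippet and reports whether it meets the three requirements: SSHv2, NETCONF restricted to 172.16.20.0/24 via `netconf ssh acl`, and CLI SSH open to any source. The embedded snippets are constructed transcriptions of options B and D with the hostname and crypto lines omitted.

```python
import ipaddress
import re

TRUSTED = ipaddress.ip_network("172.16.20.0/24")

# Constructed transcriptions of answer options B and D (hostname/crypto lines omitted)
OPTION_B = """ip ssh version 2
access-list 1 permit 172.16.20.0 0.0.0.255
access-list 1 permit any
netconf ssh
line vty 0 4
 access-class 1 in
 transport input ssh"""
OPTION_D = """ip ssh version 2
access-list 1 permit 172.16.20.0 0.0.0.255
netconf ssh acl 1
line vty 0 4
 transport input ssh"""

def first_group(lines, pattern):
    # First capture group of the first line matching pattern, else None
    return next((m.group(1) for m in map(re.compile(pattern).match, lines) if m), None)

def entry_network(parts):
    # "addr wildcard" (IOS wildcard = inverted netmask) -> ip_network; "any" -> 0.0.0.0/0
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    wildcard = int(ipaddress.IPv4Address(parts[1] if len(parts) > 1 else "0.0.0.0"))
    mask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network((parts[0], str(mask)), strict=False)

def check_config(config):
    lines = [l.strip() for l in config.splitlines()]
    # Standard ACL permit entries keyed by ACL number, each as a list of ip_network
    acls = {}
    for line in lines:
        m = re.match(r"access-list (\d+) permit (.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append(entry_network(m.group(2).split()))
    netconf_acl = acls.get(first_group(lines, r"netconf ssh acl (\d+)"), [])
    vty_acl = first_group(lines, r"access-class (\d+) in")
    return {
        "sshv2": "ip ssh version 2" in lines,
        # NETCONF must have its own ACL and every permit entry must sit inside the trusted subnet
        "netconf_restricted": bool(netconf_acl) and all(n.subnet_of(TRUSTED) for n in netconf_acl),
        # CLI SSH from any source: no vty access-class, or one whose ACL permits 0.0.0.0/0
        "cli_any_source": vty_acl is None or any(n.prefixlen == 0 for n in acls.get(vty_acl, [])),
    }
```

Only option D satisfies all three keys; option B passes the CLI and SSHv2 checks but fails `netconf_restricted` because its ACL is bound to the VTY lines, not to NETCONF.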