Can't get SSH to work on 2911

mramirez-t
Level 1

Telnet is working, but I'm trying to block telnet and permit only SSH on this 2911 router. It's not our firewall; the firewall is allowing port 22 to the router. Here's my running config. I thought the transport input ssh command would do it, but it's not working.

***********************************************************************
WARNING: This system is for the use of authorized clients only.
Individuals using the computer network system without authorization,
or in excess of their authorization, are subject to having all their
activity on this computer network system monitored and recorded by
system personnel. To protect the computer network system from
unauthorized use and to ensure the computer network system is
functioning properly, system administrators monitor this system.
Anyone using this computer network system expressly consents to such
monitoring and is advised that if such monitoring reveals possible
conduct of criminal activity, system personnel may provide the
evidence of such activity to law enforcement officers.
Access is restricted to authorized users only. Unauthorized access is
a violation of state and federal, civil and criminal laws.
***********************************************************************


User Access Verification

Username: XXadmin
Password:

***********************************************************************
XXX
HOST: AIRP_2911
Configured for Data and Voice Use
***********************************************************************

XXXX_2911#sh run
Building configuration...


Current configuration : 10303 bytes
!
! Last configuration change at 09:39:22 EST Wed May 9 2018 by mradmin
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXX_2911
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.154-3.M6.bin
boot-end-marker
!
!
card type t1 0 0
logging buffered 512000
logging monitor informational
enable secret 5 $1$g7vK$bcLIFwsKTC.DzQWvpsbP./
!
aaa new-model
!
!
aaa authentication login default local group radius
aaa authentication enable default line
aaa authorization exec default local group radius
!
!
!
!
!
aaa session-id common
clock timezone EDT -5 0
clock summer-time EST recurring
network-clock-participate wic 0
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.13.0.1 10.13.0.19
ip dhcp excluded-address 10.13.8.1 10.13.8.32
!
ip dhcp pool Voice
network 10.13.8.0 255.255.255.0
default-router 10.13.8.1
option 150 ip 10.11.136.41 10.10.136.42
dns-server 10.11.144.150 10.11.144.151
!
!
!
ip domain name XXX.org
ip name-server 10.13.0.10
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
trunk group outgoing
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-1426142420
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1426142420
revocation-check none
rsakeypair TP-self-signed-1426142420
!
!
crypto pki certificate chain TP-self-signed-1426142420
certificate self-signed 01
quit
voice-card 0
!
!
!
voice service voip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
!
!
voice register global
mode srst
!
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1446A0WV
hw-module pvdm 0/0
!
!
!
archive
log config
logging enable
logging size 1000
notify syslog contenttype plaintext
hidekeys
path scp://backups:backups@10.5.144.114/$h-config
write-memory
username admin privilege 15 secret 5 $1$5unU$I.zsM.YLps88tiN1uUJta1
!
redundancy
!
!
!
!
!
controller T1 0/0/0
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/1
cablelength long 0db
channel-group 1 timeslots 1-24
!
!
class-map match-all AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
match ip dscp cs3 af31
!
policy-map AutoQoS-Police-CiscoPhone
class AutoQoS-VoIP-RTP-Trust
set dscp ef
class AutoQoS-VoIP-Control-Trust
set dscp cs3
class class-default
fair-queue
random-detect
!
!
!
!
!
!
!
!
!
!
!
interface Multilink1
ip address X.X.X.X 255.255.255.252
ppp multilink
ppp multilink group 1
ppp multilink fragment disable
service-policy output AutoQoS-Police-CiscoPhone
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Connection to Switch
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
!
interface GigabitEthernet0/0.35
encapsulation dot1Q 35
ip address 10.254.0.26 255.255.255.248
!
interface GigabitEthernet0/0.100
encapsulation dot1Q 100
ip address 10.13.0.1 255.255.255.0
ip helper-address 10.11.144.150
!
interface GigabitEthernet0/0.128
encapsulation dot1Q 1000
ip address 10.13.128.1 255.255.255.0
!
interface GigabitEthernet0/0.150
encapsulation dot1Q 150
ip address 10.13.8.1 255.255.255.0
h323-gateway voip interface
h323-gateway voip bind srcaddr 10.13.8.1
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0:0
description multilink 1 interface to MPLS
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface Serial0/0/1:1
description multilink 1 interface to MPLS
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
!
router eigrp 1
network 10.13.0.0 0.0.255.255
redistribute connected
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 10.254.0.25
ip route 10.2.0.0 255.255.0.0 10.254.0.27
ip route 10.3.0.0 255.255.0.0 10.254.0.29
ip route 10.5.0.0 255.255.0.0 10.254.0.29
ip route 10.11.0.0 255.255.0.0 10.254.0.25
ip route 10.254.0.42 255.255.255.255 10.254.0.29
ip route X.X.X.X 255.255.255.252 X.X.X.X
!
logging trap warnings
logging source-interface GigabitEthernet0/0.35
logging host 10.5.128.118
logging host 10.11.175.199
!
!
snmp-server community XXX1999 RO
snmp-server community XXXCORE RO
!
radius server host
address ipv4 10.5.144.145 auth-port 1645 acct-port 1646
key XXXXXXXXX
!
!
!
control-plane
!
!
voice-port 0/1/0
trunk-group outgoing 1
no vad
no comfort-noise
description 301-585-0147
caller-id enable
!
voice-port 0/1/1
trunk-group outgoing 2
no vad
no comfort-noise
description FXO 301-585-0413
caller-id enable
!
voice-port 0/1/2
trunk-group outgoing 3
no vad
no comfort-noise
caller-id enable
!
voice-port 0/1/3
trunk-group outgoing 4
no vad
no comfort-noise
caller-id enable
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
dial-peer voice 1 voip
description Catch All
incoming called-number .
voice-class codec 1
dtmf-relay h245-alphanumeric
no vad
!
dial-peer voice 2 voip
preference 1
destination-pattern [4-5]...
session target ipv4:10.11.136.42
voice-class codec 1
dtmf-relay h245-alphanumeric
no vad
!
dial-peer voice 3 voip
preference 2
destination-pattern [4-5]...
session target ipv4:10.10.136.42
voice-class codec 1
dtmf-relay h245-alphanumeric
no vad
!
dial-peer voice 100 pots
preference 1
destination-pattern 8T
port 0/1/0
!
dial-peer voice 101 pots
preference 2
destination-pattern 8T
port 0/1/1
!
dial-peer voice 102 pots
preference 4
destination-pattern 8911
port 0/1/2
forward-digits 3
!
dial-peer voice 103 pots
preference 3
destination-pattern 8911
port 0/1/1
forward-digits 3
!
dial-peer voice 104 pots
preference 2
destination-pattern 8911
port 0/1/0
forward-digits 3
!
dial-peer voice 105 pots
preference 1
destination-pattern 8911
port 0/1/3
forward-digits 3
!
dial-peer voice 1102 pots
preference 4
destination-pattern 911
port 0/1/2
forward-digits 3
!
dial-peer voice 1103 pots
preference 3
destination-pattern 911
port 0/1/1
forward-digits 3
!
dial-peer voice 1104 pots
preference 2
destination-pattern 911
port 0/1/0
forward-digits 3
!
dial-peer voice 1105 pots
preference 1
destination-pattern 911
port 0/1/3
forward-digits 3
!
dial-peer voice 7104 pots
preference 1
destination-pattern 8XXXXXXXXXX
port 0/1/0
forward-digits 10
!
!
!
!
gatekeeper
shutdown
!
!
call-manager-fallback
max-conferences 8 gain -6
transfer-system full-consult
timeouts interdigit 4
ip source-address 10.13.8.1 port 2000
max-ephones 40
max-dn 45 dual-line
system message primary Call Manager Down-Call Support
transfer-pattern 8T
!
!
no vstack
banner exec ^C
***********************************************************************
XXXXXXXXXXXXX
HOST: XXXX_2911
Configured for Data and Voice Use
***********************************************************************
^C
banner motd ^C
***********************************************************************
WARNING: This system is for the use of authorized clients only.
Individuals using the computer network system without authorization,
or in excess of their authorization, are subject to having all their
activity on this computer network system monitored and recorded by
system personnel. To protect the computer network system from
unauthorized use and to ensure the computer network system is
functioning properly, system administrators monitor this system.
Anyone using this computer network system expressly consents to such
monitoring and is advised that if such monitoring reveals possible
conduct of criminal activity, system personnel may provide the
evidence of such activity to law enforcement officers.
Access is restricted to authorized users only. Unauthorized access is
a violation of state and federal, civil and criminal laws.
***********************************************************************
^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
logging synchronous
transport input ssh
transport output ssh
line vty 5 15
privilege level 15
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
ntp server 10.13.0.10
!
end

xxxx_2911#

1 Accepted Solution

can you show the output of
show ip ssh


Hulk8647
Level 1

Add this and see if it works,

line vty 0 4
login authentication default

No luck.

I even tried changing the 'transport input ssh' command to 'transport input all' and it's still only allowing telnet.

can you show the output of
show ip ssh

Duh, so obvious.  SSH wasn't enabled.  I thought it was because the keys were showing in running config.  I set up new keys, and I'm good now.  Thanks.

Hi,
Did you create an rsa keypair? If not, enter:
crypto key generate rsa modulus 2048
HTH
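
The check this thread converged on, as an added example that is not part of any post above: `transport input ssh` on the VTY lines only restricts the protocol, while the first line of `show ip ssh` tells you whether the SSH server is actually running. The sample config and command output are constructed, the function names are hypothetical, and the hostname and domain-name checks reflect the IOS prerequisite for generating RSA keys under the default label.

```python
import re

# Constructed inputs modelled on the thread; not captured from a real device.
RUNNING_CONFIG = """\
hostname EXAMPLE_2911
ip domain name example.org
crypto pki trustpoint TP-self-signed-0000000000
rsakeypair TP-self-signed-0000000000
!
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
"""
SHOW_IP_SSH_DISABLED = "SSH Disabled - version 1.99\n"
SHOW_IP_SSH_ENABLED = "SSH Enabled - version 1.99\n"


def vty_transports(running_config):
    """Return {vty block header: protocols on its 'transport input' line}."""
    blocks, current = {}, None
    for raw in running_config.splitlines():
        line = raw.strip()
        if line.startswith("line ") or line == "!":
            # A new line block or a '!' separator closes the previous block.
            current = line if line.startswith("line vty") else None
            if current:
                blocks[current] = []
        elif current and line.startswith("transport input "):
            blocks[current] = line.split()[2:]
    return blocks


def audit_ssh_access(running_config, show_ip_ssh):
    """List reasons why SSH-only management access is not in effect."""
    findings = []
    for block, protos in vty_transports(running_config).items():
        if protos != ["ssh"]:
            shown = " ".join(protos) or "not set explicitly"
            findings.append(f"{block}: transport input is {shown}")
    if not re.search(r"^hostname \S+", running_config, re.M):
        findings.append("no hostname configured")
    if not re.search(r"^ip domain[ -]name \S+", running_config, re.M):
        findings.append("no ip domain name configured")
    # Key pairs are not visible in running-config; the trustpoint stanza is
    # not proof. The first line of 'show ip ssh' is the authoritative state.
    if not re.search(r"^SSH Enabled", show_ip_ssh, re.M):
        findings.append("SSH server disabled: generate RSA keys, "
                        "then re-check 'show ip ssh'")
    return findings
```

With the constructed inputs, the config alone looks correct and only the `show ip ssh` text produces a finding, which matches what the original poster ran into.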