NTP Questions

July 13th, 2019 in ROUTE 300-101

Question 1

Explanation

The command “ntp master [stratum]” is used to configure the device as an authoritative NTP server. You can specify a different stratum level from which NTP clients get their time synchronized. The range is from 1 to 15.

The stratum levels define the distance from the reference clock. A reference clock is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers cannot be used on the network but they are directly connected to computers which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a stratum-2 server… A stratum server may also peer with other stratum servers at the same level to provide more stable and robust time for all devices in the peer group (for example a stratum 2 server can peer with other stratum 2 servers).

Question 2

Explanation

The “ntp broadcast client” command is used in interface configuration mode to allow the device to receive Network Time Protocol (NTP) broadcast packets on that interface.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf012.html#wp1123148

Question 3

Question 4

Explanation

The stratum levels define the distance from the reference clock. A reference clock is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers cannot be used on the network but they are directly connected to computers which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a stratum-2 server. Therefore the lower the stratum level is, the more accurate the NTP server is. When multiple NTP servers are configured, the client will prefer the NTP server with the lowest stratum level.

NTP uses User Datagram Protocol (UDP) port 123.

Question 5

Explanation

First we need to understand some basics about NTP. There are two types of NTP messages:
+ Control messages: for reading and writing internal NTP variables and obtaining NTP status information. They are not used for time synchronization, so we will not care about them in this question.
+ Request/Update messages: for time synchronization. Request messages ask for synchronization information, while Update messages contain synchronization information and may change the local clock.

Four types of NTP access-groups exist to control traffic to the NTP services:
+ Peer: controls which remote devices the local device may synchronize to. In other words, it permits the local router to respond to NTP requests and accept NTP updates.
+ Serve: controls which remote devices may synchronize with the local device. In other words, it permits the local router to reply to NTP requests, but drops NTP updates. This access-group allows control messages.
+ Serve-only: controls which remote devices may synchronize with the local device. In other words, it permits the local router to respond to NTP requests only. This access-group denies control messages.
+ Query-only: only accepts control messages. No responses to NTP requests are sent, and no synchronization of the local system time with a remote system is permitted.

From my experience, you just need to remember:
+ Peer: serve and to be served
+ Serve: serve but not to be served

Therefore in this question:
+ The “ntp access-group peer 2” command says “I can only accept NTP updates and respond to NTP (time) requests from 192.168.1.4”. -> Answer F is correct while answer D is not correct.
+ The “ntp access-group serve 1” command says “I can only reply to time requests (but cannot accept time updates) from 192.168.1.1”. -> Answer A is correct*

The “ntp master 4” indicates it is running as a time source with stratum level of 4 -> Answer B is not correct while answer C is correct.

Answer E is not correct because it can accept time requests from both 192.168.1.1 and 192.168.1.4.

*Note: In fact answer A is incorrect too, because the local router can accept time requests from both 192.168.1.1 and 192.168.1.4 (not only from 192.168.1.1). Maybe this is a mistake in this question.

Question 6

Explanation

To control access to Network Time Protocol (NTP) services on the system, use the ntp access-group command in global configuration mode.

NTP supports “Control messages” and “Request/Update messages”.

+ Control messages are for reading and writing internal NTP variables and obtaining NTP status information. They do not deal with time synchronization itself.
+ NTP Request/Update messages are used for actual time synchronization. A request packet asks for synchronization information; an update packet contains synchronization information and may change the local clock.

When synchronizing system clocks on Cisco IOS devices only Request/Update messages are used. Therefore in this question we only care about “NTP Update message”.

Syntax:

ntp access-group [ipv4 | ipv6] {peer | query-only | serve | serve-only} {access-list-number | access-list-number-expanded | access-list-name} [kod]

+ Peer: permits router to respond to NTP requests and accept NTP updates. NTP control queries are also accepted. This is the only class which allows a router to be synchronized by other devices -> not correct. In other words, the peer keyword enables the device to receive time requests and NTP control queries and to synchronize itself to the servers specified in the access list.
+ Serve-only: permits router to respond to NTP requests only. Rejects attempts to synchronize local system time, and does not accept control queries. In other words, the serve-only keyword enables the device to receive only time requests from servers specified in the access list.
+ Serve: permits router to reply to NTP requests, but rejects NTP updates (e.g. replies from a server or update packets from a peer). Control queries are also permitted. In other words, the serve keyword enables the device to receive time requests and NTP control queries from the servers specified in the access list but not to synchronize itself to the specified servers -> this option is surely correct.

In summary, the answer “serve” is surely correct but the answer “serve-only” seems to be correct too (although the definition is not clear).

An example of using the “ntp access-group” command is shown below:

R1(config)#ntp server 178.240.12.1
R1(config)#access-list 2 permit 165.16.4.1 0.0.0.0
R1(config)#access-list 2 deny any
! peer only with 165.16.4.1
R1(config)#ntp access-group peer 2
R1(config)#access-list 3 permit 160.1.0.0 0.0.255.255
R1(config)#access-list 3 deny any
! provide time services only to internal network 160.1.0.0/16
R1(config)#ntp access-group serve-only 3

Reference:

+ http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html
+ http://blog.ine.com/2008/07/28/ntp-access-control/
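
The following Python model is an added example, not part of the original explanation or of any Cisco tooling. It evaluates the R1 configuration above for a given source address, combining standard-ACL wildcard matching with the access-group definitions from this explanation. The function and constant names are hypothetical, and the scan order (peer, serve, serve-only, query-only, least to most restrictive) follows the documented IOS behaviour.

```python
import ipaddress

REQUEST, UPDATE, CONTROL = "time-request", "time-update", "control-query"

# Message classes each keyword admits, as defined in the explanation above.
PERMITS = {
    "peer": {REQUEST, UPDATE, CONTROL},
    "serve": {REQUEST, CONTROL},
    "serve-only": {REQUEST},
    "query-only": {CONTROL},
}
# IOS scans the groups from least to most restrictive; the first group whose
# ACL permits the source decides what that source may do.
SCAN_ORDER = ("peer", "serve", "serve-only", "query-only")

ANY = ("0.0.0.0", "255.255.255.255")  # "any" written as address + wildcard


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def acl_permits(acl, src):
    """Standard ACL: first matching entry wins, implicit deny at the end."""
    for action, addr, wildcard in acl:
        care = ~ip_int(wildcard) & 0xFFFFFFFF  # wildcard 0-bits must match
        if (ip_int(src) & care) == (ip_int(addr) & care):
            return action == "permit"
    return False


def allowed_messages(access_groups, acls, src):
    """Return (matching keyword, set of permitted message classes) for src."""
    if not access_groups:  # no access-group configured: nothing is filtered
        return "unrestricted", {REQUEST, UPDATE, CONTROL}
    for keyword in SCAN_ORDER:
        acl_id = access_groups.get(keyword)
        if acl_id is not None and acl_permits(acls[acl_id], src):
            return keyword, PERMITS[keyword]
    return None, set()


# The R1 configuration from the example above.
R1_ACLS = {
    2: [("permit", "165.16.4.1", "0.0.0.0"), ("deny", *ANY)],
    3: [("permit", "160.1.0.0", "0.0.255.255"), ("deny", *ANY)],
}
R1_GROUPS = {"peer": 2, "serve-only": 3}

if __name__ == "__main__":
    # 160.1.77.9 is a constructed host inside 160.1.0.0/16.
    for src in ("165.16.4.1", "160.1.77.9", "178.240.12.1"):
        keyword, msgs = allowed_messages(R1_GROUPS, R1_ACLS, src)
        print(f"{src:<14} {keyword or 'no match':<11} {sorted(msgs)}")
```

In this model 178.240.12.1, the address given to "ntp server", matches neither ACL, so its updates would be dropped; an upstream time source has to be permitted by the ACL behind the peer access-group.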

Question 7

Question 8

Explanation

The output indicates that the local device did not receive the NTP update successfully so something went wrong during the transmission.

Question 9

Explanation

NTP operates in four different modes.
+ Server Mode is configured such that a device will synchronize NTP clients. Servers can be configured to synchronize all clients or only a specific group of clients. NTP servers, however, will not accept synchronization information from their clients. This restriction will not allow clients to update or manipulate a server’s time settings.
+ Client Mode is configured to allow a device to set its clock by, and be synchronized by, an external timeserver. NTP clients can be configured to use multiple servers to set their local time and can be configured to give preference to the most accurate time sources available to them. They will not, however, provide synchronization services to any other devices.
+ Peer Mode is when one NTP-enabled device does not have any authority over another. With the peering model, each device will share its time information with its peer. Additionally, each device can also provide time synchronization to the other.
+ Broadcast/Multicast Mode is a special server mode where the NTP server broadcasts its synchronization information to all clients. Broadcast mode requires that clients be on the same subnet as the server, and multicast mode requires that clients and servers have multicast capabilities configured.

Reference: http://www.pearsonitcertification.com/articles/article.aspx?p=1851440

“Interface” is not an NTP mode so answer A is not correct.

In “peer” mode we certainly don’t need to use the “trusted-key” command for authentication, so answer C is not correct.

Question 10

Explanation

An example of the output of this command is shown below:

Router#show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.2.65        10.1.2.33        11    36    64  377    27.9   25.17    30.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

If there’s an asterisk (*) next to a configured peer, then you are synced to this peer and using them as the master clock. As long as one peer is the master then everything is fine. However, the key to knowing that NTP is working properly is looking at the value in the reach field.

The reach field is a circular bit buffer. It gives you the status of the last eight NTP messages (eight bits in octal is 377, so you want to see a reach field value of 377). If an NTP response packet is lost, the missing packet is tracked over the next eight NTP update intervals in the reach field. For more information about this field please read http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-110/15171-ntpassoc.html
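
The reach check described above can be automated. This Python sketch is an added example, not part of the original explanation; it parses one row of “show ntp associations”, expands the octal reach value into its eight-poll history and reports what an operator should look at. The function names are hypothetical, PAGE_LINE is the row shown above, and CONSTRUCTED_LINE is a made-up unreachable peer.

```python
FLAG_CHARS = "*#+-~"  # status characters from the legend under the table

PAGE_LINE = "*~10.1.2.65        10.1.2.33        11    36    64  377    27.9   25.17    30.0"
# Constructed sample: a configured peer that has never answered.
CONSTRUCTED_LINE = " ~10.1.2.66        .INIT.           16     -    64    0     0.0    0.00  16000."


def decode_reach(reach_octal):
    """Expand the octal reach value into the history of the last 8 polls."""
    value = int(reach_octal, 8)
    if not 0 <= value <= 0o377:
        raise ValueError(f"reach must be 0..377 octal, got {reach_octal!r}")
    bits = format(value, "08b")  # leftmost bit = oldest poll, rightmost = newest
    return {
        "bits": bits,
        "received": bits.count("1"),
        # A 0 bit is a missed reply, or a poll that has not happened yet
        # shortly after the association was created.
        "lost": bits.count("0"),
        "last_poll_ok": bits[-1] == "1",
    }


def parse_association(line):
    """Split one table row into its nine columns and peel off the flags."""
    tokens = line.split()
    if len(tokens) != 9:
        raise ValueError(f"expected 9 columns, got {len(tokens)}")
    address, flags = tokens[0], ""
    while address and address[0] in FLAG_CHARS:
        flags, address = flags + address[0], address[1:]
    return {
        "flags": flags,
        "address": address,
        "ref_clock": tokens[1],
        "stratum": int(tokens[2]),
        "reach": tokens[5],
    }


def assess(line):
    """Return a list of findings; an empty list means the peer looks healthy."""
    assoc = parse_association(line)
    reach = decode_reach(assoc["reach"])
    findings = []
    if "*" not in assoc["flags"]:
        findings.append("not the synced master")
    if reach["received"] == 0:
        findings.append("no reply in the last 8 polls")
    elif reach["lost"]:
        findings.append(f"{reach['lost']} of the last 8 polls unanswered")
    return findings


if __name__ == "__main__":
    for row in (PAGE_LINE, CONSTRUCTED_LINE):
        print(parse_association(row)["address"], assess(row) or "healthy")
```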

Question 11

Question 12

Explanation

The command “ntp master [stratum]” is used to configure the device as an authoritative NTP server. You can specify a different stratum level from which NTP clients get their time synchronized. The range is from 1 to 15.

The stratum levels define the distance from the reference clock. A reference clock is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers cannot be used on the network but they are directly connected to computers which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a stratum-2 server… A stratum server may also peer with other stratum servers at the same level to provide more stable and robust time for all devices in the peer group (for example a stratum 2 server can peer with other stratum 2 servers).

Comments
  1. abdo996
    April 9th, 2017

    failed the exam within 710 a lot of NTP, AAA, frame-relay have appeared in the new exam pool

  2. abdo996
    April 11th, 2017

    how can buy cisco ccnp routing & switching V 2.0 ?

  3. AnyMaster
    July 13th, 2017

    Which three NTP operating modes must the trusted-Key command be configured on for
    authentication to operate properly? (Choose Three)
    A. interface
    B. client
    C. peer
    D. server
    E. broadcast

    Correct Ans: B, C, E.
    See: http://www.cisco.com/c/en/us/support/docs/availability/high-availability/19643-ntpm.html
    ‘B’ because: “In some contexts, this would be described as a poll operation, in that the client polls the time and authentication data from the server. A client is configured in client mode by using the server command and specifying the domain name server (DNS) name or address.”
    ‘C’ because: “Since an intruder can impersonate a symmetric active peer and inject false time values, symmetric mode should always be authenticated”.
    ‘E’ because: “Since an intruder can impersonate a broadcast server and inject false time values, this mode should always be authenticated”.

  4. acme
    July 18th, 2017

    @anymaster
    BDE

  5. Chief
    August 7th, 2017

    @AnyMaster, @acme

    B, C, E is the correct answer

    After doing some lab testing I found the following:
    Basically the device that is requesting the update has to trust the configured key.
    In Client\Server Mode: the trusted-key command had to be configured on the Client but not the server.

    Peer Mode: trusted-key command had to be configured on the less trustworthy peer to sync with the peer.

    Broadcast: trusted-key command had to be configured on the device that was in broadcast client mode but not on the device that was in broadcast mode.

  6. ali
    August 22nd, 2017

    @digitalut

    can u check once which is the correct answer?
    BDE or BCE

    Which three NTP operating modes must the trusted-key command be configured on for authentication to operate properly? (Choose three)
    A. interface
    B. client
    C. peer
    D. server
    E. broadcast

    Answer: B D E (?)

  7. Anonymous
    August 25th, 2017

    Failed today with 760 pts…all labs the same..loads of new questions ..and simlets…all dumps outdated..study hard chaps
    And also loads of routers commands questions for IPv6 EVN and NAT-PT

  8. Steffy
    August 28th, 2017

    Hello guys, for latest valid dump with continuous update, please contact me at steffyshirls @ gmail .com

  9. Anonymous
    August 29th, 2017

    I also failed with 760, lots of PPP, EVN, IPv6 questions

  10. Anonymous
    September 13th, 2017

    steffy I have just emailed you , can you please update me with the valid dumps.

  11. cl
    September 29th, 2017

    Which three NTP operating modes must the trusted-key command be configured on for authentication to operate properly? (Choose three)
    A. interface
    B. client
    C. peer
    D. server
    E. broadcast
    Correct: B,C,E.
    Interface is not a NTP operating mode and server mode does not need trusted-key command. It is the client that specifies in the NTP request which key the server should use to authenticate the response.

  12. Anonymous
    October 2nd, 2017

    Q9 Which three NTP operating modes must the trusted-key command be configured on for authentication to operate properly? (Choose three)
    A. interface
    B. client
    C. peer
    D. server
    E. broadcast
    CDE, imho. The question means (trusted-key command be configured on). On a Cisco router there are:

    ntp peer 1.1.1.1 ?
    burst Send a burst when peer is reachable
    iburst Send a burst when peer is unreachable
    key Configure peer authentication key

    ntp server 1.1.1.1 ?
    burst Send a burst when peer is reachable
    iburst Send a burst when peer is unreachable
    key Configure peer authentication key

    (config-subif)#ntp broadcast ?
    client Listen to NTP broadcasts
    destination Configure broadcast destination address
    key Configure broadcast authentication key

  13. Galen
    November 9th, 2017

    Thanks all, done with the router. 539q dumps from IT-Libraries are valid. Practice the labs since the ips change on the exam

  14. durshen
    November 11th, 2017

    Hello everyone, I have the valid dump with me and I’m willing to share. Please contact me via durshen81 @ gmail .com

  15. Stuart
    November 14th, 2017

    Passed used the 21q dumps from IT-Libraries

  16. Anonymous
    November 24th, 2017

    according to this http://blog.ine.com/2007/12/28/how-does-ntp-authentication-work/, it is on server, peer, and broadcast

  17. Louis
    November 28th, 2017

    Smashed my route exam today, 9xx used the dumps from it libraries and tut.

  18. Refugio
    December 5th, 2017

    Confirming the 440q dumps are valid. I used the ones from it Libaries.

  19. durshen
    December 13th, 2017

    Hi guys, I’m willing to share valid dumps that guarantee you pass. Please contact me via durshen81 @ gmail .com

  20. 690/1000
    December 15th, 2017

    Q5 , Q6 in exam.

  21. durshen
    December 19th, 2017

    Hi buddies, I have the valid dump with me and I’m willing to share. Please contact me via durshen81 @ gmail .com

  22. 1WAY
    January 10th, 2018

    Q6. Seems to me A,B & D are all correct?

  23. ccnp83
    January 31st, 2018

    q8 how can they say the Auth has failed or the traffic is blocked. Nothing in the output suggests this? Can anyone help please.

  24. Anonymous
    February 1st, 2018

    https://learningnetwork.cisco.com/thread/55433. This link helps answer the question.

  25. bluephoenix
    April 11th, 2018

    Which three NTP operating modes must the trusted-Key command be configured on for
    authentication to operate properly? (Choose Three)
    A. interface
    B. client
    C. peer
    D. server
    E. broadcast

    Correct Ans: B, D, E.

    See http://doc.ntp.org/3-5.93e/confopt.html

    Please let me know if you have found a Cisco doc that is clear enough to explain this…

  26. Anonymous
    May 15th, 2018

    Dumb question…when someone says they studied 21q dumps or that the 440 dumps are valid, what does that mean?

  27. pazi
    June 30th, 2018

    The server does not need to authenticate the client, as it is server it cannot not be hacked by the client.

    The client, on the other hand, needs to be sure that the server is the good one. The “trusted key” command is configured on the client side, the server side has the key but not the command “trusted key”

    I found the tests here : http://blog.ine.com/2007/12/28/how-does-ntp-authentication-work/

    B, C, E

  28. Lheyra
    July 6th, 2018

    @pazi: Check the comments on your link, this behavior is not valid anymore and trusted key has to be used.

  29. Raito
    July 18th, 2018

    “Dumb question…when someone says they studied 21q dumps or that the 440 dumps are valid, what does that mean?”

    That means that the files which contain 21 questions or 440 questions are valid. Usually dumps are offered as .vce files and have names as e.g. “300-101_CiscoDumps_by_Hero123_21q.vce”. If you go to other sites, you will recognize what I mean.

  30. _saiko
    September 30th, 2018

    Q9, one of the most mystic questions here lol.

    Why not B, C, D?

    NTP operating modes can actually be either client, server or peer.

    Broadcast/multicast/unicast are the L3 transport modes. So a host can be a broadcast ntp client and server.
    Also considering >12.4 releases require trusted-key to be configured on both client and server this would make the most sense to me.
    But who knows what the author of the question meant…

  31. Dmitry
    October 11th, 2018

    Q9 correct answers are B,D,E.
    You can read this:
    https://learningnetwork.cisco.com/thread/55433
    especially the last comment.

  32. Q9- Agree with Saiko. B, C, D
    October 11th, 2018

    NTP authentication deals with a NTP “requestor” ensuring the credibility/authenticity of the NTP source.

    A server only needs the trusted-key command when it wants to authenticate a time source, example stratum 3 time server to stratum 2 time source. D is correct (but sketchy since it’s not always required).

    ntp
    authenticate **authentication required for NTP request/update**
    authentication-key 10 md5 NTP key1 **creates key 10 using MD5 hash with logical id key1**
    trusted-key 10 **use key 10 for NTP authentication**

    Similarly, Clients and Peers need the trusted-key command to authenticate their time sources (either a server or another peer). B and C are both correct.

    ntp
    authenticate **authentication required for NTP request/update**
    authentication-key 10 md5 NTP key1 **creates key 10 using MD5 hash with logical id key1**
    trusted-key 10 **use key 10 for NTP authentication**

    Broadcast is a NTP interface command that allows you to make a call to the previously defined authentication key.

    ntp **ntp configuration mode**
    interface fa0/0 **ntp interface configuration mode**
    broadcast destination 10.0.0.0 key 10 **sends key 10 in broadcast packet from fa0/0**

  33. _saiko
    October 13th, 2018

    @Dmitry and how does that link lead to B (cli), D (serve), E (broadcast) answer? :)
    That last comment merely states that prior to 12.4 IOS release trusted-key wasn’t needed on the server side. It also explains what the trusted-key actually does – simply activates the key for even being used.

    Why would B, D, E be correct, i.e. why wouldn’t ntp in peer mode need the trusted key??

  34. RouteRider
    October 24th, 2018

    We can ntp broadcast on interface level and there isn’t trusted-key command only key command!

    R1(config-if)#ntp ?
    broadcast Configure NTP broadcast service
    disable Disable NTP
    multicast Configure NTP multicast service

    R1(config-if)#ntp broadcast ?
    client Listen to NTP broadcasts
    destination Configure broadcast destination address
    key Configure broadcast authentication key
    version Configure NTP version

    In my opinion the correct answer B,C,D…
    All of them has trusted-key command.

  35. Dany1
    December 5th, 2018

    Question 9 B.D,E
    NTP operation mode are client/server/broadcast. Practically there are 3 association modes:

    1. CLient/Server
    2. Symmetrical Active/Passive
    3. Broadcast/Multicast

    peer is way of configuration for ntp access control, using ntp access-group command (peer | serve| serve-only| query-only). NTP Access Control is a method of limit type of NTP access and NTP source associated with router.
    By contrary, Cisco has a second method to validate IDENTITY of NTP SOURCE and that is NTP authentication. Will validate by configure authentication on:
    1. NTP Request/NTP Response in CLient/Server Message
    2. NTP broadcast/multicast message, by configure NTP server and NTP client with ntp authentication, ntp authentication-key and ntp trusted-key( see CISCO notes “For auth purposes on pre-12.4T versions “ntp authentication-key” was enough on NTP server side, sync was working without “ntp trusted-key”.
    Since 12.4T you will issue matching “ntp trusted-key” command both on client and server.”
    https://learningnetwork.cisco.com/thread/122470

  36. Anonymous
    May 14th, 2019

    Can somebody explain Q6 please? Thanks a lot

  37. Chuckzero
    August 11th, 2019

    The correct answer is BCE. Emphasis on “MUST” the trusted-key commands be configured.

    We have four NTP operational modes
    1. Client
    2. Peer
    3. Server
    4. Broadcast/Multicast

    Routers do not circulate broadcast messages, so Broadcast mode is used in the same subnet. Broadcast mode is intended for configurations featuring one or a few servers or a potentially large network. You can use trusted-key in the same subnet, but it is not a must.
