NTP Questions
Question 1
Explanation
The command “ntp master [stratum]” is used to configure the device as an authoritative NTP server. You can specify a different stratum level from which NTP clients get their time synchronized. The range is from 1 to 15.
The stratum levels define the distance from the reference clock. A reference clock is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers cannot be used on the network but they are directly connected to computers which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.
A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a stratum-2 server… A stratum server may also peer with other stratum servers at the same level to provide more stable and robust time for all devices in the peer group (for example a stratum 2 server can peer with other stratum 2 servers).
Question 2
Explanation
The “ntp broadcast client” command is used under interface mode to allow the device to receive Network Time Protocol (NTP) broadcast packets on that interface
Question 3
Question 4
Explanation
The stratum levels define the distance from the reference clock. A reference clock is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers cannot be used on the network but they are directly connected to computers which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.
A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a stratum-2 server. Therefore the lower the stratum level is, the more accurate the NTP server is. When multiple NTP servers are configured, the client will prefer the NTP server with the lowest stratum level.
NTP uses User Datagram Protocol (UDP) port 123.
Question 5
Explanation
First we need to understand some basic knowledge about NTP. There are two types of NTP messages:
+ Control messages: for reading and writing internal NTP variables and obtain NTP status information. It is not used for time synchronization so we will not care about them in this question.
+ Request/Update messages: for time synchronization. Request messages ask for synchronization information while Update messages contains synchronization information and may change the local clock.
There are four types of NTP access-groups exist to control traffic to the NTP services:
+ Peer: controls which remote devices the local device may synchronize. In other words, it permits the local router to respond to NTP request and accept NTP updates.
+ Serve: controls which remote devices may synchronize with the local device. In other words, it permits the local router to reply to NTP requests, but drops NTP update. This access-group allows control messages.
+ Serve-only: controls which remote devices may synchronize with the local device. In other words, it permits the local router to respond to NTP requests only. This access-group denies control messages.
+ Query-only: only accepts control messages. No response to NTP requests are sent, and no local system time synchronization with remote system is permitted.
| From my experience, you just need to remember: + Peer: serve and to be served + Serve: serve but not to be served |
Therefore in this question:
+ The “ntp access-group peer 2” command says “I can only accept NTP updates and respond to NTP (time) requests from 192.168.1.4“. -> Answer F is correct while answer D is not correct.
+ The “ntp access-group serve 1” command says “I can only reply to time requests (but cannot accept time update) from 192.168.1.1 ” -> Answer A is correct*
The “ntp master 4” indicates it is running as a time source with stratum level of 4 -> Answer B is not correct while answer C is correct.
Answer E is not correct because it can accept time requests from both 192.168.1.1 and 192.168.1.4.
*Note: In fact answer A is incorrect too because the local router can accept time requests from both 192.168.1.1 and 192.168.1.4 (not only from 192.168.1.1). Maybe this is an mistake of this question.
Question 6
Explanation
To control access to Network Time Protocol (NTP) services on the system, use the ntp access-group command in global configuration mode.
NTP supports “Control messages” and “Request/Update messages”.
+ Control messages are for reading and writing internal NTP variables and obtaining NTP status information. Not to deal with time synchronization itself.
+ NTP request/Update messages are used for actual time synchronization. Request packet obviously asks for synchronization information, and update packet contains synchronization information, and may change local clock.
When synchronizing system clocks on Cisco IOS devices only Request/Update messages are used. Therefore in this question we only care about “NTP Update message”.
Syntax:
ntp access-group [ipv4 | ipv6] {peer | query-only | serve | serve-only} {access-list-number | access-list-number-expanded | access-list-name} [kod]
+ Peer: permits router to respond to NTP requests and accept NTP updates. NTP control queries are also accepted. This is the only class which allows a router to be synchronized by other devices -> not correct. In other words, the peer keyword enables the device to receive time requests and NTP control queries and to synchronize itself to the servers specified in the access list.
+ Serve-only: Permits router to respond to NTP requests only. Rejects attempt to synchronize local system time, and does not access control queries. In other words, the serve-only keyword enables the device to receive only time requests from servers specified in the access list.
+ Serve: permits router to reply to NTP requests, but rejects NTP updates (e.g. replies from a server or update packets from a peer). Control queries are also permitted. In other words, the serve keyword enables the device to receive time requests and NTP control queries from the servers specified in the access list but not to synchronize itself to the specified servers -> this option is surely correct.
In summary, the answer “serve” is surely correct but the answer “serve-only” seems to be correct too (although the definition is not clear).
An example of using the “ntp access-group” command is shown below:
| R1(config)#ntp server 178.240.12.1 R1(config)#access-list 2 permit 165.16.4.1 0.0.0.0 R1(config)#access-list 2 deny any R1(config)#ntp access-group peer 2 // peer only to 165.16.4.1 R1(config)#access-list 3 permit 160.1.0.0 0.0.255.255 R1(config)#access-list 3 deny any R1(config)#ntp access-group serve-only 3 //provide time services only to internal network 160.1.0.0/16 |
Reference:
+ http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bsm/command/bsm-cr-book/bsm-cr-n1.html
+ http://blog.ine.com/2008/07/28/ntp-access-control/
Question 7
Question 8
Explanation
The output indicates that the local device did not receive the NTP update successfully so something went wrong during the transmission.
Question 9
Explanation
NTP operates in four different modes.
+ Server Mode is configured such that a device will synchronize NTP clients. Servers can be configured to synchronize all clients or only a specific group of clients. NTP servers, however, will not accept synchronization information from their clients. This restriction will not allow clients to update or manipulate a server’s time settings.
+ Client Mode is configured used to allow a device to set its clock by and synchronized by an external timeserver. NTP clients can be configured to use multiple servers to set their local time and can be configured to give preference to the most accurate time sources available to them. They will not, however, provide synchronization services to any other devices.
+ Peer Mode is when one NTP-enabled device does not have any authority over another. With the peering model, each device will share its time information with its peer. Additionally, each device can also provide time synchronization to the other.
+ Broadcast/Multicast Mode is a special server mode where the NTP server broadcasts its synchronization information to all clients. Broadcast mode requires that clients be on the same subnet as the server, and multicast mode requires that clients and servers have multicast capabilities configured.
Reference: http://www.pearsonitcertification.com/articles/article.aspx?p=1851440
“Interface” is not a NTP mode so answer A is not correct.
It is sure that in “peer” mode we don’t need to use the “trusted-key” command for authentication so answer C is not correct.
Question 10
Explanation
An example of the output of this command is shown below:
Router#show ntp associations
address ref clock st when poll reach delay offset disp
*~10.1.2.65 10.1.2.33 11 36 64 377 27.9 25.17 30.0
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
If there’s an asterisk (*) next to a configured peer, then you are synced to this peer and using them as the master clock. As long as one peer is the master then everything is fine. However, the key to knowing that NTP is working properly is looking at the value in the reach field.
The reach field is a circular bit buffer. It gives you the status of the last eight NTP messages (eight bits in octal is 377, so you want to see a reach field value of 377). If an NTP response packet is lost, the missing packet is tracked over the next eight NTP update intervals in the reach field. For more information about this field please read http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-110/15171-ntpassoc.html
Question 11
Question 12
Explanation
The command “ntp master [stratum]” is used to configure the device as an authoritative NTP server. You can specify a different stratum level from which NTP clients get their time synchronized. The range is from 1 to 15.
The stratum levels define the distance from the reference clock. A reference clock is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers cannot be used on the network but they are directly connected to computers which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.
A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a stratum-2 server… A stratum server may also peer with other stratum servers at the same level to provide more stable and robust time for all devices in the peer group (for example a stratum 2 server can peer with other stratum 2 servers).
failed the exam within 710 a lot of NTP, AAA, frame-relay have appeared in the new exam pool
how can buy cisco ccnp routing & switching V 2.0 ?
Which three NTP operating modes must the trusted-Key command be configured on for
authentication to operate properly? (Choose Three)
A. interface
B. client
C. peer
D. server
E. broadcast
Correct Ans: B, C, E.
See: http://www.cisco.com/c/en/us/support/docs/availability/high-availability/19643-ntpm.html
‘B’ because : “In some contexts, this would be described as a poll operation, in that the client polls the time and authentication data from the server. A client is configured in client mode by using the server command and specifying the domain name server (DNS) name or address.”
‘C’ because : Since an intruder can impersonate a symmetric active peer and inject false time values, symmetric mode should always be authenticated”.
‘E’ because : Since an intruder can impersonate a broadcast server and inject false time values, this mode should always be authenticated”.
@anymaster
BDE
@AnyMaster, @acme
B, C, E is the correct answer
After doing some lab testing I found the following:
Basically the device that is requesting the update have to trust the configured key.
in Client\Server Mode: the trusted-key command had to be configured on the Client but not the server.
Peer Mode: trusted-key command had to be configured on the less trustworthy peer to sync with the peer.
Broadcast: trusted-key command had to be configured on the device that was in broadcast client mode but not on the device that was in broadcast mode.
@digitalut
can u check once which is the correct answer?
BDE or BCE
Which three NTP operating modes must the trusted-key command be configured on for authentication to operate properly? (Choose three)
A. interface
B. client
C. peer
D. server
E. broadcast
Answer: B D E (?)
Failed today with 760 pts…all labs the same..loads of new questions ..and simlets…all dumps outdated..study hard chaps
And also loads of routers commands questions for IPv6 EVN and NAT-PT
Hello guys, for latest valid dump with continuous update, please contact me at steffyshirls @ gmail .com
I also failed with 760, lots of PPP, EVN, IPv6 questions
steffy I have just emailed you , can you please update me with the valid dumps.
Which three NTP operating modes must the trusted-key command be configured on for authentication to operate properly? (Choose three)
A. interface
B. client
C. peer
D. server
E. broadcast
Correct: B,C,E.
Interface is not a NTP operating mode and server mode does not need trusted-key command. It is the client that specifies in the NTP request which key the server should use to authenticate the response.
Q9 Which three NTP operating modes must the trusted-key command be configured on for authentication to operate properly? (Choose three)
A. interface
B. client
C. peer
D. server
E. broadcast
CDE, imho. Question mean (trusted-key command be configured щn). On cisco router there are:
ntp peer 1.1.1.1 ?
burst Send a burst when peer is reachable
iburst Send a burst when peer is unreachable
key Configure peer authentication key
ntp server 1.1.1.1 ?
burst Send a burst when peer is reachable
iburst Send a burst when peer is unreachable
key Configure peer authentication key
(config-subif)#ntp broadcast ?
client Listen to NTP broadcasts
destination Configure broadcast destination address
key Configure broadcast authentication key
Thanks all, done with the router. 539q dumps from IT-Libraries are valid. Practice the labs since the ips change on the exam
Hello everyone, I have the valid dump with me and I’m wiling to share. Please contact me via durshen81 @ gmail .com
Passed used the 21q dumps from IT-Libraries
according to this http://blog.ine.com/2007/12/28/how-does-ntp-authentication-work/, it is on server, peer, and broadcast
Smashed my route exam today, 9xx used the dumps from it libraries and tut.
Confirming the 440q dumps are valid. I used the ones from it Libaries.
Hi guys, I’m willing to share valid dumps that guarantee you pass. Please contact me via durshen81 @ gmail .com
Q5 , Q6 in exam.
Hi buddies, I have the valid dump with me and I’m wiling to share. Please contact me via durshen81 @ gmail .com
Q6. Seems to me A,B & D are all correct?
q8 how can they say the Auth has failed or the traffic is blocked.Nothing in the output suggests this?Can anyone help please.
https://learningnetwork.cisco.com/thread/55433. This link helps answer the question.
Which three NTP operating modes must the trusted-Key command be configured on for
authentication to operate properly? (Choose Three)
A. interface
B. client
C. peer
D. server
E. broadcast
Correct Ans: B, D, E.
See http://doc.ntp.org/3-5.93e/confopt.html
Please let me know if you have found a Cisco doc that is clear enough to explain this…
Dumb question…when someone says they studied 21q dumps or that the 440 dumps are valid, what does that mean?
The server does not need to authenticate the client, as it is server it cannot not be hacked by a the client.
The client, in the other hand, need to be sure that the server is the good one. The “trusted key” command is configured on the client side, the server side has the key but not the command “trusted key”
I found the tests here : http://blog.ine.com/2007/12/28/how-does-ntp-authentication-work/
B, C, E
@pazi: Check the comments on your link, this behavior is not valid anymore and trusted key has to be used.
“Dumb question…when someone says they studied 21q dumps or that the 440 dumps are valid, what does that mean?”
That means that the files which contain 21 questions or 440 questions are valid. Usually dumps are offered as .vce files and have names as e.g. “300-101_CiscoDumps_by_Hero123_21q.vce”. If you go to other sites, you will recognize what I mean.
Q9, one of the most mystic questions here lol.
Why not B, C, D?
NTP operating modes can actually be either client, server or peer.
Broadcast/multicast/unicast are the L3 transport modes. So a host can be a broadcast ntp client and server.
Also considering >12.4 releases require trusted-key to be configured on both client and server this would make the most sense to me.
But who knows what the author of the question meant…
Q9 correct answers are B,D,E.
You can read this:
https://learningnetwork.cisco.com/thread/55433
especially the last comment.
NTP authentication deals with a NTP “requestor” ensuring the credibility/authenticity of the NTP source.
A server only needs the trusted-key command when it wants to authenticate a time source, example stratum 3 time server to stratum 2 time source. D is correct (but sketchy since it’s not always required).
ntp
authenticate **authentication required for NTP request/update**
authentication-key 10 md5 NTP key1 **creates key 10 using MD5 hash with logical id key1**
trusted-key 10 **use key 10 for NTP authentication**
Similarly, Clients and Peers need the trusted-key command to authenticate their time sources (either a server or another peer). B and C are both correct.
ntp
authenticate **authentication required for NTP request/update**
authentication-key 10 md5 NTP key1 **creates key 10 using MD5 hash with logical id key1**
trusted-key 10 **use key 10 for NTP authentication**
Broadcast is a NTP interface command that allows you to make a call to the previously defined authentication key.
ntp **npt configuration mode**
interface fa0/0 **ntp interface configuration mode**
broadcast destination 10.0.0.0 key 10 **sends key 10 in broadcast packet from fa0/0**
@Dmitry and how does that link lead to B (cli), D (serve), E (broadcast) answer? :)
That last comment merely states that prior to 12.4 IOS release trusted-key wasn’t needed on the server side. It also explains what the trusted-key actually does – simply activates the key for even being used.
Why would B, D, E be correct, i.e. why wouldn’t ntp in peer mode need the trusted key??
We can ntp broadcast on interface level and there isn’t trusted-key command only key command!
R1(config-if)#ntp ?
broadcast Configure NTP broadcast service
disable Disable NTP
multicast Configure NTP multicast service
R1(config-if)#ntp broadcast ?
client Listen to NTP broadcasts
destination Configure broadcast destination address
key Configure broadcast authentication key
version Configure NTP version
In my opinion the correct answer B,C,D…
All of them has trusted-key command.
Question 9 B.D,E
NTP operation mode are client/server/broadcast. Practically there are 3 association modes:
1. CLient/Server
2. Symmetrical Active/Passive
3. Broadcast/Multicast
peer is way of configuration for ntp access control, using ntp access-group command (peer | serve| serve-only| query-only). NTP Access Control is a method of limit type of NTP access and NTP source associated with router.
By contrary, Cisco has a second method to validate IDENTITY of NTP SOURCE and that is NTP authentication. Will validate by configure authentication on:
1. NTP Request/NTP Response in CLient/Server Message
2. NTP broadcast/multicast message, by configure NTP server and NTP client with ntp authentication, ntp authentication-key and ntp trusted-key( see CISCO notes “For auth purposes on pre-12.4T versions “ntp authentication-key” was enough on NTP server side, sync was working without “ntp trusted-key”.
Since 12.4T you will issue matching “ntp trusted-key” command both on client and server.”
https://learningnetwork.cisco.com/thread/122470
Can somebody explain Q6 please? Thanks a lot
The correct answer is BCE. Emphasis on “MUST” the trusted-key commands be configured.
We have four NTP operational modes
1. Client
2. Peer
3. Server
4. Broadcast/Multicast
Routers do not circulate broadcast messages, so Broadcast mode is used in same subnet. Broadcast modes is purposed for configurations featuring one or a few severs or a potentially large network. you can use trusted-key in same subnet, but it is not a must.