
200-301 Exam - Question 568


R1 as an NTP server must have:

✑ NTP authentication enabled

✑ NTP packets sourced from Interface loopback 0

✑ NTP stratum 2

✑ NTP packets only permitted to client IP 209.165.200.225

How should R1 be configured?

Correct Answer: C

The correct configuration ensures that R1 functions as an NTP server with specific requirements. It uses MD5 for NTP authentication, sources NTP packets from loopback 0, and sets NTP as a master with stratum level 2. Additionally, the access group is configured to serve NTP requests only to the specified IP address. The correct standard access control list permits the IP address 209.165.200.225 without specifying protocols or ports, as standard ACLs filter solely based on source IP addresses.
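
The checks described in this explanation, applied to all four answer options, as an added example that is not part of the exam or the original page. The option text is taken from the discussion on this page; the function names, and the decision to accept the options' server-only spelling alongside serve-only, are assumptions of this example.

```python
import re

# The four answer options as quoted in the discussion on this page.
BASE = ("ntp authenticate\nntp authentication-key 2 {alg} CISCO123\n"
        "ntp {src} Loopback0\nntp access-group server-only 10\nntp {role} 2\n"
        "access-list 10 permit {acl}\n")
STD, EXT = "209.165.200.225", "udp host 209.165.200.225 any eq 123"
OPTIONS = {
    "A": BASE.format(alg="sha1", src="source", role="master", acl=EXT),
    "B": BASE.format(alg="md5", src="interface", role="stratum", acl=STD),
    "C": BASE.format(alg="md5", src="source", role="master", acl=STD),
    "D": BASE.format(alg="md5", src="source", role="stratum", acl=EXT),
}

def is_standard(num):
    # Standard numbered ACL ranges on IOS: 1-99 and 1300-1999.
    return 1 <= num <= 99 or 1300 <= num <= 1999

def audit(config, client="209.165.200.225"):
    """Return findings for one candidate config; an empty list means it passes."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    found = []
    if "ntp authenticate" not in lines:
        found.append("NTP authentication not enabled")
    if not any(re.fullmatch(r"ntp authentication-key \d+ md5 \S+", ln) for ln in lines):
        found.append("no MD5 authentication key")  # MD5 per the page's explanation
    if "ntp source Loopback0" not in lines:
        found.append("NTP packets not sourced from Loopback0")
    if "ntp master 2" not in lines:
        found.append("stratum 2 not set with 'ntp master 2'")
    # Assumption: 'server-only' is accepted because every option on the page
    # spells it that way; commenters note the real keyword is 'serve-only'.
    grp = [m for ln in lines
           if (m := re.fullmatch(r"ntp access-group serve(?:r)?-only (\d+)", ln))]
    if not grp:
        return found + ["no serve-only access group"]
    num = int(grp[0].group(1))
    entries = [ln.split()[2:] for ln in lines if ln.startswith(f"access-list {num} ")]
    ok = (["permit", client], ["permit", "host", client], ["permit", client, "0.0.0.0"])
    if not is_standard(num):
        found.append(f"ACL {num} is not a standard ACL number")
    elif not entries or any(e not in ok for e in entries):
        found.append(f"standard ACL {num} must only permit source {client}")
    return found

def passing_options():
    return [name for name, cfg in OPTIONS.items() if not audit(cfg)]
```
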

Discussion

16 comments
splashy (Option: C)
Jul 27, 2022

C seems correct, it's an ACL question. 10 is a standard ACL number, so A and D are wrong because they are extended ACLs. NTP Master 2 makes the router an NTP server with stratum level 2.

AbdullahMohammad251
Nov 12, 2023

Also since the NTP access group is set to server-only, time requests are allowed only from a device whose IP address passes the access list criteria.

oatmealturkey (Option: C)
Feb 17, 2023

It cannot be D because stratum is not a valid command.

splashy (Option: C)
Sep 18, 2022

explained below

MDK94 (Option: D)
Jun 30, 2022

Note: ntp access-group serve-only is the correct command, not server-only, but it's incorrect on every answer so it shouldn't matter. Source: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-0/system_management/command/reference/yr40crs_chapter10.html#wp1797670550:~:text=Allows%20only%20time%20requests.

A. Incorrect because sha1 isn't used for NTP authentication, must be MD5

ntp authenticate
ntp authentication-key 2 sha1 CISCO123
ntp source Loopback0
ntp access-group server-only 10
ntp master 2
access-list 10 permit udp host 209.165.200.225 any eq 123

MDK94
Jun 30, 2022

B. Incorrect because it isn't using the NTP source command (uses ntp interface Loopback0 instead)

ntp authenticate
ntp authentication-key 2 md5 CISCO123
ntp interface Loopback0
ntp access-group server-only 10
ntp stratum 2
access-list 10 permit 209.165.200.225

MDK94
Jun 30, 2022

Both C and D are correct answers in my opinion, the only difference is that the access-list is more granular for D, meaning C is probably the best option.

C.
ntp authenticate
ntp authentication-key 2 md5 CISCO123
ntp source Loopback0
ntp access-group server-only 10
ntp master 2
access-list 10 permit 209.165.200.225

D.
ntp authenticate
ntp authentication-key 2 md5 CISCO123
ntp source Loopback0
ntp access-group server-only 10
ntp stratum 2
access-list 10 permit udp host 209.165.200.225 any eq 123

MDK94
Jun 30, 2022

Granularity of the ACL shouldn't be required, as the ACL is being applied to "serve-only", aka only allow time requests. Source: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-0/system_management/command/reference/yr40crs_chapter10.html#wp1797670550:~:text=Allows%20only%20time%20requests.

MDK94
Jun 30, 2022

I just realised, it's 100% C because the access-list 10 is a standard access-list, meaning that specifying the protocol (udp) and destination address as any with the eq port number wouldn't be allowed. C is the correct answer 100%.

ratu68
Jul 6, 2022

Good catch!

BOFA
Jul 28, 2022

You've got a point, but something pops up in my mind: the ACL command is using a standard numbered ACL, which ranges between 1 and 99, and as I studied, the standard ones use only the source IP, so correct me if I'm wrong.

Aiman_Abdullah (Option: C)
Oct 12, 2022

Try to log in to any router; I think we cannot insert any stratum 2, only master 2. And for ntp access-group server-only 10, it should be serve-only 10. Anyway, the answer is C. Agree with MDK94.

CertBuster (Option: C)
Dec 8, 2023

NTP does not support extended ACLs when using the "ntp access-group" command. It also does not need an extended access list; the fact that it's configured on a per-protocol basis means that the implicit deny only applies to NTP anyway. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/system-management/b-cisco-nexus-9000-series-nx-os-system-management-configuration-guide-93x/b-cisco-nexus-9000-series-nx-os-system-management-configuration-guide-93x_chapter_0101.html

iampogiian (Option: C)
Dec 18, 2022

The answer is letter C.

sijan (Option: C)
Mar 9, 2023

C should be correct

Elmasquentona963 (Option: C)
Sep 9, 2023

ntp master <stratum-level> global configuration command is the correct way to set the stratum value.

Junior_Network (Option: C)
Oct 3, 2023

ntp master command is correct but ntp stratum command is not

Nmk3216 (Option: C)
Nov 9, 2023

C is correct. Standard access lists do not specifically filter by protocol.

yass40
Nov 17, 2023

But they have missed the word "host" or the wildcard mask (0.0.0.0) in the ACL: access-list 10 permit 209.165.200.225

iGlitch
May 31, 2022

I thought the question is about NTP, but it's NOT.

beskardrip (Option: D)
Jul 2, 2022

Pretty sure it's D because it says only NTP packets are allowed, and the access list command on D specifies to only allow traffic on port 123.

RougePotatoe
Oct 27, 2022

D has the command NTP stratum 2 (not a real command); it is supposed to be ntp master 2.

alejandro12
Nov 20, 2022

It's not D, because access list 10 is standard and you cannot configure ports on it.

SeMo0o0o (Option: C)
Mar 24, 2024

C is correct; ntp master 2 is the right configuration.

BTK0311 (Option: D)
May 6, 2024

NTP stratum is NOT a valid Cisco command. NTP master [stratum level]

schmidt97 (Option: D)
Jul 18, 2024

D is correct. NTP uses UDP port 514.