Exam 200-301
Question 568

R1 as an NTP server must have:

✑ NTP authentication enabled

✑ NTP packets sourced from Interface loopback 0

✑ NTP stratum 2

✑ NTP packets only permitted to client IP 209.165.200.225

How should R1 be configured?

    Correct Answer: C

    The correct configuration ensures that R1 functions as an NTP server with specific requirements. It uses MD5 for NTP authentication, sources NTP packets from loopback 0, and sets NTP as a master with stratum level 2. Additionally, the access group is configured to serve NTP requests only to the specified IP address. The correct standard access control list permits the IP address 209.165.200.225 without specifying protocols or ports, as standard ACLs filter solely based on source IP addresses.
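The reasoning in the explanation above can be run as a small checker over the four option texts quoted in the discussion. This is an added example, not part of the original page or of any Cisco tool. The names `option`, `lint` and `OPTIONS` are hypothetical, the MD5 requirement follows the page's answer key, and the standard numbered ACL ranges (1-99 and 1300-1999) are those of Cisco IOS.

```python
import re

CLIENT = "209.165.200.225"  # client address from the question

def option(key_type, source_cmd, stratum_cmd, acl_entry):
    """Build one answer option; the options differ only in these four places."""
    return [
        "ntp authenticate",
        f"ntp authentication-key 2 {key_type} CISCO123",
        f"{source_cmd} Loopback0",
        "ntp access-group server-only 10",  # spelled as in the quoted options
        f"{stratum_cmd} 2",
        f"access-list 10 {acl_entry}",
    ]

EXTENDED = f"permit udp host {CLIENT} any eq 123"
OPTIONS = {  # transcribed from the option text quoted in the discussion
    "A": option("sha1", "ntp source", "ntp master", EXTENDED),
    "B": option("md5", "ntp interface", "ntp stratum", f"permit {CLIENT}"),
    "C": option("md5", "ntp source", "ntp master", f"permit {CLIENT}"),
    "D": option("md5", "ntp source", "ntp stratum", EXTENDED),
}

def lint(lines, client=CLIENT):
    """Return the requirements from the question that this config fails."""
    cfg = "\n".join(lines)
    failed = []
    if not (re.search(r"^ntp authenticate$", cfg, re.M)
            and re.search(r"^ntp authentication-key \d+ md5 \S+$", cfg, re.M)):
        failed.append("authentication")
    if not re.search(r"^ntp source Loopback0$", cfg, re.M):
        failed.append("source")
    if not re.search(r"^ntp master 2$", cfg, re.M):
        failed.append("stratum")
    # The ACL bound to NTP must be a standard numbered ACL (1-99 or 1300-1999)
    # whose entry names only a source address: no protocol, destination or port.
    group = re.search(r"^ntp access-group serve[r]?-only (\d+)$", cfg, re.M)
    num = int(group.group(1)) if group else 0
    standard = 1 <= num <= 99 or 1300 <= num <= 1999
    entry = re.search(rf"^access-list {num} permit (?:host )?(\S+)(?: 0\.0\.0\.0)?$", cfg, re.M)
    if not (standard and entry and entry.group(1) == client):
        failed.append("acl")
    return failed

if __name__ == "__main__":
    for name, lines in OPTIONS.items():
        print(name, lint(lines) or "meets all four requirements")
```

The checker accepts both `server-only` (as the options are quoted) and `serve-only` (the IOS keyword noted in the discussion), so that spelling does not affect the comparison between options.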

Discussion
splashy (Option: C)

C seems correct; it's an ACL question. 10 is a standard ACL number, so A and D are wrong because they are extended ACLs. NTP master 2 makes the router an NTP server with stratum level 2.

AbdullahMohammad251

Also since the NTP access group is set to server-only, time requests are allowed only from a device whose IP address passes the access list criteria.

oatmealturkey (Option: C)

It cannot be D because stratum is not a valid command.

splashy (Option: C)

explained below

CertBuster (Option: C)

NTP does not support extended ACLs when using the "ntp access-group" command. It also does not need an extended access list; the fact that it's configured on a per-protocol basis means that the implicit deny only applies to NTP anyway. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/system-management/b-cisco-nexus-9000-series-nx-os-system-management-configuration-guide-93x/b-cisco-nexus-9000-series-nx-os-system-management-configuration-guide-93x_chapter_0101.html

Aiman_Abdullah (Option: C)

Try logging in to any router; I think we cannot enter stratum 2, only master 2. And for ntp access-group server-only 10, it should be serve-only 10. Anyway, the answer is C. Agree with MDK94.

MDK94 (Option: D)

Note: ntp access-group serve-only is the correct command, not server-only, but it's incorrect on every answer so it shouldn't matter. Source: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-0/system_management/command/reference/yr40crs_chapter10.html#wp1797670550:~:text=Allows%20only%20time%20requests.

A. Incorrect because sha1 isn't used for NTP authentication, must be MD5:

    ntp authenticate
    ntp authentication-key 2 sha1 CISCO123
    ntp source Loopback0
    ntp access-group server-only 10
    ntp master 2
    access-list 10 permit udp host 209.165.200.225 any eq 123

MDK94

B. Incorrect because it isn't using the NTP source command (uses ntp interface Loopback0 instead):

    ntp authenticate
    ntp authentication-key 2 md5 CISCO123
    ntp interface Loopback0
    ntp access-group server-only 10
    ntp stratum 2
    access-list 10 permit 209.165.200.225

MDK94

Both C and D are correct answers in my opinion; the only difference is that the access-list is more granular for D, meaning C is probably the best option.

C.

    ntp authenticate
    ntp authentication-key 2 md5 CISCO123
    ntp source Loopback0
    ntp access-group server-only 10
    ntp master 2
    access-list 10 permit 209.165.200.225

D.

    ntp authenticate
    ntp authentication-key 2 md5 CISCO123
    ntp source Loopback0
    ntp access-group server-only 10
    ntp stratum 2
    access-list 10 permit udp host 209.165.200.225 any eq 123

MDK94

Granularity of the ACL shouldn't be required as the acl is being applied to "serve-only" aka only allow time requests Source: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-0/system_management/command/reference/yr40crs_chapter10.html#wp1797670550:~:text=Allows%20only%20time%20requests.

MDK94

I just realised, it's 100% C because access-list 10 is a standard access-list, meaning that specifying the protocol (udp) and destination address as any with the eq port number wouldn't be allowed. C is the correct answer 100%.

ratu68

Good Catch !

BOFA

You've got a point, but something pops up in my mind: the ACL command is using a standard numbered ACL, which ranges between 1 and 99, and as I studied, the standard one uses only the source IP, so correct me if I'm wrong.

Nmk3216 (Option: C)

C is correct. Standard access lists do not specifically filter by protocol.

yass40

But they have missed the word "host" or the wildcard mask (0.0.0.0) in the ACL: access-list 10 permit 209.165.200.225

Junior_Network (Option: C)

ntp master command is correct but ntp stratum command is not

Elmasquentona963 (Option: C)

ntp master <stratum-level> global configuration command is the correct way to set the stratum value.

sijan (Option: C)

C should be correct

iampogiian (Option: C)

The answer is letter C.

schmidt97 (Option: D)

D is correct. NTP uses UDP port 514.

BTK0311 (Option: D)

NTP stratum is NOT a valid Cisco command. NTP master [stratum level]

SeMo0o0o (Option: C)

C is correct; ntp master 2 is the right configuration.

beskardrip (Option: D)

Pretty sure it's D because it says only NTP packets are allowed, and the access list command on D specifies only allowing traffic on port 123.

RougePotatoe

D has the command NTP stratum 2 (not a real command); it is supposed to be ntp master 2.

alejandro12

It's not D, because access list 10 is standard and ports cannot be configured on it.

iGlitch

I thought the question is about NTP, but it's NOT.