Question 1,113 of 1,819
Network Services and SecurityhardMultiple ChoiceObjective-mapped

Quick Answer

The correct answer is that the router cannot reach the NTP server 10.1.1.100 at UDP port 123 due to a routing issue or an access list. When a router shows “Clock is unsynchronized, stratum 16, no reference clock” in the show ntp status output, it indicates that no valid NTP updates have been received, meaning the NTP server is unreachable at the network layer. This scenario tests your ability to differentiate between reachability problems and authentication failures on the CCNA 200-301 v2 exam, where a common trap is assuming a misconfiguration of the ntp server command itself. The key clue is the absence of any reference clock or reachability in the NTP associations table, which points squarely to an NTP unsynchronized unreachable server condition rather than a time-source mismatch. Remember the mnemonic “No Route, No Clock” — if you see stratum 16 with no reference clock, always check routing and ACLs blocking UDP 123 first.

CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

R1# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
ntp uptime is 15000 (4.1 hours)
reference time is 00000000.00000000 (00:00:00.000 UTC Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 64, last update was 0 sec ago.

Refer to the exhibit. A network administrator is troubleshooting an NTP synchronization issue on R1. The router is configured with the command ntp server 10.1.1.100, but the clock remains unsynchronized. The administrator issues the show ntp status command. What is the most likely cause of the problem?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Question 1hardmultiple choice
Review the full routing breakdown →

Exhibit

R1# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
ntp uptime is 15000 (4.1 hours)
reference time is 00000000.00000000 (00:00:00.000 UTC Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 64, last update was 0 sec ago.

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The router cannot reach the NTP server 10.1.1.100 at UDP port 123 due to a routing issue or an access list.

The output shows 'Clock is unsynchronized, stratum 16, no reference clock,' which means the router has not received any valid NTP updates from the configured server. This state is typical when the NTP server 10.1.1.100 is unreachable at the network layer—either because of a missing route or an ACL blocking UDP port 123. If the server were reachable but authentication failed, the output might still show a reference clock (but unsynchronized) or show reachability in the NTP associations table, which is absent here.

Key principle: ACLs process entries top to bottom and stop at the first match. Entry order and interface direction matter as much as the permit or deny statement.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The NTP authentication key configured on R1 does not match the one on the server.

    Why it's wrong here

    While an authentication mismatch would prevent synchronization, the router would still receive NTP packets from the server, and show ntp associations would likely show the server as reachable but with a status of 'reject' or 'bad auth.' The exhibit shows no reference clock at all, indicating no NTP packets are arriving.

  • The system time on R1 is set to an epoch that is too far from the server's time, causing NTP to refuse to synchronize.

    Why it's wrong here

    NTP can handle any time difference, although a very large offset (e.g., >1000 seconds by default) might trigger a panic and require manual stepping. However, in that case, the server would still be reachable and the output might show the server as a candidate but with a large offset; it would not result in 'no reference clock' and a persistent unsynchronized state without any peer communication.

  • The NTP service is not enabled on R1; the 'ntp server' command only defines a server but does not start the NTP process.

    Why it's wrong here

    The 'ntp server' command indeed enables the NTP service and starts the daemon. If NTP were not enabled, the 'show ntp status' command would return an error or indicate that NTP is not running, rather than showing detailed status fields. The output confirms NTP is running but unsynchronized.

  • The router cannot reach the NTP server 10.1.1.100 at UDP port 123 due to a routing issue or an access list.

    Why this is correct

    The exhibit clearly shows 'no reference clock' and stratum 16, which indicates that R1 has not received any NTP packets from the configured server. This is a classic symptom of network unreachability—the router’s NTP requests are not making it to the server or responses are not coming back, often caused by a missing route or an ACL filtering UDP 123.

    Clue confirmation

    The clue word "most likely" in the question point toward this answer.

    Related concept

    Standard ACLs match source addresses.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

The router cannot reach the NTP server 10.1.1.100 at UDP port 123 due to a routing issue or an access list.Correct answer

Why this is correct

The exhibit clearly shows 'no reference clock' and stratum 16, which indicates that R1 has not received any NTP packets from the configured server. This is a classic symptom of network unreachability—the router’s NTP requests are not making it to the server or responses are not coming back, often caused by a missing route or an ACL filtering UDP 123.

The NTP authentication key configured on R1 does not match the one on the server.Wrong answer — click to see why

Why this is wrong here

Candidates often confuse unsynchronized status with authentication issues, but authentication failures do not prevent reception of packets; they just discard them after arrival.

The system time on R1 is set to an epoch that is too far from the server's time, causing NTP to refuse to synchronize.Wrong answer — click to see why

Why this is wrong here

A common myth is that NTP cannot sync if the clocks are too far apart. While extreme offsets may delay sync, they do not prevent the router from hearing the server, so the reference clock field would still show the server’s IP or clock ID.

The NTP service is not enabled on R1; the 'ntp server' command only defines a server but does not start the NTP process.Wrong answer — click to see why

Why this is wrong here

Some candidates mistakenly believe that a separate 'ntp enable' command is required. In IOS, configuring an ntp server automatically enables NTP, so the service is active.

Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: ACLs stop at the first match

ACLs are processed top to bottom. The first matching entry wins, and an implicit deny usually exists at the end.

Trap categories for this question

  • Command / output trap

    While an authentication mismatch would prevent synchronization, the router would still receive NTP packets from the server, and show ntp associations would likely show the server as reachable but with a status of 'reject' or 'bad auth.' The exhibit shows no reference clock at all, indicating no NTP packets are arriving.

Detailed technical explanation

How to think about this question

ACL questions test precision: source, destination, protocol, port and direction. A generally correct ACL can still fail if it is applied on the wrong interface or in the wrong direction.

KKey Concepts to Remember

  • Standard ACLs match source addresses.
  • Extended ACLs can match source, destination, protocol and ports.
  • The first matching ACL entry is used.
  • There is usually an implicit deny at the end.

TExam Day Tips

  • Check inbound versus outbound direction.
  • Read the ACL from top to bottom.
  • Look for a broader permit or deny above the intended line.

Key takeaway

ACLs process entries top to bottom and stop at the first match. Entry order and interface direction matter as much as the permit or deny statement.

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

What to study next

Got this wrong? Here's your next step.

Review ACL processing order, placement rules (standard near destination, extended near source), and inbound vs outbound direction. Study wildcard masks and implicit deny. Then practise related 200-301 ACL questions on filtering logic and placement.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 200-301 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-301 question test?

Network Services and Security — This question tests Network Services and Security — Standard ACLs match source addresses..

What is the correct answer to this question?

The correct answer is: The router cannot reach the NTP server 10.1.1.100 at UDP port 123 due to a routing issue or an access list. — The output shows 'Clock is unsynchronized, stratum 16, no reference clock,' which means the router has not received any valid NTP updates from the configured server. This state is typical when the NTP server 10.1.1.100 is unreachable at the network layer—either because of a missing route or an ACL blocking UDP port 123. If the server were reachable but authentication failed, the output might still show a reference clock (but unsynchronized) or show reachability in the NTP associations table, which is absent here.

What should I do if I get this 200-301 question wrong?

Review ACL processing order, placement rules (standard near destination, extended near source), and inbound vs outbound direction. Study wildcard masks and implicit deny. Then practise related 200-301 ACL questions on filtering logic and placement.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Standard ACLs match source addresses.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 14, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.