1 should the ntp master not be on r4 and r6 ..?
2 whay the ntp access-group peer cmd on here ..?
1. A device in NTP master role has it's own timesource(external signal, or in case of cisco routers: hardware clock ). R4 and R6 should take their time from backbone routers, so they should not be masters.
2. because the task explicitly requires the use of ntp access-groups for filtering clients, you have to explicitly allow servers too. See:
"The access group options are scanned in the following order from the least restrictive to most restrictive:1. peer2. query-only3. serve4. serve-onlyAccess is granted for the first match that is found. If no access groups are specified, all access is granted to all sources. If you specify any access groups, only the specified access is granted."
Access is granted for the first match that is found
Take a look at the following thread - this task will cause you problems if you are running 12.4(24)T - http://ieoc.com/forums/p/22429/176514.aspx#176514