MikroTik Updated MTCNA Exam Questions and Answers by pixie

The show access-lists command in Cisco IOS is used to display all configured access control entries (ACEs) in every access list, both named and numbered. This command shows the complete content, including rules and hit counters.

Cisco IOS Command Reference – Access List Monitoring:

“Use show access-lists to view the complete list of all access control entries. This includes both standard and extended lists.”

Other options:

A: Invalid command syntax

C: show ip interface shows interface-level IP settings and ACL applications, but not full ACL content

D: show interface shows status and statistics, not ACL rules

Final Answer: BQUESTION NO: 134 [Cisco IOS – Console Access Configuration]

What does the command routerA(config)#line cons 0 allow you to perform next?

A. Set the Telnet password.

B. Shut down the router.

C. Set your console password.

D. Disable console connections.

Answer: C

The command line cons 0 enters the console line configuration mode. This is used to apply settings specific to the physical console line, such as setting a login password (via password and login commands).

Cisco IOS Configuration Guide – Line Console Mode:

“Use line console 0 to configure settings for the console line, including timeouts, password security, and logging behavior.”

René Meneses Study Guide – Device Access:

“Console access configuration begins with line console 0. It is followed by login and password commands.”

Other options:

A: Telnet is configured under line vty, not console

B: Router shutdown is done with reload or shutdown commands (not here)

D: Console cannot be disabled from line cons 0

Final Answer: CQUESTION NO: 135 [Switching – Spanning Tree Protocol]

How often are BPDUs sent from a Layer 2 device?

A. Never

B. Every 2 seconds

C. Every 10 minutes

D. Every 30 seconds

Answer: B

BPDU (Bridge Protocol Data Units) are messages exchanged by switches in a Spanning Tree Protocol (STP) topology to maintain loop-free Layer 2 networks. By default, switches send BPDUs every 2 seconds.

MTCNA Course Material – STP Operation:

“Switches send BPDUs to maintain spanning tree and detect topology changes. The default transmission interval is 2 seconds.”

Cisco STP Documentation:

“BPDUs are transmitted by the root bridge and propagated every 2 seconds by default, controlled by the hello-time timer.”

Other options:

A: Incorrect — BPDUs are essential for loop prevention

C & D: Not correct — default is 2 seconds, not minutes

Final Answer: BQUESTION NO: 136 [Routing Protocols – Passive Interface Behavior]

What does the passive command provide to dynamic routing protocols?

A. Stops an interface from sending or receiving periodic dynamic updates.

B. Stops an interface from sending periodic dynamic updates but not from receiving updates.

C. Stops the router from receiving any dynamic updates.

D. Stops the router from sending any dynamic updates.

Answer: B

In dynamic routing (e.g., RIP, OSPF, EIGRP), the passive-interface command stops routingadvertisements (outgoing updates) from being sent through the specified interface. However, the router still listens for incoming routing updates.

Cisco IOS Configuration Guide – Passive Interface:

“The passive-interface command prevents routing updates from being sent on an interface, while still allowing updates to be received.”

René Meneses MTCNA Guide – Passive Mode:

“It suppresses sending routing advertisements but does not block receiving updates on that interface.”

Other options:

A: Incorrect — it does not block receiving

C: Incorrect — it applies to interfaces, not globally

D: Also incorrect — it does not block all updates

Final Answer: B

────────────────────────────────────────────────────────────

The “Backup” function in WinBox (located under Files → Backup) creates a binary backup file (.backup) of the router’s full configuration, including sensitive data like usernames, passwords, IPsec keys, wireless keys, etc.

A.✔Correct – By default, the backup file name includes the router identity and timestamp.

B.✘Incorrect – The file is saved on the router’s internal storage (Files menu), not on the user’s computer. You must download it manually to store it locally.

C.✔Correct – Unlike an “Export” file, a .backup file includes all configuration, including encrypted credentials.

D.✔Correct – You can specify a name and optionally a password to encrypt the backup.

Extract from MTCNA Course Material – Backup & Restore:

“The backup file includes all settings and can be encrypted with a password. It is saved on the router under the Files menu.”

Extract from René Meneses Study Guide – Backup Options:

“A .backup file contains everything including usernames and secrets. You can assign a filename and encryption password.”

Extract from Terry Combs Notes – Backup and Export:

“Backup saves a full binary copy. Use the download button to copy it to your PC.”

===========

To block a client’s application traffic (like MSN Messenger) that is passing through the router (from LAN to WAN or vice versa), the forward chain must be used. This chain processes packets that are routed through the router.

Evaluation:

A. static →❌Not a valid firewall chain.

B.✅forward → Correct – used to filter traffic that passes through the router.

C.❌output → Filters traffic originating from the router itself.

D.❌input → Filters traffic destined for the router itself.

MTCNA Firewall Section – Chain Descriptions:

“forward – Used for filtering transit traffic (client to internet or internet to client).”

René Meneses Guide – Firewall Chains:

“To block client application traffic, use the forward chain. Input/output are for local router access.”

Terry Combs Notes – Chain Matching:

“forward = traffic passing through router, like client web or chat traffic.”

Answer: BQUESTION NO: 71 [Routing]

There are two routes in the routing table:

0 dst-addr=10.1.1.0/24 gateway=5.5.5.5

1 dst-addr=10.1.1.4/30 gateway=5.6.6.6

Which gateway will be used to get to the IP address 10.1.1.6?

A. both – half of the traffic will be routed through one gateway, half through the other

B. 5.5.5.5

C. the required route is not in the routing table

D. 5.6.6.6

Answer: D

Routing decisions are made based on the longest prefix match (most specific route).

10.1.1.6 falls within:→ 10.1.1.0/24 → range: 10.1.1.0 – 10.1.1.255 (prefix length: 24)→ 10.1.1.4/30 → range: 10.1.1.4 – 10.1.1.7 (prefix length: 30)

Because /30 is more specific than /24, it will be selected for routing the packet.

MTCNA Routing Module – Prefix Length Decision:

“Router chooses the route with the longest subnet mask (most specific match).”

René Meneses Study Guide – Longest Match Principle:

“10.1.1.6 falls within 10.1.1.4/30 → use gateway 5.6.6.6.”

Terry Combs Notes – Routing Table Resolution:

“Always check if multiple routes match. Use the one with the longest prefix.”

Answer: DQUESTION NO: 72 [Wireless Security]

In order to use dynamic keys in your wireless security profile for an AP, you MUST set up the DHCP server to provide the dynamic keys.

A. true

B. false

Answer: B

MikroTik RouterOS supports dynamic key exchange for wireless networks using WPA/WPA2 (with PSK or EAP). These dynamic keys are not provided by the DHCP server but are instead part of the wireless security profile configured under /interface wireless security-profiles.

DHCP only assigns IP addresses and other network configuration parameters — it does not provide encryption keys.

MTCNA Wireless Security Module – WPA/WPA2 Explained:

“Dynamic keys are negotiated during the WPA/WPA2 authentication process, not via DHCP.”

René Meneses Guide – Wireless Authentication:

“Security profiles define pre-shared or dynamic key exchange (WPA-EAP). DHCP is unrelated.”

Terry Combs Notes – Misconceptions in Wireless Setup:

“DHCP and wireless encryption are separate layers. Keys are not assigned through DHCP.”

Answer: BQUESTION NO: 73 [Firewall / Security]

Which firewall chain should you use to filter SSH access to the router itself?

A. output

B. input

C. prerouting

D. forward

Answer: B

SSH access to the router targets the router itself. Therefore, any packets destined for the router (for example, to TCP port 22) are evaluated in the input chain of the firewall.

Evaluation:

A. output →❌For packets originating from the router, not to it.

B.✅input → Correct – handles traffic destined for the router (like SSH, Winbox, etc.)

C.❌prerouting → Used for NAT and mangle operations, not filtering

D.❌forward → Used for traffic routed through the router (not for router itself)

MTCNA Firewall Section – Chain Functions:

“SSH access to the router is incoming traffic. Use input chain to filter or allow it.”

René Meneses Guide – Access Protection:

“input chain is responsible for traffic to the router’s IP – block/allow SSH, Winbox, etc.”

Terry Combs Notes – Firewall Management:

“Always use input chain for filtering incoming management protocols like SSH.”

In IPv6, the Address Resolution Protocol (ARP) is not used. Instead, IPv6 uses the Neighbor Discovery Protocol (NDP), which is part of the ICMPv6 suite. NDP handles address resolution, router discovery, and reachability.

MTCNA Course Material – IPv6 Address Resolution:

“IPv6 replaces ARP with Neighbor Discovery Protocol. NDP uses ICMPv6 to perform tasks like address resolution and router discovery.”

René Meneses MTCNA Study Guide – IPv6 Fundamentals:

“There is no ARP in IPv6. It uses NDP messages for neighbor solicitation and advertisement.”

Thus, ARP is not used in IPv6.

Final Answer: AQUESTION NO: 152 [Monitoring and Management – SNMP Protocol]

Which of the following protocols / ports are used for SNMP (Simple Network Management Protocol)?

A. TCP 162

B. UDP 162

C. UDP 161

D. TCP 25

E. TCP 123

F. TCP 161

Answer: B, C

SNMP uses the following ports:

UDP 161: Used for SNMP agent queries (GET, SET, etc.)

UDP 162: Used by SNMP managers to receive trap notifications

MTCNA Course Material – SNMP and Monitoring:

“SNMP uses UDP 161 for polling devices and UDP 162 for traps.”

MikroTik Wiki – SNMP:

“SNMP communication uses UDP ports 161 (queries) and 162 (traps). TCP is not used for SNMP by default.”

Option breakdown:

A: TCP 162 → incorrect (SNMP traps use UDP)

B:✔UDP 162

C:✔UDP 161

D: TCP 25 = SMTP

E: TCP 123 = NTP (incorrect protocol and transport)

F: TCP 161 = incorrect transport

Final Answer: B, CQUESTION NO: 153 [ARP – MikroTik Specific Behavior]

If arp=reply-only is configured on an interface, what will this interface do?

A. Accept all IP/MAC combinations listed in /ip arp as static entries

B. Accept all IP addresses listed in /ip arp as static entries

C. Add new MAC addresses in /ip arp list

D. Accept all MAC addresses listed in /ip arp as static entries

E. Add new IP addresses in /ip arp list

Answer: A

Setting arp=reply-only on an interface disables the normal dynamic ARP process. The router will only respond to ARP requests for IP/MAC pairs that are explicitly listed in /ip arp with type=static. No dynamic entries will be added.

MikroTik Wiki – ARP Modes:

“reply-only – the interface will only reply to ARP requests if there is a static entry. It will not add any new entries.”

MTCNA Course Material – ARP Configuration:

“When reply-only is set, the interface will not send ARP requests and will only respond to those IP/MAC combinations configured as static entries.”

Option breakdown:

A:✔Correct—replies only to statically configured IP/MAC pairs

B: Incorrect — ARP entries must have both IP and MAC

C/E: No new dynamic entries are added in reply-only mode

D: MAC addresses alone are not matched — ARP matches IP/MAC pairs

Final Answer: AQUESTION NO: 154 [RouterOS Tools – Configuration Export]

Mark all correct statements about /export (rsc file).

A. Exports logs from /log print

B. Exports full configuration of the router

C. Exports only part of the configuration (for example /ip firewall)

D. Exports scripts from /system script

E. Exported files could not be edited

Answer: B, C, D

The /export command in RouterOS allows exporting configuration as a script (.rsc file). It can:

Export the full configuration

Export a specific section (e.g., /ip firewall)

Include scripts under /system script if specified

It does not export logs and the exported .rsc file is plain text and can be edited.

MTCNA Course Material – Configuration Management:

“/export outputs configuration to a text file. You can export the full config or a specific menu, and it includes scripts if present.”

MikroTik Wiki – Export Command:

“You can use /export to generate editable .rsc files. Use /export file=name or /ip firewall export.”

Option breakdown:

A:❌Logs are not exported

B:✔Full config export is default

C:✔You can target specific sections (e.g., /ip dhcp-server)

D:✔Scripts are included if present

E:❌Exported files are editable text files

Final Answer: B, C, D