319508018-11

November 22, 2017 | Author: Marco Antonio Urquiola Rivas | Category: Ip Address, Firewall (Computing), Router (Computing), Network Packet, Denial Of Service Attack


Short Description

MTCTCE...

Description

1. To create a firewall which drops a random block of IP addresses, it is more efficient (less hardware resource intensive) to:
A. Create a single rule for every single IP address
B. Use an address-list and create 1 firewall rule for this address-list
C. Create a custom chain and create drop rules for each IP there

2. You have default configuration, the firewall filter configuration is

    /ip firewall filter add chain=input src-address=192.168.0.1 action=accept
    /ip firewall filter add chain=input action=log
    /ip firewall filter add chain=input action=drop

Which host is allowed to access the router?
A. IP address 192.168.0.2, MAC-address 00:0C:42:01:01:02
B. IP address 5.8.8.8, MAC-address 00:0C:42:01:02:03
C. IP address 192.168.0.1, MAC-address 00:0C:42:05:05:01
D. IP address 192.168.0.1, MAC-address 00:0C:42:01:01:02

3. Is it possible for a client to get an IP address but no gateway after a successful DHCP request?
true

4. You set up a brand new router to be a HotSpot gateway. Run the wizard and pick Ether2 as HotSpot interface. Everything else is set to defaults and you do not configure any additional Firewall or NAT rules. Connect laptop to Ether2 and try to browse to www.yourcompany.com, but you are redirected to the login page. You do not log in because you want hotspot users to access www.yourcompany.com without having to log in, so you want to add www.yourcompany.com to the Walled Garden list. You start the Winbox client and attempt to connect to the router, but encounter an error. Why can't you connect to the router with Winbox?
A. Winbox is blocked when hotspot is enabled, you must connect to the router with Telnet or SSH instead.
B. Access to router management is blocked on hotspot interface when you are not logged in to hotspot.
C. Access to router management is blocked on ALL interfaces when you are not logged in to hotspot.
D. You must add www.yourcompany.com to your Walled Garden list BEFORE you run the Hotspot wizard.

5. You wish to secure your RouterOS system. You do not want the RouterOS to be discoverable using MNDP or CDP. You also want to deny management via the MAC addresses on all interfaces. Select the correct actions to accomplish this.
A. Add a Deny All input firewall rule
B. Place a proper forward firewall rule to block mac discovery
C. Remove/Disable all interfaces under mac-Server winbox
D. Remove/Disable all discovery interfaces
E. Place a proper input firewall rule to block mac discovery
F. Remove/Disable all interfaces under mac-server telnet
G. Remove/Disable the Interfaces

6. To block users on my Local Area Network from accessing http://www.facebook.com between 8:00am and 5:00pm
A. Add simple queue to block the site at 8:00am and allow it from 5:00pm
B. Enable Webproxy, Transparent redirect http traffic, create access rule to drop http://www.facebook.com with a comment, schedule script to enable access rule at 8:00am and disable rule at 5:00pm
C. Only schedule a script to block http://www.facebook.com at 8:00am and allow at 5:00pm
D. Add firewall filter rule to block http://www.facebook.com and set time on the rule

7. There is a PCQ type queue with the following parameters:

    max-limit=660k pcq-rate=110k pcq-classifier=dst-address

If you choose this queue to control the download rate of a local network, which interface should be selected and what is the maximal available speed for each host in the queue when you have 5 hosts?
A. local, 132k
B. any, 110k
C. local, 110k
D. public, 110k
E. public, 132k

8. What does this simple queue do (check the image)?
A. Queue guarantees upload data rate of one megabit per second for host 192.168.1.10
B. Queue limits host 192.168.1.10 upload data rate to one megabit per second.
C. Queue guarantees download data rate of one megabit per second for host 192.168.1.10
D. Queue limits host 192.168.1.10 download data rate to one megabit per second.

9. An IP packet has matched all the conditions of a firewall rule and the action reject and the option icmp-network-unreachable was initiated for that packet. What will happen with the packet content?
A. The whole packet will be forwarded back to the sender regardless of its contents
B. The packet will be rejected only if the destination network is unreachable
C. The packet header will receive a flag of "icmp-network-unreachable"
D. The packet will be discarded regardless of its content

10. Simple Queue number 0 defines 2M for upload and download for target IP 10.10.0.33. Simple Queue number 1 defines 4M for upload and download for target IP 10.10.0.33. Client 10.10.0.33 will be able to obtain
A. 4M upload/download
B. 0M upload/download
C. 6M upload/download
D. 2M upload/download

11. To mangle all traffic going to the router itself on chain=prerouting, we can use parameter:
A. dst-address=127.0.0.1
B. dst-address=localhost
C. dst-address-type=unicast
D. dst-address-type=local

12. A firewall rule is used to redirect all incoming DNS requests. What is the source IP address generated in the response by the router?
A. Source IP address of the response is the highest active loopback bridge interface of the router
B. Source IP address of the response is broadcast to indicate the response was generated by proxy
C. Source IP address of the response is IP address of router's out interface
D. Source IP address of the response is the same as destination IP address of the original request

13. After putting this rule: /ip firewall add chain=input action=drop, you will still be able to access the Router using the mac-address.
true

14. What is the correct action for a NAT rule on a router that should intercept SMTP traffic and send it over to a specified mail server?
A. passthrough
B. tarpit
C. dst-nat
D. redirect

15. A MikroTik Router has the following configuration

    /ip address
    add address=1.1.1.2/30 interface=ether1
    add address=2.2.2.2/30 interface=ether2
    add address=192.168.10.1/24 interface=ether3
    /ip firewall mangle
    add action=mark-connection chain=prerouting dst-port=80 new-connection-mark=web_c passthrough=yes protocol=tcp
    add action=mark-routing chain=prerouting connection-mark=web_c new-routing-mark=web passthrough=no
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface=ether3
    /ip route
    add gateway=1.1.1.1
    add gateway=2.2.2.2 routing-mark=web

What can be said about the Web Access (port 80) by a customer connected at ether3 interface with IP 192.168.10.2/24, gateway 192.168.10.1?
A. The Customer is unable to access the Web.
B. The Customer will access the Web by ECMP, by using both gateways 1.1.1.1 and 2.2.2.2
C. The customer will access the Web using the gateway 2.2.2.2
D. The customer will access the Web using the gateway 1.1.1.1

16. Router has Wireless and Ethernet client interfaces, all client interfaces are bridged. To create a DHCP service for all clients you must configure DHCP server on
A. only on bridge interface
B. Ethernet and wireless interfaces
C. every bridge port
D. DHCP service is not possible in this setup

17. Consider the following network diagram. In R1, you have the following configuration:

    /ip route add dst-address=192.168.1.0/24 gateway=192.168.99.2
    /ip firewall nat add chain=srcnat out-interface=Ether1 action=masquerade

On R2, if you wish to prevent all access to a server located at 192.168.1.10 from LAN1 devices, which of the following rules would be needed?
A. /ip firewall filter add chain=input src-address=192.168.99.1 dst-address=192.168.1.10 action=drop
B. /ip firewall nat add chain=dstnat src-address=192.168.99.1 dst-address=192.168.1.10 action=drop
C. /ip firewall filter add chain=forward src-address=192.168.0.0/24 dst-address=192.168.1.10 action=drop
D. /ip firewall filter add chain=forward src-address=192.168.99.1 dst-address=192.168.1.10 action=drop

18. You want to offer a static route to your DHCP clients (besides the default-route). What is the best way to do that?
A. Set a static IP into /ip route and it will automatically be sent to clients
B. Set DHCP options 3
C. Set DHCP options 121
D. There is no way to send a static-route to DHCP clients

19. DHCP server is configured on a router's ether1 interface. IP address 192.168.0.100/24 is assigned to the interface. Possible IP pools, that can be used by this DHCP server, are:
A. 192.168.0.1-192.168.0.99,192.168.0.101-192.168.0.254
B. 192.168.0.1-192.168.0.14
C. 192.168.0.1-192.168.0.255
D. 192.169.0.1-192.169.0.254

20. How could you limit the impact of a DDoS (Distributed Denial of Service) attack?
A. Use the firewall limit function to limit number of connections to servers
B. Use the firewall limit function to limit number of connections from clients
C. Create a tarpit rule to reject all "connection state=invalid" packets
D. Set the TCP SynCookie option in ip firewall connection tracking

21. There can be more than one DHCP relay between DHCP server and DHCP client.
false

22. In RouterOS queue configurations the word "total" usually represents
A. download - upload
B. upload
C. upload + download
D. download

23. You want to use PCQ and allow 256k maximum download and upload for each client. Choose correct argument values for the required queue.
A. kind=pcq pcq-rate=5000000 pcq-classifier=dst-address
B. kind=pcq pcq-rate=256000 pcq-classifier=src-address
C. kind=pcq pcq-rate=5000000 pcq-classifier=src-address
D. kind=pcq pcq-rate=1256000 pcq-classifier=dst-address
E. kind=pcq pcq-rate=256000 pcq-classifier=dst-address

24. The Simple Queue Total tab controls both upload and download totals aggregated together.
A. False
B. True

25. You have a queue structure:

    queue "MK" max-limit=23M
    -queue "A" parent="MK" limit-at=10M max-limit=18M
    --queue "AA" parent="A" limit-at=3M max-limit=5M priority=1
    --queue "AB" parent="A" limit-at=1M max-limit=2M priority=2
    --queue "AC" parent="A" limit-at=4M max-limit=8M priority=4
    -queue "B" parent="MK" limit-at=10M max-limit=18M
    --queue "BA" parent="B" limit-at=1M max-limit=10M priority=1
    --queue "BB" parent="B" limit-at=2M max-limit=3M priority=3

Select the correct answer for the worst case scenario when all queues are trying to get all available traffic.
A. queue "AA" will get 5M, "AB" 2M, "AC" 8M, "BA" 10M, "BB" 2M
B. queue "AA" will get 3M, "AB" 2M, "AC" 4M, "BA" 10M, "BB" 2M
C. queue "AA" will get 3M, "AB" 1M, "AC" 8M, "BA" 1M, "BB" 3M
D. queue "AA" will get 5M, "AB" 2M, "AC" 8M, "BA" 10M, "BB" 3M
E. queue "AA" will get 5M, "AB" 2M, "AC" 4M, "BA" 10M, "BB" 2M
