Cisco CCNP ENCOR 350-401 Practice Exam

What the Cisco CCNP ENCOR 350-401 exam covers

• Architecture67 questions
• Virtualization63 questions
• Infrastructure78 questions
• Network Assurance67 questions
• Security67 questions
• Automation65 questions

Free Cisco CCNP ENCOR 350-401 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 407.

1. Question 1Architecture

   A network architect is designing a new SD-WAN deployment for a company with 50 branch offices. The company requires centralized policy management, dynamic path selection based on application SLA requirements, and secure overlay tunnels between sites. Which component in the Cisco SD-WAN architecture is responsible for distributing data plane and application-aware routing policies to the edge routers?

   • AvBond orchestrator
   • BvSmart controllerCorrect
   • CvManage
   • DvEdge router
   ✓ Correct answer: B

   The vSmart distributes data plane and application-aware routing policies to edge routers. It generates policies based on SLA requirements and enforces them across all devices. Unlike vBond or vManage, vSmart actively distributes policies in data plane. This maintains consistent security and performance across all 50 branch offices.

2. Question 2ArchitectureSelect all that apply

   Which two QoS mechanisms are applied at the egress interface to manage congestion and shape traffic? (Choose two.)

   • ACommitted Access Rate (CAR) policing at ingress
   • BClass-Based Weighted Fair Queuing (CBWFQ)Correct
   • CClassification using NBAR2
   • DWeighted Random Early Detection (WRED)Correct
   ✓ Correct answer: B, D

   Answers: B, D. Multiple correct statements

3. Question 3Architecture

   True or False: LISP (Locator/ID Separation Protocol) separates the device identity (EID) from its location (RLOC) in the network.

   • ATrueCorrect
   • BFalse
   ✓ Correct answer: A

   True

4. Question 4Virtualization

   Which type of hypervisor runs directly on the physical hardware without requiring a host operating system?

   • AType 1 hypervisor (bare-metal)Correct
   • BContainer runtime
   • CParavirtualized hypervisor only
   • DType 2 hypervisor
   ✓ Correct answer: A

   Correct answer for this scenario.

5. Question 5InfrastructureSelect all that apply

   Which two STP features help protect the spanning-tree topology from unauthorized or misconfigured switches? (Choose two.)

   • ABPDU GuardCorrect
   • BRoot GuardCorrect
   • CUplinkFast
   • DBackboneFast
   ✓ Correct answer: A, B

   This is the correct answer based on technical specifications and best practices for this technology. The solution provides the most accurate and reliable approach to addressing the technical requirements. Understanding the underlying mechanisms and protocol specifications is essential for proper network design and troubleshooting. This answer reflects industry-standard implementations and vendor best practices. Root Guard is incorrect because it does not align with the technical specifications or represents a misunderstanding of the protocol.

6. Question 6InfrastructureSelect all that apply

   Which two protocols can be used for Layer 3 First Hop Redundancy? (Choose two.)

   • AHSRP (Hot Standby Router Protocol)Correct
   • BVRRP (Virtual Router Redundancy Protocol)Correct
   • CLACP (Link Aggregation Control Protocol)
   • DSTP (Spanning Tree Protocol)
   ✓ Correct answer: A, B

   This is the correct answer based on technical specifications and best practices for this technology. The solution provides the most accurate and reliable approach to addressing the technical requirements. Understanding the underlying mechanisms and protocol specifications is essential for proper network design and troubleshooting. This answer reflects industry-standard implementations and vendor best practices. VRRP (Virtual Router Redundancy Protocol) is incorrect because it does not align with the technical specifications or represents a misunderstanding of the protocol.

7. Question 7Network Assurance

   A network engineer at Quantum Systems is configuring IP SLA to monitor reachability to a critical server. Which IP SLA operation type should be used to measure round-trip time using ICMP?

   • ATCP connect
   • BICMP echoCorrect
   • CUDP jitter
   • DHTTP operation
   ✓ Correct answer: B

   This is the correct answer based on technical specifications and best practices for this technology. The solution provides the most accurate and reliable approach to addressing the technical requirements. Understanding the underlying mechanisms and protocol specifications is essential for proper network design and troubleshooting. This answer reflects industry-standard implementations and vendor best practices.

   Why the other options are wrong

   • ATCP connect is incorrect because it does not align with the technical specifications or represents a misunderstanding of the protocol.
8. Question 8Security

   An enterprise has deployed Cisco ISE for network access control. A contractor connects a laptop to the wired network. The switch port is configured for 802.1X authentication. The contractor's laptop does not have an 802.1X supplicant installed. Which authentication fallback mechanism can ISE use to authenticate the contractor via a web portal?

   • ASSH key-based authentication
   • BRADIUS Change of Authorization with EAP-FAST
   • CTACACS+ interactive authentication
   • DMAB (MAC Authentication Bypass) followed by Central Web Authentication (CWA)Correct
   ✓ Correct answer: D

   This is the correct answer based on technical specifications and best practices for this technology. The solution provides the most accurate and reliable approach to addressing the technical requirements. Understanding the underlying mechanisms and protocol specifications is essential for proper network design and troubleshooting. This answer reflects industry-standard implementations and vendor best practices.

   Why the other options are wrong

   • ASSH key-based authentication is incorrect because it does not align with the technical specifications or represents a misunderstanding of the protocol.
9. Question 9SecuritySelect all that apply

   Which two are functions of a Next-Generation Firewall (NGFW) that differentiate it from a traditional stateful firewall? (Choose two.)

   • AIntegrated Intrusion Prevention System (IPS)Correct
   • Bbasic packet filtering based on source/destination IP
   • CNAT translation
   • DApplication-layer visibility and controlCorrect
   ✓ Correct answer: A, D

   IPS and D. App control.

10. Question 10AutomationSelect all that apply

    AutoNet Corp is evaluating configuration management tools for their network. Which two tools use a declarative approach to define the desired state of infrastructure? (Choose 2)

    • ABash shell scripts
    • BPython scripts using Netmiko
    • CTerraform configurationsCorrect
    • DAnsible playbooks
    • EPuppet manifestsCorrect
    ✓ Correct answer: C, E

    Terraform and E. Puppet.

Cisco CCNP ENCOR 350-401 practice exam FAQ