Cisco CCNP ENARSI (300-410) Study Guide
The Cisco CCNP ENARSI (300-410) is a 90-minute, ~60-question concentration exam validating advanced enterprise routing skills: Layer 3 technologies (EIGRP, OSPF, BGP, redistribution), VPN technologies (DMVPN, MPLS Layer 3 VPN), infrastructure security, and infrastructure services. It is intended for experienced network engineers (typically 3-5 years) pursuing the CCNP Enterprise certification after passing the 350-401 ENCOR core exam.
Domain 1: Layer 3 Technologies
- EIGRP is Cisco's advanced distance-vector protocol that uses DUAL (Diffusing Update Algorithm) to guarantee loop-free paths and fast reconvergence via precomputed feasible successors.
- EIGRP neighbors must agree on AS number and K-values, and be on the same primary subnet; mismatched K-values or authentication prevent adjacency. The default metric uses K1 (bandwidth) and K3 (delay) only.
- The EIGRP feasibility condition requires a neighbor's reported distance (RD/advertised distance) to be less than the local feasible distance (FD); a route meeting this becomes a feasible successor (loop-free backup).
- OSPF is a link-state IGP: routers flood LSAs within an area to build an identical LSDB, then each runs Dijkstra's SPF to compute best paths. OSPFv2 uses IP protocol 89.
- OSPF requires matching area ID, subnet/mask, hello/dead timers, authentication, and stub flags to form an adjacency; the OSPF router ID must be unique.
- On broadcast/multi-access segments OSPF elects a DR/BDR (highest priority, then highest router ID); priority 0 means a router never becomes DR/BDR. The other routers on the segment send their updates to the DR/BDR on multicast 224.0.0.6.
- OSPF stub areas block Type 5 (external) LSAs but allow Type 3 summaries; totally stubby areas (Cisco 'area X stub no-summary') block Type 3 and 5, injecting only a default route. NSSA carries externals as Type 7 LSAs.
- An Area Border Router (ABR) connects an area to the backbone (area 0) and generates Type 3 summary LSAs; an ASBR redistributes external routes and generates Type 5 (or Type 7 in NSSA) LSAs.
- Administrative Distance selects between protocols offering the same prefix (lower is preferred): connected 0, static 1, eBGP 20, EIGRP internal 90, OSPF 110, IS-IS 115, RIP 120, EIGRP external 170, iBGP 200.
- Longest-prefix match governs forwarding: the most specific matching route wins regardless of AD or metric (a /28 beats a /24 covering the same address).
- BGP is the path-vector EGP that exchanges routes between autonomous systems over TCP port 179; the AS-path attribute provides loop prevention by rejecting routes whose path already contains the local AS.
- BGP best-path order (Cisco): Weight (highest, local only) > Local Preference (highest) > locally originated > shortest AS-path > lowest origin (IGP<EGP<incomplete) > lowest MED > eBGP over iBGP > lowest IGP metric to next hop. 'Established' means the session is fully operational.
- Mutual redistribution without route tags or filtering can create loops and suboptimal paths; tag routes on redistribution and deny them back in, or raise the AD on redistributed routes.
- A floating static route is a backup configured with a higher AD than the primary (e.g., 'ip route 0.0.0.0 0.0.0.0 next-hop 200'); route summarization at boundaries reduces table size and update churn. Verify with 'show ip route', 'show ip eigrp topology', and 'show ip ospf neighbor'.
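The feasibility condition described above, worked through in code. This is an added example, not from the study guide; the topology table, neighbor names and metrics are constructed, and the composite metric is treated as simply additive.

```python
"""EIGRP successor and feasible-successor selection for one prefix.

Added example, not from the study guide: applies the feasibility
condition the way DUAL does for a single destination, on a constructed
topology table. Neighbor names and metrics are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TopologyEntry:
    neighbor: str
    reported_distance: int  # RD: the neighbor's own metric to the prefix
    link_cost: int          # metric added for the link from us to that neighbor

    @property
    def total_distance(self) -> int:
        # Composite metric treated as simply additive for this illustration
        return self.reported_distance + self.link_cost


def select_paths(entries):
    """Return (feasible_distance, successors, feasible_successors).

    FD is the lowest total distance (DUAL keeps the lowest FD seen while
    passive; this snapshot view uses the current best). Every entry at
    the FD is a successor. Any other entry is a feasible successor only if
    its RD is strictly less than FD: the neighbor is then provably not
    downstream of this router, so switching to it cannot form a loop.
    """
    if not entries:
        return None, [], []
    fd = min(e.total_distance for e in entries)
    successors = [e.neighbor for e in entries if e.total_distance == fd]
    feasible = [e.neighbor for e in entries
                if e.total_distance != fd and e.reported_distance < fd]
    return fd, successors, feasible


# Constructed topology table for 10.1.1.0/24 as seen on one router
TOPOLOGY = [
    TopologyEntry("R2", reported_distance=100, link_cost=50),  # total 150 -> successor
    TopologyEntry("R3", reported_distance=120, link_cost=60),  # total 180, RD 120 < 150 -> FS
    TopologyEntry("R4", reported_distance=160, link_cost=20),  # total 180, RD 160 >= 150 -> no FS
]

if __name__ == "__main__":
    fd, succ, fs = select_paths(TOPOLOGY)
    print(f"FD={fd} successors={succ} feasible_successors={fs}")
```

R3 and R4 have the same total distance, yet only R3 qualifies as a backup: the check is on the reported distance, not on the total.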
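The Cisco best-path order listed above, implemented as a sort key so several candidate paths can be ranked. This is an added example, not from the study guide; the neighbor addresses and attribute values are constructed, and the tie-breakers beyond the listed steps are left out.

```python
"""Cisco BGP best-path ranking for the steps listed in this guide.

Added example, not from the study guide: orders candidate paths for one
prefix by Weight > Local Preference > locally originated > shortest AS-path
> origin > MED > eBGP over iBGP > IGP metric to next hop. Neighbor
addresses and attribute values are constructed.
"""
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # lower is preferred


@dataclass
class BgpPath:
    neighbor: str
    weight: int = 0             # Cisco-local, never advertised
    local_pref: int = 100
    locally_originated: bool = False
    as_path: tuple = ()
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0         # IGP cost to reach the BGP next hop


def path_key(p):
    # Ascending sort, so "higher wins" attributes are negated. MED is compared
    # unconditionally here (as with 'bgp always-compare-med'); by default IOS
    # compares MED only between paths learned from the same neighboring AS.
    return (-p.weight, -p.local_pref, 0 if p.locally_originated else 1,
            len(p.as_path), ORIGIN_RANK[p.origin], p.med,
            0 if p.ebgp else 1, p.igp_metric)


def rank_paths(paths):
    """Neighbors best-first; ties past these steps keep input order (a real
    router goes on to oldest path, lowest router ID, and so on)."""
    return [p.neighbor for p in sorted(paths, key=path_key)]


# Constructed candidates for 203.0.113.0/24
CANDIDATES = [
    BgpPath("10.0.0.1", as_path=(65001, 65002, 65003)),                 # eBGP, 3 ASes
    BgpPath("10.0.0.2", local_pref=200, as_path=(65001,), ebgp=False),  # iBGP, LP 200
    BgpPath("10.0.0.3", as_path=(65001, 65002), med=30),                # eBGP, 2 ASes
    BgpPath("10.0.0.4", as_path=(65001, 65002), med=10),                # eBGP, lower MED
]
```

The iBGP path wins on Local Preference before the eBGP-over-iBGP step is ever reached, which is the kind of ordering the exam tests.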
Domain 2: VPN Technologies
- DMVPN provides scalable hub-and-spoke (and dynamic spoke-to-spoke) VPNs by combining multipoint GRE (mGRE), NHRP, a routing protocol, and IPsec encryption.
- NHRP (Next Hop Resolution Protocol) maps tunnel (overlay) IP addresses to physical (underlay) NBMA addresses; spokes register with the hub as the Next Hop Server (NHS) using 'ip nhrp nhs' and 'ip nhrp map'.
- The DMVPN hub uses 'tunnel mode gre multipoint' on its mGRE tunnel; spokes can use point-to-point GRE (Phase 1) or mGRE (Phase 2/3) tunnels.
- DMVPN Phase 1 forces all traffic through the hub; Phase 2 enables direct spoke-to-spoke tunnels via NHRP resolution; Phase 3 adds NHRP redirect/shortcut switching for better scalability and summarization at the hub.
- GRE alone encapsulates any protocol (including multicast and routing hellos) over IP but provides no encryption, integrity, or authentication; pairing it with IPsec adds confidentiality.
- IPsec site-to-site VPNs use IKE Phase 1 to build the bidirectional ISAKMP/IKE SA (authenticated, encrypted management channel), then IKE Phase 2 negotiates the unidirectional IPsec SAs that protect data with ESP.
- AES-GCM is an authenticated-encryption (AEAD) transform providing both confidentiality and integrity in one efficient operation, reducing IPsec overhead versus separate ESP encryption plus HMAC.
- IKEv2 (used by FlexVPN) is more efficient and resilient than IKEv1: fewer messages, built-in NAT traversal and dead-peer detection, and asymmetric authentication. PSK is configured with 'crypto ikev2 keyring' containing peer and pre-shared-key.
- FlexVPN is a unified IKEv2 framework covering site-to-site, hub-and-spoke, remote-access, and DMVPN-style deployments with one consistent configuration model.
- Tunnel MTU/MSS tuning matters: GRE adds 24 bytes and IPsec adds more overhead, so set 'ip mtu 1400' and 'ip tcp adjust-mss 1360' on tunnels to avoid fragmentation; hardware crypto acceleration offloads encryption.
- Cisco SD-WAN (Catalyst SD-WAN, formerly Viptela) separates control and data planes: vSmart controllers push centralized policy/routing to vEdge/cEdge routers over any transport (MPLS, broadband, LTE/5G) for transport-independent overlays.
- Remote-access SSL VPN (Cisco AnyConnect / Secure Client) secures individual user access using TLS, while legacy IPsec remote-access uses IKE/ESP.
- A traditional IPsec crypto map is applied to the egress interface with 'crypto map MAPNAME' in interface config mode; tunnel-protection (IPsec profiles) is used on GRE/mGRE tunnels instead.
- Verification: 'show dmvpn' shows tunnel sessions and NHRP state per peer, 'show crypto ipsec sa' shows IPsec SAs and encrypted/decrypted packet counters, and 'show crypto ikev2 sa' shows IKEv2 SAs.
Domain 3: Infrastructure Security
- ACLs are ordered (top-down) permit/deny lists with an implicit deny-any at the end; standard ACLs match source IP only, while extended ACLs match source/destination IP, protocol, and L4 ports.
- Order ACEs so the most specific and most frequently matched entries come first for performance; object groups let multiple ACEs reference reusable sets of addresses, ports, or services.
- Control Plane Policing (CoPP) uses the MQC (class-map, policy-map, service-policy) to classify and rate-limit traffic punted to the CPU, protecting the control plane from DoS floods and excessive management traffic.
- Apply CoPP with 'service-policy input POLICY' under 'control-plane' configuration mode; rate-limit or drop excess traffic categories such as routing-protocol, management, and undesirable packets.
- AAA with TACACS+ (TCP 49, encrypts the full packet, ideal for command authorization) or RADIUS (UDP, encrypts only the password, common for network access) centralizes authentication, authorization, and accounting.
- Use SSHv2 instead of Telnet for encrypted device management; require it on the VTY lines with 'transport input ssh' and generate an RSA key with 'crypto key generate rsa'.
- Prefix lists filter routes by network address plus prefix length and support 'ge'/'le' range matching; e.g., 'ip prefix-list PL permit 192.168.0.0/16 ge 24 le 28' matches prefixes inside that block with masks /24 through /28.
- Route filtering tools include prefix lists, distribute lists, and route maps; 'distribute-list 10 in' applies ACL 10 to inbound updates (e.g., for EIGRP), while BGP uses 'neighbor prefix-list' or 'neighbor route-map'.
- Route maps (used by PBR and BGP) match traffic/routes and set attributes; they are ordered, sequenced, and have an implicit deny at the end.
- Routing protocol authentication prevents spoofed updates: OSPF SHA uses a 'key chain' with 'cryptographic-algorithm hmac-sha-256' referenced by 'ip ospf authentication key-chain'; EIGRP named mode and BGP also support authentication.
- uRPF (Unicast Reverse Path Forwarding) mitigates source-IP spoofing by checking the source against the FIB: strict mode ('rx') requires the return path out the receiving interface, while loose mode ('ip verify unicast source reachable-via any') only requires a route to exist.
- DHCP snooping is an L2 feature distinguishing trusted ports (toward legitimate servers/uplinks) from untrusted access ports; it drops DHCP OFFER/ACK on untrusted ports to block rogue DHCP servers and builds a binding table.
- Infrastructure ACLs (iACLs) at network edges filter traffic destined to infrastructure device addresses from untrusted sources, while permitting transit traffic, to shield the control and management planes.
- Combine CoPP, routing-protocol authentication, iACLs, and uRPF for layered control-plane and data-plane protection; verify with 'show access-lists', 'show policy-map control-plane', and 'show ip cef' for uRPF/FIB checks.
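The prefix-list ge/le semantics from the filtering bullet above, using the guide's own entry 'ip prefix-list PL permit 192.168.0.0/16 ge 24 le 28'. This is an added example, not from the study guide; the second sequence in the list is constructed.

```python
"""IOS prefix-list matching with ge/le, using this guide's example entry
'ip prefix-list PL permit 192.168.0.0/16 ge 24 le 28'.

Added example, not from the study guide. Rules implemented: no ge/le means
exact network and length; ge only means length ge..32; le only means the
entry's own length up to le; ge and le means ge..le. The candidate must lie
inside the entry's network, the lowest matching sequence wins, and no match
is an implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PrefixListEntry:
    seq: int
    action: str               # "permit" or "deny"
    network: str              # e.g. "192.168.0.0/16"
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, candidate: str) -> bool:
        entry = ipaddress.ip_network(self.network)
        cand = ipaddress.ip_network(candidate)
        if not cand.subnet_of(entry):  # IPv4 only; mixed versions not handled
            return False
        lo = self.ge if self.ge is not None else entry.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else entry.prefixlen
        return lo <= cand.prefixlen <= hi


def evaluate(prefix_list, candidate):
    """Return 'permit' or 'deny' for the first matching sequence."""
    for entry in sorted(prefix_list, key=lambda e: e.seq):
        if entry.matches(candidate):
            return entry.action
    return "deny"  # implicit deny at the end of every prefix list


# Constructed list: a deny for /30 link networks ahead of the guide's entry
PL = [
    PrefixListEntry(5, "deny", "192.168.0.0/16", ge=30, le=30),
    PrefixListEntry(10, "permit", "192.168.0.0/16", ge=24, le=28),
]
```

Note that 192.168.0.0/16 itself is denied by this list: with ge/le present, the entry's own length is no longer matched, a frequent source of confusion.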
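The strict and loose uRPF checks from the bullet above, built on the longest-prefix-match lookup that Domain 1 describes. This is an added example, not from the study guide; the FIB contents and interface names are constructed.

```python
"""uRPF strict vs loose checks on top of a longest-prefix-match FIB lookup.

Added example, not from the study guide: the lookup applies the forwarding
rule (most specific route wins) and the two uRPF modes are evaluated
against its result. The FIB and interface names are constructed.
"""
import ipaddress

# Constructed FIB: prefix -> egress interface
FIB = {
    "0.0.0.0/0": "Gi0/0",      # default toward the ISP
    "10.0.0.0/8": "Gi0/1",     # internal aggregate
    "10.20.0.0/16": "Gi0/2",   # more specific internal block
    "192.0.2.0/24": "Gi0/3",   # customer segment
}
_FIB = sorted(((ipaddress.ip_network(p), i) for p, i in FIB.items()),
              key=lambda t: t[0].prefixlen, reverse=True)


def lookup(addr):
    """Longest-prefix match: return (network, interface) of the best route."""
    ip = ipaddress.ip_address(addr)
    for net, iface in _FIB:
        if ip in net:
            return net, iface
    return None, None


def urpf_permit(src, ingress_iface, mode="strict"):
    """True if a packet from `src` arriving on `ingress_iface` passes uRPF.

    strict ('reachable-via rx'): the best route back to the source must
    point out the ingress interface, so asymmetric routing fails the check.
    loose ('reachable-via any'): any route to the source suffices.
    A match on the default route alone does not count in either mode; IOS
    only allows that with the 'allow-default' keyword.
    """
    net, iface = lookup(src)
    if net is None or net.prefixlen == 0:
        return False
    if mode == "strict":
        return iface == ingress_iface
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode: {mode}")
```

A source inside 10.20.0.0/16 arriving on Gi0/1 is dropped by strict mode even though a route to it exists, which is why strict mode belongs on symmetric edges and loose mode on multihomed or asymmetric ones.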
Domain 4: Infrastructure Services
- NTP (RFC 5905) is a hierarchical clock-sync protocol over UDP 123; stratum 1 servers sync from authoritative reference clocks (GPS/atomic), and each lower tier (higher stratum number) syncs from the tier above it. Accurate time is essential for log correlation, certificates, and Kerberos.
- Configure a device as an NTP client with 'ntp server <ip>'; NTP authentication ('ntp authenticate', 'ntp authentication-key', 'ntp trusted-key') prevents spoofed time sources; using a few local stratum servers reduces WAN query cost.
- FHRPs provide default-gateway redundancy via a shared virtual IP/MAC: HSRP (Cisco-proprietary), VRRP (open standard, RFC 5798/3768), and GLBP (Cisco, load-balances across multiple active forwarders).
- HSRP elects an active router by highest priority (default 100), then highest IP; configure with 'standby 1 ip <vip>', 'standby 1 priority 110', and 'standby 1 preempt' to let a recovered higher-priority router reclaim active.
- HSRP and VRRP forward through a single active/master router (others standby), whereas GLBP uses an AVG to assign multiple AVFs so several routers forward simultaneously for true load sharing.
- The 'ip helper-address <server>' command makes a router a DHCP relay agent, converting client broadcasts into unicasts to a DHCP server on another subnet (also forwards several other UDP broadcast services by default).
- A router can be a DHCP server with 'ip dhcp pool', defining network, default-router, and dns-server; 'ip dhcp excluded-address' reserves addresses (like gateways and servers) from being leased - a cost-effective branch design.
- NetFlow / Flexible NetFlow captures flow metadata (source/dest IP, ports, protocol, byte/packet counts, timestamps) and exports it to a collector for capacity planning and anomaly detection; sampled NetFlow reduces storage and export load while preserving trends.
- SNMPv3 adds authentication and encryption with three levels - noAuthNoPriv, authNoPriv (HMAC-MD5/SHA), and authPriv (auth plus DES/AES) - unlike SNMPv1/v2c which use plaintext community strings; use SNMP traps/informs and longer poll intervals to reduce overhead.
- Syslog severity levels run 0 (emergency) to 7 (debug); set an appropriate level (e.g., 'logging trap notifications') so only relevant messages go to the central collector, and use NTP-synced timestamps for correlation.
- Model-driven telemetry (MDT) uses push-based streaming of YANG-modeled data over gRPC/NETCONF, which is more efficient and scalable than SNMP polling for high-frequency interface and platform metrics.
- DNS caching on the local router or resolver reduces redundant external query latency; configure with 'ip domain lookup' and 'ip name-server'.
- Object tracking ('track' objects) can tie FHRP priority to interface or route state so HSRP/VRRP fails over when an uplink goes down ('standby 1 track <obj> decrement <n>').
- Key verification commands: 'show ntp status'/'show ntp associations', 'show standby', 'show ip dhcp binding', 'show flow monitor', and 'show snmp'.
Cisco CCNP ENARSI (300-410) exam tips
- Expect heavy troubleshooting on this exam: practice reading 'show' and 'debug' output to diagnose broken EIGRP/OSPF adjacencies, BGP sessions stuck below Established, and redistribution loops rather than just memorizing configuration.
- Master the full BGP best-path decision list and the OSPF LSA types (1-5 and 7) cold - these are recurring high-yield topics that distinguish passing candidates.
- Build a lab (CML, EVE-NG, or GNS3) and configure DMVPN end to end, including NHRP, tunnel protection, and routing over the tunnel; verify with 'show dmvpn' and 'show crypto ipsec sa' so the moving parts stick.
- Know the exact filtering tool for each context: prefix lists with ge/le for route filtering, distribute-lists for IGP updates, route-maps for BGP attributes and PBR, and the difference between standard and extended ACLs.
- Memorize default Administrative Distances and FHRP/timer/port defaults (NTP UDP 123, BGP TCP 179, TACACS+ TCP 49, HSRP priority 100); the exam frequently hinges on a single default value.
Study guide FAQ
What are the prerequisites and exam logistics for the 300-410 ENARSI?
There are no formal prerequisites, but ENARSI is a CCNP Enterprise concentration exam, so you must also pass the 350-401 ENCOR core exam to earn the CCNP Enterprise certification. The exam is 90 minutes with roughly 55-65 questions, including multiple choice, drag-and-drop, and testlet-style items. Cisco does not publish a fixed passing score percentage; scores are scaled.
How is ENARSI different from the ENCOR core exam?
ENCOR (350-401) is broad, covering architecture, virtualization, wireless, automation, and security across enterprise networks. ENARSI (300-410) goes deep on advanced routing - EIGRP, OSPF, BGP, redistribution, DMVPN, MPLS L3VPN, infrastructure security, and services - with a strong troubleshooting emphasis. ENARSI assumes you already understand the routing fundamentals ENCOR introduces.
How much of the exam is configuration versus troubleshooting?
ENARSI is troubleshooting-heavy. Many questions present 'show'/'debug' output or a topology and ask you to identify why a protocol is failing or which command fixes it. You should be fluent at interpreting EIGRP topology tables, OSPF neighbor states, BGP session states, and IPsec/DMVPN status output - not just typing configuration from memory.
What is the most effective way to prepare for the Layer 3 and VPN domains?
Lab everything. Use CML, EVE-NG, or GNS3 to build EIGRP/OSPF/BGP redistribution scenarios and deliberately break them (mismatched K-values, area mismatches, missing feasible successors) so you learn the failure signatures. For VPN, configure DMVPN phases 1-3 with NHRP and IPsec tunnel protection and confirm spoke-to-spoke tunnels form, since hands-on repetition is what makes these topics stick under exam pressure.