Cisco CCNP ENCOR 350-401 Study Guide
The Cisco CCNP ENCOR 350-401 exam validates the skills needed to design, deploy, operate, and secure enterprise networks across wired and wireless infrastructure, plus modern overlays, security, and automation. It is a 120-minute exam drawn from a ~654-question pool covering architecture, virtualization, infrastructure, network assurance, security, and automation, and it serves as the core exam for the CCNP Enterprise certification and a qualifying exam for CCIE Enterprise. It is aimed at experienced network engineers (typically 3-5 years) responsible for enterprise networking technologies.
Domain 1: Architecture
- Enterprise campus design uses access, distribution, and core layers; the distribution layer is the boundary for ACLs, QoS marking, route summarization, and the Layer 2/Layer 3 demarcation.
- Cisco SD-Access uses a VXLAN data plane (for encapsulation/tunneling) plus a LISP control plane (for endpoint tracking and host mobility), with the underlay typically running IS-IS for reachability between fabric nodes.
- VXLAN's 24-bit VNI supports about 16 million segments, overcoming the 4,094 usable VLAN limit of the 12-bit 802.1Q VLAN ID, and it encapsulates Layer 2 frames in UDP/IP (destination UDP port 4789).
- In SD-Access, the Fabric Control Plane Node runs the LISP Map-Server/Map-Resolver, registering endpoint EID-to-RLOC mappings and resolving lookups; the Fabric Edge node is the ingress/egress for endpoints and sends Map-Requests when it lacks a mapping.
- The Fabric Border Node connects the SD-Access fabric to external networks and performs VXLAN-to-IP translation; internal borders connect to known routes, external (default) borders are the gateway of last resort.
- LISP separates endpoint identity (EID) from routing location (RLOC), providing endpoint-independent mapping that enables seamless host and wireless roaming across the fabric.
- Cisco SD-WAN separates control and data planes: vSmart is the centralized policy/control brain that uses OMP (Overlay Management Protocol) sessions with WAN Edge (vEdge/cEdge) routers to push control, data-plane, and application-aware routing (AAR) policies.
- vBond is the SD-WAN orchestrator that authenticates devices and handles initial onboarding (it must be reachable on a public IP); vManage is the centralized GUI/management and configuration plane.
- SD-WAN onboarding uses Zero-Touch Provisioning with certificate-based authentication; a device's chassis/serial number must be in the vManage authorized/allowed device list before it can join the fabric.
- BGP EVPN is the control plane for VXLAN in the data center; EVPN Type-2 (MAC/IP) routes distribute host MAC/IP bindings, enabling ARP suppression where a VTEP answers ARP locally from cached bindings.
- QoS DiffServ provides per-hop behavior (PHB) using the 6-bit DSCP field; DSCP 46 = Expedited Forwarding (EF) for real-time voice, and CS class selectors map to legacy IP precedence.
- Congestion management/avoidance: CBWFQ allocates guaranteed bandwidth to traffic classes, LLQ adds strict priority for voice, and WRED selectively drops to prevent TCP global synchronization, all applied egress.
- Wireless QoS uses WMM with four access categories; AC_VO (Voice) has the highest priority, followed by AC_VI (Video), AC_BE (Best Effort), and AC_BK (Background).
- OSPF area types: a stub area blocks Type 5 (external) LSAs; a totally stubby area blocks Type 3, 4, and 5 LSAs and injects only a default route; an NSSA allows external routes as Type 7 LSAs translated to Type 5 at the ABR.
Domain 2: Virtualization
- VRF-Lite creates multiple isolated routing/forwarding tables on a single device without MPLS, using 802.1Q subinterfaces; each VRF has its own table so overlapping address space can coexist.
- A VRF definition requires the VRF name, a route distinguisher (RD), and an address-family (e.g. address-family ipv4) before interfaces can be associated with it.
- Inter-VRF communication is not automatic; it requires route leaking via MP-BGP import/export route targets (RT) or hair-pinning traffic through an external device or firewall.
- GRE tunnels encapsulate many protocols but provide no encryption; the optional 32-bit GRE key field distinguishes multiple logical flows sharing the same tunnel endpoints.
- IPsec tunnel mode encapsulates the entire original IP packet behind a new outer IP header (used for site-to-site VPNs), while transport mode protects only the payload and keeps the original IP header.
- DMVPN combines multipoint GRE (mGRE), NHRP for dynamic spoke mapping, and IPsec for encryption; Phase 3 enables direct spoke-to-spoke tunnels using NHRP redirect/shortcut and supports route summarization at the hub.
- IKEv2 is more efficient than IKEv1: the initial IKE_SA_INIT and IKE_AUTH exchanges establish the IKE SA and negotiate the first CHILD_SA (IPsec SA) together, reducing round trips.
- A VTEP (VXLAN Tunnel Endpoint) performs VXLAN encapsulation/decapsulation of Ethernet frames into UDP/IP packets; on Nexus, a loopback configured as the NVE source interface is required to source VXLAN traffic.
- VXLAN adds roughly 50 bytes of overhead, so the underlay MTU must be increased (e.g. 1600+ or jumbo); an undersized underlay MTU is a common cause of inter-leaf VXLAN communication failure.
- GRE-over-IPsec in ESP tunnel mode with AES-256 adds substantial overhead (about 74+ bytes), which can fragment packets unless MTU/MSS is adjusted (e.g. ip tcp adjust-mss 1360).
- Catalyst 9800 WLC High Availability SSO (Stateful Switchover) pairs an active and standby WLC over a dedicated redundancy port (RP), synchronizing client and configuration state for zero/near-zero client disconnection on failover.
- FlexConnect (formerly H-REAP) lets remote/branch APs locally switch client traffic and continue serving clients in standalone mode during a WAN outage to the WLC, depending on WLAN switching mode.
- VRF instance limits on Cisco platforms are not fixed by the protocol; they are platform-dependent, constrained by available memory and TCAM resources.
- Data Center Interconnect options include OTV, which extends Layer 2 across a Layer 3 network with built-in loop prevention and unknown-unicast flood suppression, and VXLAN/EVPN for scalable multi-tenant fabrics.
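The VXLAN points above (24-bit VNI, UDP port 4789, roughly 50 bytes of overhead and the resulting underlay MTU requirement) are easier to remember once you have built the headers yourself. The following Python is an added example, not from the study guide or any Cisco code: it encapsulates a constructed Ethernet frame in outer Ethernet/IPv4/UDP/VXLAN headers, decapsulates it back with the sanity checks a VTEP would apply, and computes the outer packet size that the underlay MTU has to carry. MACs and IPs are constructed documentation values.

```python
import struct

VXLAN_UDP_PORT = 4789
MAX_VNI = (1 << 24) - 1            # 24-bit VNI: 16,777,215 (about 16 million segments)
VXLAN_FLAG_VNI_VALID = 0x08        # the "I" bit: the VNI field carries a valid value
ETH_LEN, IP_LEN, UDP_LEN, VXLAN_LEN = 14, 20, 8, 8
VXLAN_OVERHEAD = ETH_LEN + IP_LEN + UDP_LEN + VXLAN_LEN   # 50 bytes per encapsulated frame


def _mac(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def _ip(ip):
    return bytes(int(octet) for octet in ip.split("."))


def _ipv4_checksum(header):
    """One's-complement checksum over the 20-byte outer IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_encapsulate(inner_frame, vni, src_mac, dst_mac, src_ip, dst_ip, src_port=49152):
    """Wrap a complete inner Ethernet frame in outer Ethernet/IPv4/UDP/VXLAN headers."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI %d is outside the 24-bit range" % vni)
    # VXLAN header: flags(1) + reserved(3) + VNI(3) + reserved(1)
    vxlan_hdr = struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8)
    udp_len = UDP_LEN + VXLAN_LEN + len(inner_frame)
    # A zero UDP checksum is permitted for VXLAN over IPv4.
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + udp_len, 0, 0x4000,  # DF set
                         64, 17, 0, _ip(src_ip), _ip(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00"
    return eth_hdr + ip_hdr + udp_hdr + vxlan_hdr + inner_frame


def vxlan_decapsulate(packet):
    """Validate the outer headers and return (vni, inner_frame); raise ValueError otherwise."""
    if packet[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[ETH_LEN] & 0x0F) * 4
    if packet[ETH_LEN + 9] != 17:
        raise ValueError("outer packet is not UDP")
    udp_off = ETH_LEN + ihl
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[udp_off:udp_off + UDP_LEN])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port %d is not VXLAN" % dst_port)
    vx_off = udp_off + UDP_LEN
    flags_word, vni_word = struct.unpack("!II", packet[vx_off:vx_off + VXLAN_LEN])
    if not (flags_word >> 24) & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    return vni_word >> 8, packet[vx_off + VXLAN_LEN:udp_off + udp_len]


def required_underlay_mtu(inner_ip_mtu=1500):
    """Outer IP packet size when the inner frame carries a full inner_ip_mtu payload."""
    inner_frame_len = ETH_LEN + inner_ip_mtu
    return IP_LEN + UDP_LEN + VXLAN_LEN + inner_frame_len   # 1550 for a 1500-byte inner MTU


if __name__ == "__main__":
    # Constructed inner frame: 14-byte Ethernet header plus a 1500-byte payload.
    inner = _mac("00:00:5e:00:53:01") + _mac("00:00:5e:00:53:02") + b"\x08\x00" + b"A" * 1500
    outer = vxlan_encapsulate(inner, 10100, "00:00:5e:00:53:aa", "00:00:5e:00:53:bb",
                              "192.0.2.1", "192.0.2.2")
    print(len(outer) - len(inner), vxlan_decapsulate(outer)[0], required_underlay_mtu())
```

The 50-byte figure is the sum of the four outer headers; with a 1500-byte inner IP MTU the outer IP packet is 1550 bytes, which is why an underlay left at 1500 silently fragments or drops inter-leaf traffic and why the guide recommends 1600 or jumbo frames.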
Domain 3: Infrastructure
- OSPF route preference (lowest is best): intra-area (O) over inter-area (O IA) over external Type 1 (E1, includes internal cost) over external Type 2 (E2, fixed external cost); a Type 3 Summary LSA is generated by an ABR to advertise inter-area summaries.
- OSPF default administrative distance is 110, EIGRP internal is 90 (external 170), iBGP 200, eBGP 20, RIP 120, and static 1; a lower AD or a more specific route prevents a competing route from being installed.
- EIGRP requires matching AS numbers and matching K-values to form an adjacency; mismatched K-values block neighborship even when AS numbers match, and EIGRP cannot peer across different ASes.
- An EIGRP route goes Active (sends Queries) when it loses its successor and has no feasible successor; if a neighbor does not Reply before the active timer (default 3 minutes), the route is declared Stuck-in-Active (SIA).
- An EIGRP summary (or auto-summary) route installs a discard route to Null0 with an administrative distance of 5 to prevent routing loops for the summarized block.
- BGP best-path selection order starts with highest Weight (Cisco-local, default 0), then highest Local Preference (default 100), then locally originated, then shortest AS-path; use a route-map to set higher weight for routes from a specific neighbor.
- A BGP RIB-failure (status code 'r') means BGP selected the best path but the RIB rejected it because another protocol's route has a lower AD; a BGP neighbor stuck in Active state usually means the peer lacks a matching neighbor statement.
- HSRPv2 supports up to 4096 groups (vs 256 in v1) and millisecond timers; active-active load sharing is achieved by running multiple HSRP groups and making different switches active for different VLANs.
- PIM Sparse Mode uses an explicit-join model: receivers signal membership via IGMP, routers send PIM Joins toward the RP to build the shared (RPT) tree, and first-hop routers register sources with the RP before a switch to the shortest-path tree (SPT).
- RSTP/Rapid PVST+ consolidates the legacy 802.1D Disabled, Blocking, and Listening states into a single Discarding state; port roles are Root, Designated, Alternate, and Backup.
- STP protection: BPDU Guard err-disables an access (PortFast) port that receives a BPDU, Root Guard prevents a port from becoming root if a superior BPDU arrives, and Loop Guard prevents alternate/root ports from transitioning on BPDU loss.
- EtherChannel load balancing on Catalyst switches can use source MAC, destination MAC, source/dest MAC, or source/dest IP; LACP (802.3ad) and PAgP (Cisco) negotiate bundles, and mismatched parameters keep links out of the channel.
- default-information originate injects a default route into OSPF (add 'always' to advertise even without a local default); the DMVPN hub commonly uses OSPF network type point-to-multipoint to avoid DR/BDR issues over mGRE.
- Wireless RRM uses DCA (Dynamic Channel Assignment) and TPC (Transmit Power Control) to minimize co-channel interference; an intra-controller roam is movement between APs on the same WLC, while inter-controller roams cross WLCs (Layer 2 or Layer 3).
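The BGP best-path order in this domain is a frequent drag-and-drop item, and the easiest way to fix it in memory is to implement it as a sort key. The Python below is an added example (not from the study guide or Cisco software): it applies the four steps the guide lists (weight, local preference, locally originated, AS-path length) and, going a little beyond the text, continues through the well-known later tie-breakers (origin, MED, eBGP over iBGP, IGP metric, router ID). One simplification is labelled in the code: MED is compared between all paths, as `bgp always-compare-med` would do, whereas a real router compares MED only between paths from the same neighboring AS. The sample paths are constructed.

```python
from dataclasses import dataclass
from typing import List

# Origin codes ranked as the selection process prefers them: IGP < EGP < incomplete.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

STEP_NAMES = ("weight", "local_pref", "locally_originated", "as_path_length",
              "origin", "med", "ebgp_over_ibgp", "igp_metric", "router_id")


@dataclass
class BgpPath:
    prefix: str
    neighbor: str            # peer address; "local" marks a locally originated path
    as_path: List[int]
    weight: int = 0          # Cisco-local attribute, default 0 for learned paths
    local_pref: int = 100    # default 100
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0      # IGP cost to reach the BGP next hop
    router_id: str = "0.0.0.0"

    @property
    def locally_originated(self) -> bool:
        return self.neighbor == "local"


def _rid(rid: str):
    return tuple(int(octet) for octet in rid.split("."))


def best_path_key(p: BgpPath):
    """Tuple in selection order; the path with the smallest key wins.
    Simplification: MED is compared unconditionally (like bgp always-compare-med)."""
    return (-p.weight, -p.local_pref, 0 if p.locally_originated else 1, len(p.as_path),
            ORIGIN_RANK[p.origin], p.med, 0 if p.ebgp else 1, p.igp_metric, _rid(p.router_id))


def select_best(paths: List[BgpPath]) -> BgpPath:
    return min(paths, key=best_path_key)


def deciding_step(a: BgpPath, b: BgpPath) -> str:
    """Name the first selection step at which two paths differ ('tie' if none)."""
    for name, x, y in zip(STEP_NAMES, best_path_key(a), best_path_key(b)):
        if x != y:
            return name
    return "tie"


def set_neighbor_weight(paths: List[BgpPath], neighbor: str, weight: int) -> None:
    """Emulate an inbound route-map (or 'neighbor <ip> weight <n>') that sets weight."""
    for p in paths:
        if p.neighbor == neighbor:
            p.weight = weight


# Constructed paths for one prefix, as a BGP table might hold them.
SAMPLE_PATHS = [
    BgpPath("203.0.113.0/24", "10.0.0.1", [65001, 65005], router_id="10.0.0.1"),
    BgpPath("203.0.113.0/24", "10.0.0.2", [65002], local_pref=200, router_id="10.0.0.2"),
    BgpPath("203.0.113.0/24", "10.0.0.3", [65003, 65004, 65006], router_id="10.0.0.3"),
]

if __name__ == "__main__":
    print(select_best(SAMPLE_PATHS).neighbor)                    # 10.0.0.2 wins on local preference
    print(deciding_step(SAMPLE_PATHS[0], SAMPLE_PATHS[2]))        # as_path_length
    set_neighbor_weight(SAMPLE_PATHS, "10.0.0.3", 500)
    print(select_best(SAMPLE_PATHS).neighbor)                    # 10.0.0.3 now wins on weight
```

The third sample path has the longest AS path and loses until a weight is applied to its neighbor, which illustrates why weight (local to the router, never advertised) overrides every other attribute in the Cisco process.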
Domain 4: Network Assurance
- Cisco IP SLA generates synthetic test traffic; the UDP Jitter (and UDP Jitter for VoIP) operation measures latency, jitter, and packet loss, making it the right choice for assessing voice/VoIP quality.
- IP SLA combined with object tracking enables failover: a track object follows the probe result, and a primary static route configured with the track keyword is withdrawn when the probe fails, promoting a floating backup route.
- Flexible NetFlow (NetFlow v9 and IPFIX/v10) uses a template-based architecture where the flow record defines exactly which key and non-key fields identify and describe a flow (custom records vs the fixed v5 7-tuple).
- Traditional NetFlow v5 keys on a 5-tuple plus ingress interface and ToS, but DSCP is not part of the classic key fields; Flexible NetFlow lets you add DSCP and many other fields as keys.
- SNMPv3 adds security over SNMPv2c's cleartext community strings using the User-based Security Model (USM): noAuthNoPriv, authNoPriv (HMAC-MD5/SHA), and authPriv (auth plus AES/DES payload encryption).
- SNMP Inform messages are acknowledged (reliable, request-response) while Traps are unacknowledged UDP and can be lost; Informs cost more resources because the sender retransmits until acknowledged.
- Syslog severity levels run 0-7: 0 Emergency, 1 Alert, 2 Critical, 3 Error, 4 Warning, 5 Notification, 6 Informational, 7 Debug; lower numbers are more severe.
- SPAN mirrors traffic between ports on the same switch; RSPAN extends mirroring across switches using a dedicated RSPAN VLAN; ERSPAN encapsulates mirrored traffic in GRE to transport it across a routed (Layer 3) network.
- Cisco DNA Center (Catalyst Center) AI-Driven Network Analytics and Assurance baselines normal behavior with machine learning and performs automated root cause analysis for connectivity and client issues.
- The DNAC Client Health dashboard gives a holistic wired/wireless client health score; onboarding failures should be investigated starting with the AAA authentication and DHCP phases.
- AI-Driven Issues and Insights uses ML to set dynamic baselines and detect anomalies, surfacing actionable issues rather than just raw counters.
- High-volume flows to TCP port 445 (SMB) from one source spread across many destination hosts are a classic NetFlow signature of a worm or malware performing lateral movement.
- NETCONF/RESTCONF and model-driven streaming telemetry are replacing SNMP polling for high-frequency, push-based monitoring at scale.
- Debug commands and conditional debugging are powerful but CPU-intensive; use debug sparingly on production devices and prefer logging, SPAN, IP SLA, or NetFlow for ongoing assurance.
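To make the SMB fan-out signature concrete, here is an added Python example (not from the study guide or any Cisco tool) that runs detection logic over constructed NetFlow-style records. It parses a simplified comma-separated export, groups SMB flows by source, and flags any source that talks to an unusually large number of distinct destination hosts on port 445, reporting the average packets per flow, which tends to be small for probing traffic. Ordinary client-to-file-server traffic, where many sources reach one destination, is deliberately not flagged because the key is the source.

```python
from collections import defaultdict

# Constructed flow records, field order: src_ip,dst_ip,proto,dst_port,packets,bytes
SAMPLE_FLOWS = [
    "10.1.1.10,10.1.50.5,6,445,40,8000",      # workstation to the file server: normal
    "10.1.1.11,10.1.50.5,6,445,37,7500",
    "10.1.1.12,10.1.50.5,6,445,12,2100",
    "10.1.1.10,203.0.113.9,6,443,120,90000",  # HTTPS, not relevant to this signature
] + ["10.1.1.77,10.1.2.%d,6,445,3,180" % host for host in range(1, 41)]  # one host to 40 peers


def parse_flow(line):
    src, dst, proto, dport, pkts, nbytes = line.strip().split(",")
    return {"src": src, "dst": dst, "proto": int(proto), "dport": int(dport),
            "pkts": int(pkts), "bytes": int(nbytes)}


def smb_fanout(flows, port=445):
    """Per source: distinct destination hosts, flow count and total packets for TCP/<port>."""
    stats = defaultdict(lambda: {"dsts": set(), "flows": 0, "pkts": 0})
    for f in flows:
        if f["proto"] == 6 and f["dport"] == port:
            s = stats[f["src"]]
            s["dsts"].add(f["dst"])
            s["flows"] += 1
            s["pkts"] += f["pkts"]
    return stats


def detect_lateral_movement(flows, min_hosts=10, port=445):
    """Return [(src, distinct_dsts, avg_pkts_per_flow)] for sources fanning out past min_hosts."""
    alerts = []
    for src, s in smb_fanout(flows, port).items():
        distinct = len(s["dsts"])
        if distinct >= min_hosts:
            alerts.append((src, distinct, round(s["pkts"] / s["flows"], 2)))
    return sorted(alerts, key=lambda a: a[1], reverse=True)


def scan_netflow_lines(lines, min_hosts=10):
    return detect_lateral_movement([parse_flow(l) for l in lines if l.strip()], min_hosts)


if __name__ == "__main__":
    for src, hosts, avg_pkts in scan_netflow_lines(SAMPLE_FLOWS):
        print("ALERT %s reached %d hosts on TCP/445, avg %.1f packets per flow" % (src, hosts, avg_pkts))
```

The threshold (`min_hosts`) is the tunable a SOC would set from a baseline of how many SMB peers a workstation normally has; the same grouping works for any port, which is why the function takes the port as a parameter.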
Domain 5: Security
- IEEE 802.1X uses three roles: the supplicant (endpoint), the authenticator (switch/AP that relays EAP), and the authentication server (RADIUS, typically Cisco ISE); the switch enforces port access based on the server's decision.
- 802.1X fallback methods are MAB (MAC Authentication Bypass, for non-802.1X devices) and Web Authentication (WebAuth); a common contractor flow is MAB followed by Central Web Authentication (CWA) via an ISE portal.
- Host modes on a switchport: single-host, multi-host, multi-auth, and Multi-Domain Authentication (MDA), which authenticates a phone in the voice domain and a PC in the data domain separately on one port.
- AAA separates Authentication (who you are), Authorization (what you can do - assigns attributes/permitted commands and dACLs/VLANs), and Accounting (logging of activity).
- Cisco TrustSec uses Security Group Tags (SGTs) to enforce policy by user/device role instead of IP; the SGT is carried inline in the Cisco MetaData (CMD) field between the 802.1Q tag and the Layer 3 header, or propagated out-of-band via SXP.
- MACsec (IEEE 802.1AE) provides hop-by-hop Layer 2 encryption between directly connected devices; MKA (MACsec Key Agreement) handles key management and establishes the secure associations.
- WPA3-Enterprise 192-bit mode aligns with NSA Suite B, mandating GCMP-256 for encryption and HMAC-SHA-384 for integrity, providing the strongest enterprise Wi-Fi protection on Catalyst 9800 WLCs.
- Layer 2 protections: DHCP Snooping blocks rogue DHCP servers and builds an IP-to-MAC binding table; Dynamic ARP Inspection (DAI) validates ARP against that table to stop ARP spoofing/MITM; together they defeat gratuitous-ARP attacks.
- IP Source Guard uses the DHCP snooping binding table to filter traffic by source IP/MAC, and port security limits the number of MAC addresses per port to mitigate MAC flooding.
- Control Plane Policing (CoPP) applies a QoS policy to traffic destined to the route processor, rate-limiting or dropping control-plane threats (malformed BGP, ICMP floods); routing protocols (OSPF/EIGRP/BGP) get the most permissive class.
- Unicast Reverse Path Forwarding (uRPF) checks that a packet's source IP is reachable via the interface it arrived on (strict mode) to mitigate IP spoofing and DoS amplification.
- Infrastructure ACLs (iACLs) explicitly permit management (SSH/HTTPS from authorized subnets) and routing-protocol traffic from known peers, then deny other traffic to infrastructure addresses; extended ACLs filter on source/dest IP, protocol, and ports.
- Cisco ISE posture assessment checks endpoint compliance (antivirus, OS patch level) before granting full access, quarantining non-compliant hosts to a remediation VLAN until they pass.
- Management-plane hardening uses SSH (not Telnet), AAA, role-based CLI access, and disabling unused services; data-plane controls include private VLANs, storm control, and ACLs.
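The interplay between DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard is easiest to see as one state machine keyed on the snooping binding table. The Python below is an added example (not from the study guide or Cisco IOS) that models those decisions on a single switch: server-side DHCP messages are accepted only from trusted ports, an ACK seen on a trusted port creates a binding for the client's access port, and ARP or IP traffic on untrusted ports is then checked against that binding. Port names, MACs, and addresses are constructed; the port-level match in the ARP and IP checks is a modelling choice here, not a claim about the exact IOS validation options.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """In-memory model of DHCP snooping, DAI and IP Source Guard decisions on one switch."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)                   # uplinks toward the real DHCP server
        self.client_ports: Dict[Tuple[str, int], str] = {}  # (mac, vlan) -> access port of the client
        self.bindings: Dict[Tuple[str, int], Binding] = {}  # (mac, vlan) -> learned binding

    def dhcp_client_message(self, port, vlan, client_mac):
        """DISCOVER/REQUEST from a host: remember which access port the client is on."""
        self.client_ports[(client_mac, vlan)] = port
        return True

    def dhcp_server_message(self, port, vlan, client_mac, offered_ip, kind):
        """OFFER/ACK: accepted only from trusted ports; an ACK creates the binding."""
        if port not in self.trusted:
            return False, "DHCP server message dropped on untrusted port %s" % port
        if kind == "ACK":
            client_port = self.client_ports.get((client_mac, vlan))
            if client_port is None:
                return False, "ACK ignored: no client request seen for %s" % client_mac
            self.bindings[(client_mac, vlan)] = Binding(client_mac, offered_ip, vlan, client_port)
            return True, "binding added for %s" % client_mac
        return True, "%s forwarded" % kind

    def arp_check(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP pair must match a binding."""
        if port in self.trusted:
            return True, "trusted port, not inspected"
        b = self.bindings.get((sender_mac, vlan))
        if b is None or b.ip != sender_ip or b.port != port:
            return False, "ARP %s/%s on %s does not match the binding table" % (sender_mac, sender_ip, port)
        return True, "ARP matches binding"

    def ipsg_check(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: IP traffic on untrusted ports must come from a bound (MAC, IP, port)."""
        if port in self.trusted:
            return True, "trusted port"
        b = self.bindings.get((src_mac, vlan))
        if b is None or b.ip != src_ip or b.port != port:
            return False, "source %s/%s is not bound to %s" % (src_mac, src_ip, port)
        return True, "source verified"


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted_ports=["Gi1/0/24"])
    sw.dhcp_client_message("Gi1/0/1", 10, "00:00:5e:00:53:01")
    print(sw.dhcp_server_message("Gi1/0/7", 10, "00:00:5e:00:53:01", "10.0.10.50", "OFFER"))
    print(sw.dhcp_server_message("Gi1/0/24", 10, "00:00:5e:00:53:01", "10.0.10.50", "ACK"))
    print(sw.arp_check("Gi1/0/1", 10, "00:00:5e:00:53:01", "10.0.10.50"))
    print(sw.arp_check("Gi1/0/1", 10, "00:00:5e:00:53:01", "10.0.10.1"))   # claims the gateway IP
```

The last line shows the defeated gratuitous-ARP case from the study notes: the host's MAC is bound to 10.0.10.50, so an ARP announcing the gateway address from that MAC fails inspection and is dropped before any neighbor's ARP cache can be poisoned.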
Domain 6: Automation
- NETCONF is an XML-based protocol that runs over SSH on TCP port 830 and uses RPC operations such as get, get-config, edit-config, and copy-config to manage device configuration and state.
- NETCONF edit-config supports per-node operation attributes (merge default, replace, create, delete, remove); operation='replace' on a subtree (e.g. OSPF) atomically swaps that subtree's contents while leaving other config untouched.
- NETCONF supports multiple datastores (running, candidate, startup) plus commit and rollback; edit-config and copy-config act on the candidate/running datastore depending on device support.
- RESTCONF is a REST/HTTP-based protocol that maps HTTP verbs to operations: GET (retrieve), POST (create, fails if the resource already exists), PUT (create/replace), PATCH (merge), DELETE (remove), accessed under the /restconf/data/ path.
- RESTCONF supports JSON and XML encodings; clients set Accept: application/yang-data+json (or +xml) to request the desired response format and Content-Type for the body.
- HTTP status codes matter in automation: 200/201 success, 204 no content, 400 bad request, 401 unauthorized, 404 not found, and 409 Conflict signals a state conflict such as creating a VLAN that already exists.
- YANG (RFC 6020/7950) is the data-modeling language used by both NETCONF and RESTCONF; it defines a hierarchical tree of containers, lists, leaves, and reusable grouping definitions plus data types and constraints.
- Operational vs configuration YANG models differ; to read live BGP neighbor state you query an operational model such as Cisco-IOS-XE-bgp-oper with a NETCONF get and a subtree/XPath filter.
- Ansible is agentless, pushing changes over SSH or NETCONF with no software installed on managed nodes; playbooks and inventory are written in YAML, and tasks are idempotent by design.
- Puppet (and Chef) traditionally use a pull model with an agent/daemon on each managed node; Puppet manifests use a Ruby-based declarative DSL, contrasting with Ansible's agentless push model.
- Netmiko is the Python library for SSH-based CLI interaction with network devices (screen-scraping), while ncclient is the Python library for NETCONF and the requests library is used for RESTCONF calls.
- Python list comprehensions efficiently filter API data, e.g. [d['hostname'] for d in data['response'] if d['reachabilityStatus'] == 'Reachable'] returns hostnames of reachable devices from a DNAC response.
- Git provides version control for network configurations and Infrastructure-as-Code, tracking changes, enabling branching/rollback, and supporting peer review of automation code.
- Common data formats: JSON and XML are structured/machine-parseable while YAML is human-readable and used for Ansible; understanding key-value, list, and nested-object structures is essential for parsing API responses.
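The edit-config operations, the candidate/running datastores, and the RESTCONF verb-to-status mapping (including the 409 on a duplicate create) are all about what happens to a configuration tree. The Python below is an added example, not from the study guide, ncclient, or any Cisco device: it simulates those semantics on an in-memory datastore so you can see merge keep sibling OSPF processes while replace swaps the whole subtree, and see a candidate edit leave running untouched until commit. The `Device`, `apply_edit`, and `restconf_request` names and the path-as-key-list convention are this example's own; real RESTCONF POSTs target the parent resource, which the comment notes.

```python
import copy


class DataExists(Exception):
    """NETCONF 'data-exists' error; RESTCONF reports it as 409 Conflict."""


class DataMissing(Exception):
    """NETCONF 'data-missing' error; RESTCONF reports it as 404 Not Found."""


def _deep_merge(old, new):
    if isinstance(old, dict) and isinstance(new, dict):
        merged = dict(old)
        for k, v in new.items():
            merged[k] = _deep_merge(old[k], v) if k in old else copy.deepcopy(v)
        return merged
    return copy.deepcopy(new)


def _exists(ds, path):
    node = ds
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return True


def apply_edit(datastore, path, value=None, operation="merge"):
    """Apply one edit-config operation to a copy of datastore and return the copy.
    path is a list of keys such as ["router", "ospf"]; value is that node's new subtree."""
    ds = copy.deepcopy(datastore)
    parent = ds
    for key in path[:-1]:
        if key not in parent:
            if operation == "delete":
                raise DataMissing("/".join(path))
            if operation == "remove":
                return ds                     # remove is silent when the target is absent
            parent[key] = {}
        parent = parent[key]
    leaf, exists = path[-1], path[-1] in parent
    if operation == "merge":                  # the default: add/overwrite, keep siblings
        parent[leaf] = _deep_merge(parent[leaf], value) if exists else copy.deepcopy(value)
    elif operation == "replace":              # atomically swap the whole subtree
        parent[leaf] = copy.deepcopy(value)
    elif operation == "create":               # fails if the node already exists
        if exists:
            raise DataExists("/".join(path))
        parent[leaf] = copy.deepcopy(value)
    elif operation == "delete":               # fails if the node is missing
        if not exists:
            raise DataMissing("/".join(path))
        del parent[leaf]
    elif operation == "remove":
        parent.pop(leaf, None)
    else:
        raise ValueError("unknown operation %r" % operation)
    return ds


class Device:
    """Candidate and running datastores with commit/discard, as a NETCONF server exposes them."""

    def __init__(self, running):
        self.running = copy.deepcopy(running)
        self.candidate = copy.deepcopy(running)

    def edit_config(self, path, value=None, operation="merge", target="candidate"):
        setattr(self, target, apply_edit(getattr(self, target), path, value, operation))

    def commit(self):
        self.running = copy.deepcopy(self.candidate)

    def discard_changes(self):
        self.candidate = copy.deepcopy(self.running)


RESTCONF_OPERATION = {"POST": "create", "PUT": "replace", "PATCH": "merge", "DELETE": "delete"}


def restconf_request(device, verb, path, body=None):
    """Edit the running datastore directly (RESTCONF has no candidate) and return an HTTP status.
    For simplicity path names the resource itself, whereas a real POST targets its parent."""
    op = RESTCONF_OPERATION.get(verb)
    if op is None:
        return 405
    existed = _exists(device.running, path)
    try:
        device.edit_config(path, body, op, target="running")
    except DataExists:
        return 409
    except DataMissing:
        return 404
    return 201 if verb == "POST" or (verb == "PUT" and not existed) else 204


# Constructed running configuration.
RUNNING = {
    "interfaces": {"GigabitEthernet1": {"description": "uplink", "mtu": 1500}},
    "router": {"ospf": {"1": {"router-id": "1.1.1.1"}}},
}

if __name__ == "__main__":
    dev = Device(RUNNING)
    dev.edit_config(["router", "ospf"], {"2": {"router-id": "2.2.2.2"}}, "replace")
    print(sorted(dev.candidate["router"]["ospf"]), sorted(dev.running["router"]["ospf"]))  # ['2'] ['1']
    print(restconf_request(Device(RUNNING), "POST", ["interfaces", "GigabitEthernet1"], {}))  # 409
```

Run with merge instead of replace and the candidate keeps both OSPF processes; that difference, and the 409 from a POST against an existing interface, are exactly the behaviours the exam asks you to predict from a snippet.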
Cisco CCNP ENCOR 350-401 exam tips
- Master the SD-Access and SD-WAN component-to-function mapping cold: in SD-Access know LISP=control plane, VXLAN=data plane, and the role of edge/border/control-plane nodes; in SD-WAN know vManage=management, vSmart=control/OMP policy, vBond=orchestrator, WAN Edge=data plane.
- Expect drag-and-drop and matching items; memorize ordered lists exactly (BGP best-path order, OSPF route preference, syslog severity 0-7, administrative distance values, and the WMM access-category priorities).
- For the automation domain, be able to read code, not just define terms: practice tracing Python dict/list-comprehension output, identifying HTTP verbs/status codes (especially 409), and distinguishing NETCONF edit-config operations (merge vs replace).
- Know default values and gotchas precisely - EIGRP active timer (3 min), HSRPv2 group count (4096), NETCONF port 830, DSCP EF=46, VXLAN UDP 4789 and ~50-byte overhead requiring larger underlay MTU - because the exam tests exact numbers.
- Budget your 120 minutes: you cannot go back once you submit a question on the Cisco engine, so read carefully the first time, eliminate clearly wrong options, and do not over-invest in any single multi-part simulation.
Study guide FAQ
How long is the exam, how many questions, and what score do I need to pass?
ENCOR 350-401 runs 120 minutes and typically presents around 90-110 scenario, multiple-choice, and drag-and-drop questions (Cisco does not publish a fixed count). Cisco scores on a scaled range; the commonly cited passing target is about 825 out of 1000, though Cisco does not officially confirm a single fixed cut score.
What does ENCOR qualify me for and how does it fit the CCNP Enterprise track?
ENCOR 350-401 is the single core exam for CCNP Enterprise; you pass it plus one concentration exam (such as ENARSI, ENSDWI, or ENAUTO) to earn CCNP Enterprise. ENCOR is also the qualifying core exam for the CCIE Enterprise Infrastructure and CCIE Enterprise Wireless lab tracks.
How much of the exam is automation and programmability, and how deep does it go?
Automation is a substantial domain (roughly 15% of the blueprint). You need working familiarity with NETCONF/RESTCONF, YANG, JSON/XML/YAML, basic Python (interpreting data structures and scripts), and the differences between tools like Ansible, Puppet, Chef, and libraries like Netmiko - you will read short code/config snippets and predict behavior, not write large programs.
Do I need hands-on lab practice, or is reading enough to pass?
Hands-on practice is strongly recommended. Many items are scenario-based and require interpreting CLI output (OSPF/BGP/EIGRP states, STP roles, show command output) and recognizing misconfigurations. Use Cisco Modeling Labs, EVE-NG, or physical gear plus a DevNet sandbox for NETCONF/RESTCONF and DNA Center practice to reinforce the concepts.