🚀 Launch Special: $29/mo for life --d --h --m --s Claim Your Price →
350-401
Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.

Notify me
350-401 Cisco Systems Coming Soon

CCNP Enterprise Core

Students master core CCNP Enterprise concepts—architecture, virtualization, infrastructure, network assurance, and security—through hands‑on labs and scenario‑based troubleshooting, preparing them to design, implement, and secure enterprise networks.

120
Minutes
103
Questions
$400
Exam Cost

Who Should Take This

Network engineers with three to five years of enterprise implementation and troubleshooting experience seeking to validate and expand their expertise in advanced routing, automation, and security. They aim to earn the CCNP Enterprise Core certification to qualify for higher‑level responsibilities and career advancement within large‑scale network environments.

What's Covered

1 All domains in the Cisco CCNP Enterprise Core (ENCOR 350-401) exam: Architecture
2 , Virtualization
3 , Infrastructure
4 , Network Assurance
5 , Security
6 , and Automation

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

72 learning goals
1 Domain 1: Architecture
4 topics

Enterprise network design

  • Evaluate hierarchical network design principles including access, distribution, and core layers to recommend a campus architecture that meets scalability and convergence requirements.
  • Design a collapsed core architecture for small-to-medium enterprise campuses, selecting appropriate switching platforms and uplink capacities to meet bandwidth and redundancy requirements.
  • Implement high availability mechanisms including HSRP, VRRP, and GLBP to provide gateway redundancy for enterprise endpoints across multiple distribution switches.
  • Analyze the impact of Stateful Switchover and Nonstop Forwarding on control plane and data plane convergence during supervisor failover events in enterprise chassis switches.

SD-WAN architecture

  • Implement Cisco SD-WAN overlay topology using vManage, vBond, vSmart, and vEdge/cEdge components to establish secure fabric connectivity across branch sites.
  • Configure SD-WAN application-aware routing policies to steer traffic based on SLA metrics including latency, jitter, and packet loss across multiple WAN transports.
  • Evaluate SD-WAN control plane operations including OMP route advertisement, TLOC extensions, and vSmart policy distribution to assess overlay path selection behavior.

SD-Access architecture

  • Implement Cisco SD-Access fabric using DNA Center to provision underlay, overlay, and policy planes for automated campus segmentation and endpoint onboarding.
  • Configure SD-Access fabric roles including control plane nodes, border nodes, and edge nodes to establish LISP-based host mobility and VXLAN data plane forwarding.
  • Design an SD-Access migration strategy from traditional campus to fabric-enabled campus, planning phased deployment of fabric domains and external connectivity.

Wireless architecture

  • Deploy Cisco wireless LAN controllers in centralized and Flex Connect modes, configuring AP join profiles, high availability SSO pairs, and mobility groups.
  • Evaluate wireless deployment models including centralized, distributed, and cloud-managed architectures to recommend the optimal model for a given enterprise environment.
2 Domain 2: Virtualization
4 topics

VRF and Layer 3 virtualization

  • Configure VRF-Lite on Layer 3 switches and routers to create isolated routing tables for multi-tenant or segmented enterprise environments without MPLS dependency.
  • Implement inter-VRF route leaking using static routes and route targets to enable controlled communication between isolated routing domains in a multi-VRF campus design.
  • Analyze VRF-aware routing protocol behavior with OSPF and EIGRP to evaluate route propagation and convergence within and between virtual routing instances.

Tunneling technologies

  • Configure GRE tunnels between enterprise routers to transport multiprotocol traffic over an IP backbone, including recursive routing prevention and tunnel keepalive mechanisms.
  • Implement IPsec site-to-site VPN tunnels using IKEv2 with pre-shared keys and certificate-based authentication to encrypt enterprise WAN traffic between branch offices.
  • Compare GRE over IPsec, native IPsec tunnel mode, and DMVPN Phase 3 to recommend the optimal VPN architecture for a multi-site enterprise with dynamic spoke-to-spoke requirements.

Overlay technologies

  • Implement LISP control plane operations including map-server registration, map-resolver lookups, and EID-to-RLOC mappings for host mobility across enterprise routed domains.
  • Configure VXLAN with BGP EVPN control plane to extend Layer 2 domains across a Layer 3 underlay, enabling workload mobility and multi-tenancy in enterprise data center interconnect scenarios.
  • Evaluate the tradeoffs between LISP-based and VXLAN/EVPN-based overlay fabrics for enterprise campus segmentation, considering scalability, control plane complexity, and integration with SD-Access.

Path virtualization

  • Design a network virtualization strategy combining VRF segmentation, overlay tunnels, and policy-based routing to meet enterprise multi-tenancy and compliance isolation requirements.
3 Domain 3: Infrastructure
8 topics

Spanning Tree Protocol

  • Configure RSTP and MST on enterprise switches to achieve rapid convergence and VLAN-to-instance mapping that reduces the number of spanning tree instances while maintaining loop-free topologies.
  • Analyze spanning tree topology changes, root bridge elections, and port state transitions to diagnose convergence delays and suboptimal forwarding paths in multi-switch environments.
  • Implement STP protection mechanisms including BPDU Guard, Root Guard, and Loop Guard to prevent unauthorized root bridge claims and unidirectional link failures.

EtherChannel and link aggregation

  • Configure LACP and PAgP EtherChannel bundles between switches, verifying port-channel load balancing algorithms and troubleshooting member port inconsistencies.
  • Evaluate EtherChannel hash distribution across member links to assess traffic balancing effectiveness and recommend load-balancing method adjustments for specific traffic patterns.

OSPF routing

  • Configure OSPFv2 and OSPFv3 multi-area deployments with area types including stub, totally stubby, and NSSA to optimize LSA flooding and routing table size in enterprise networks.
  • Implement OSPF route summarization at ABR and ASBR boundaries to reduce routing table entries and improve convergence times across a hierarchical area design.
  • Analyze OSPF neighbor adjacency formation, LSA types (1-5, 7), and SPF calculation behavior to diagnose routing anomalies in complex multi-area topologies.
  • Design an OSPF area hierarchy for a large enterprise campus, planning area boundaries, virtual links, and redistribution points to balance scalability with convergence performance.

EIGRP routing

  • Configure EIGRP named mode for IPv4 and IPv6 with authentication, stub routing, and route summarization to build a scalable hub-and-spoke enterprise routing domain.
  • Analyze EIGRP DUAL finite state machine behavior including feasibility conditions, successor and feasible successor selection, and active query scoping to diagnose convergence issues.

BGP routing

  • Configure eBGP peering between the enterprise edge and ISP routers, applying prefix lists, route maps, and AS-path filters to control inbound and outbound route advertisements.
  • Implement iBGP with route reflectors to distribute external prefixes within the enterprise autonomous system without requiring a full mesh of iBGP peerings.
  • Evaluate BGP path selection attributes including weight, local preference, AS-path length, MED, and origin to predict and influence traffic forwarding decisions across multiple ISP connections.
  • Design a BGP multihoming strategy for enterprise dual-ISP connectivity, planning local preference and MED manipulation to achieve primary/backup or load-sharing traffic patterns.

Route redistribution and filtering

  • Implement mutual route redistribution between OSPF and EIGRP with route maps and prefix lists to prevent routing loops and suboptimal path selection at redistribution boundaries.
  • Analyze route redistribution feedback loops and administrative distance conflicts to diagnose and resolve path oscillation in multi-protocol enterprise routing environments.

Wireless infrastructure

  • Configure wireless RF management features including dynamic channel assignment, transmit power control, and RRM to optimize coverage and minimize co-channel interference.
  • Implement wireless roaming mechanisms including intra-controller, inter-controller, and Layer 3 roaming to maintain client connectivity during AP transitions in multi-WLC deployments.
  • Assess wireless site survey data including signal strength heat maps, SNR measurements, and client density metrics to evaluate RF design adequacy and recommend adjustments.
  • Deploy AP modes including local, FlexConnect, bridge, and monitor to address diverse site connectivity requirements from headquarters to remote branch locations.

IP services

  • Configure enterprise DHCP services including relay agents, option 82, and DHCP snooping to provide dynamic address allocation with security hardening across VLAN segments.
  • Implement NAT and PAT configurations including static, dynamic, and policy-based NAT to translate addresses at enterprise network boundaries while maintaining application compatibility.
  • Configure NTP hierarchical architecture with authentication to synchronize time across all enterprise network devices for accurate logging, certificate validation, and protocol timing.
4 Domain 4: Network Assurance
3 topics

Monitoring and troubleshooting tools

  • Configure SNMPv2c and SNMPv3 with authentication and encryption on enterprise devices to enable centralized monitoring while protecting management plane data from interception.
  • Implement Flexible NetFlow to collect and export traffic flow records for bandwidth utilization analysis, application identification, and anomaly detection across enterprise segments.
  • Configure SPAN, RSPAN, and ERSPAN sessions to capture traffic for packet analysis, selecting appropriate source and destination parameters for local and remote monitoring scenarios.
  • Implement IP SLA probes including ICMP echo, UDP jitter, and HTTP operations to measure network performance metrics and trigger failover actions based on threshold violations.

Network assurance platforms

  • Apply Cisco DNA Center Assurance dashboards and issue correlation to identify, prioritize, and remediate network health degradations across wired and wireless infrastructure.
  • Evaluate streaming telemetry with model-driven subscriptions using gRPC and YANG models as a replacement for SNMP polling to achieve near-real-time network state visibility.
  • Analyze syslog severity levels, structured logging formats, and centralized log aggregation architectures to assess enterprise event correlation and root cause analysis capabilities.

Assurance strategy

  • Design a comprehensive network assurance strategy integrating SNMP, NetFlow, syslog, IP SLA, and streaming telemetry to provide layered visibility from device health to application performance.
5 Domain 5: Security
3 topics

Network access control

  • Implement Cisco ISE for 802.1X wired and wireless authentication using RADIUS, configuring authentication policies, authorization profiles, and posture assessment.
  • Configure TrustSec with Scalable Group Tags to enforce identity-based micro-segmentation policies across the enterprise fabric without relying on IP-based access control lists.
  • Evaluate the effectiveness of MAB, WebAuth, and 802.1X authentication methods to recommend a phased network access control deployment for environments with diverse endpoint types.

Infrastructure security

  • Implement Layer 2 security features including DHCP snooping, Dynamic ARP Inspection, and IP Source Guard to protect the access layer from spoofing and man-in-the-middle attacks.
  • Configure MACsec encryption on switch-to-switch and host-to-switch links using Cisco SAP and MKA to protect enterprise LAN traffic from eavesdropping at the data link layer.
  • Apply control plane policing and management plane protection ACLs to harden enterprise routers and switches against denial-of-service attacks targeting the device CPU.
  • Configure wireless security using WPA3-Enterprise with 802.1X and EAP-TLS to provide certificate-based mutual authentication for enterprise wireless clients.

Security architecture

  • Design a zero-trust enterprise security architecture integrating ISE, TrustSec SGTs, MACsec, and NGFW to enforce least-privilege access from endpoint to application across campus and WAN.
6 Domain 6: Automation
4 topics

Network programmability protocols

  • Configure NETCONF sessions to retrieve and modify device configurations using YANG data models, executing get-config, edit-config, and commit operations on IOS-XE devices.
  • Implement RESTCONF API calls to read and write device configuration and operational data using HTTP methods mapped to YANG model paths on enterprise network infrastructure.
  • Compare NETCONF, RESTCONF, and legacy CLI/SNMP approaches to evaluate operational efficiency, transactional reliability, and integration complexity for enterprise automation workflows.

Configuration management and scripting

  • Implement Python scripts using Netmiko and Paramiko libraries to automate bulk configuration changes, show command collection, and compliance auditing across enterprise device fleets.
  • Apply Ansible playbooks with Cisco IOS and NX-OS modules to deploy standardized configurations, enforce desired state, and generate compliance reports across multi-vendor environments.
  • Evaluate configuration management tool tradeoffs between imperative scripting, declarative playbooks, and controller-based automation to recommend an enterprise automation strategy.

Cisco DNA Center automation

  • Apply Cisco DNA Center Intent APIs to programmatically discover devices, provision templates, and retrieve network health data through RESTful API calls with token-based authentication.
  • Design an end-to-end network automation workflow integrating DNA Center APIs, configuration templates, and CI/CD pipelines for infrastructure-as-code enterprise network management.

Data models and encoding

  • Analyze YANG data model structures including containers, lists, leaves, and augmentations to interpret Cisco-native and IETF standard models for device configuration and telemetry.
  • Compare JSON, XML, and YAML data encoding formats for network automation payloads to select appropriate serialization for RESTCONF, NETCONF, and Ansible integration points.

Scope

Included Topics

  • All domains in the Cisco CCNP Enterprise Core (ENCOR 350-401) exam: Architecture (15%), Virtualization (20%), Infrastructure (30%), Network Assurance (10%), Security (10%), and Automation (15%).
  • Enterprise architecture technologies including SD-WAN fabric design, SD-Access campus fabric, hierarchical network design, wired and wireless LAN design, and high availability concepts such as FHRP, SSO, and NSF/GR.
  • Virtualization technologies including VRF-Lite, GRE tunnels, IPsec VPN tunnels, LISP, VXLAN, and network virtualization concepts for segmentation and overlay networking.
  • Enterprise infrastructure protocols and services including OSPF v2/v3, EIGRP, BGP (eBGP and iBGP), STP/RSTP/MST, EtherChannel, wireless infrastructure (Cisco WLC, AP modes, RF management), and IP services (DHCP, DNS, NTP, NAT, FHRP).
  • Network assurance tools and techniques including SNMP v2c/v3, NetFlow/Flexible NetFlow, SPAN/RSPAN/ERSPAN, IP SLA, Cisco DNA Center Assurance, syslog, and streaming telemetry.
  • Enterprise security including next-generation firewalls, Cisco ISE for network access control, TrustSec with SGTs, MACsec, wireless security (WPA3, 802.1X), and AAA frameworks.
  • Network automation and programmability including RESTCONF, NETCONF, YANG models, Cisco DNA Center APIs, Python scripting for network management, configuration management tools, and model-driven telemetry.

Not Covered

  • Service provider specific technologies (MPLS L2VPN/L3VPN, segment routing, carrier ethernet) that are covered by the SPCOR exam rather than ENCOR.
  • Data center specific technologies (NX-OS, ACI, UCS, Fibre Channel) that are covered by the DCCOR exam rather than ENCOR.
  • Deep application-layer security analysis, malware reverse engineering, and SOC operations that fall under the SCOR exam rather than ENCOR.
  • Collaboration-specific protocols and infrastructure (CUCM, SIP trunking, video conferencing) covered by the CLCOR exam.
  • Vendor-specific pricing, licensing models, and rapidly changing commercial terms not tested on the exam.

Official Exam Page

Learn more at Cisco Systems

Visit

350-401 is coming soon

Adaptive learning that maps your knowledge and closes your gaps.

Create Free Account to Be Notified

Trademark Notice

Cisco®, CCNA®, CCNP®, CCIE®, and related marks are registered trademarks of Cisco Technology, Inc. Cisco does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.