How to Pass the CCNP ENCOR (350-401) Exam
Master the CCNP ENCOR exam with proven strategies and real CLI practice.
The Cisco CCNP ENCOR (350-401) exam is the core exam for the CCNP Enterprise certification. It covers a wide range of topics including Layer 2 and Layer 3 technologies, VPNs, wireless, automation, and security. With a passing score of 825 out of 1000 and 102 questions in 120 minutes, preparation requires both theoretical knowledge and hands-on CLI proficiency. This guide provides a step-by-step approach to mastering the exam, including real Cisco IOS commands, configuration snippets, and study tips from certified professionals.
Understand the Exam Blueprint and Domains
Start by reviewing the official Cisco exam blueprint. The ENCOR exam has six domains: Architecture (15%), Virtualization (10%), Infrastructure (30%), Network Assurance (10%), Security (20%), and Automation (15%). Focus on Infrastructure (OSPF, EIGRP, BGP, STP, VLANs) and Security (CoPP, ACLs, 802.1X). Use the Cisco Learning Network to download the latest exam topics.
Exam domains and weight:
- Architecture: 15%
- Virtualization: 10%
- Infrastructure: 30%
- Network Assurance: 10%
- Security: 20%
- Automation: 15%Print the blueprint and check off topics as you study. Spend extra time on Infrastructure and Security.
The blueprint is updated periodically. Always verify you have the latest version from Cisco.
Master OSPF Configuration and Troubleshooting
OSPF is a core topic. Practice configuring single-area and multi-area OSPF, including passive interfaces, authentication, and route summarization. Use real Cisco IOS commands in a lab environment (e.g., EVE-NG or Packet Tracer). Understand show commands like 'show ip ospf neighbor' and 'show ip route ospf'.
! Configure OSPF on a router
router ospf 1
router-id 1.1.1.1
network 10.0.0.0 0.255.255.255 area 0
passive-interface GigabitEthernet0/1
authentication message-digest
area 0 authentication message-digest
!
! Verify OSPF neighbors
show ip ospf neighbor
! Output example:
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/DR 00:00:35 10.0.12.2 GigabitEthernet0/0Use 'debug ip ospf events' sparingly in a lab to understand OSPF adjacency formation.
Never enable OSPF debugging on a production router — it can spike CPU usage.
Configure EIGRP with Named Mode
EIGRP named mode is the modern way to configure EIGRP. Practice setting up EIGRP for IPv4 and IPv6, using named configurations, and verifying with 'show eigrp neighbors'. Understand metrics, feasible successors, and route summarization.
! Configure EIGRP named mode
router eigrp TEST
address-family ipv4 unicast autonomous-system 100
network 192.168.1.0 0.0.0.255
network 10.0.0.0 0.255.255.255
eigrp router-id 3.3.3.3
metric weights 0 1 0 1 0 0
!
! Verify EIGRP neighbors
show eigrp neighbors
! Output example:
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.0.12.2 Gi0/0 13 00:12:34 12 200 0 45Named mode is preferred in the exam. Practice converting classic EIGRP to named mode.
EIGRP is being phased out in some networks; focus on OSPF and BGP as primary IGP.
Implement BGP for Enterprise Connectivity
BGP is essential for CCNP. Configure eBGP between autonomous systems, set up iBGP with a route reflector, and manipulate path selection using AS-path prepending and MED. Use 'show bgp summary' and 'show bgp neighbors' for verification.
! Configure eBGP on router R1
router bgp 65001
bgp router-id 1.1.1.1
neighbor 10.0.12.2 remote-as 65002
neighbor 10.0.12.2 password Cisco123
!
! Configure iBGP with route reflector
router bgp 65001
neighbor 10.0.1.2 remote-as 65001
neighbor 10.0.1.2 route-reflector-client
!
! Verify BGP summary
show bgp summary
! Output example:
BGP router identifier 1.1.1.1, local AS number 65001
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.0.12.2 4 65002 1234 1235 5 0 0 00:34:12 3Memorize BGP states (Idle, Connect, Active, OpenSent, OpenConfirm, Established) for troubleshooting questions.
BGP timers (keepalive 60, hold 180) are default. Changing them can cause instability.
Secure the Network with CoPP and ACLs
Security is 20% of the exam. Practice configuring Control Plane Policing (CoPP) to protect the router CPU, and extended ACLs to filter traffic. Understand 802.1X for port-based authentication and how to configure a RADIUS server.
! Configure CoPP
access-list 100 permit udp any any eq 123
access-list 100 deny ip any any
!
class-map match-all COPP-CLASS
match access-group 100
!
policy-map COPP-POLICY
class COPP-CLASS
police 100000 15000 conform-action transmit exceed-action drop
!
control-plane
service-policy input COPP-POLICY
!
! Configure extended ACL
ip access-list extended BLOCK_SSH
deny tcp any host 192.168.1.1 eq 22
permit ip any any
!
interface GigabitEthernet0/0
ip access-group BLOCK_SSH inUse 'show policy-map control-plane' to verify CoPP counters.
CoPP can lock you out if misconfigured. Always test in a lab first.
Automate with REST API and Python Scripts
Automation is 15% of the exam. Learn to interact with Cisco devices using RESTCONF and NETCONF. Write simple Python scripts using the requests library to retrieve interface statistics. Understand YANG models and how to use Postman for API calls.
#!/usr/bin/env python3
import requests
import json
url = "https://10.0.0.1/restconf/data/ietf-interfaces:interfaces"
headers = {
"Accept": "application/yang-data+json",
"Content-Type": "application/yang-data+json"
}
auth = ("admin", "password")
response = requests.get(url, headers=headers, auth=auth, verify=False)
print(json.dumps(response.json(), indent=2))Use Cisco DevNet sandboxes for free API practice. They have pre-configured devices.
Disable SSL verification only in lab environments. In production, use proper certificates.
Practice with Realistic Mock Exams and Labs
Simulate the exam environment using Boson ExSim or Cisco's official practice exams. Aim for 85%+ on each domain. Use EVE-NG or GNS3 to build complex topologies with OSPF, BGP, and MPLS. Time yourself: 120 minutes for 102 questions means about 70 seconds per question.
Sample mock exam schedule:
- Week 1-2: Domain 1-2 (Architecture, Virtualization)
- Week 3-4: Domain 3 (Infrastructure)
- Week 5: Domain 4-5 (Assurance, Security)
- Week 6: Domain 6 (Automation)
- Week 7: Full-length mock exams
- Week 8: Review weak areasJoin the r/ccnp subreddit for free study groups and recent exam feedback.
Avoid brain dumps — Cisco actively tracks and bans candidates using them.
Key tips
Use the Cisco Learning Network's free study groups and webinars — they often cover tricky exam topics.
Lab every protocol at least three times: once following a guide, once from memory, and once troubleshooting a broken config.
Focus on understanding 'show' commands and their output — many exam questions are based on interpreting CLI output.
For automation, practice with DevNet sandboxes daily for at least 30 minutes. RESTCONF and NETCONF are heavily tested.
Create a cheat sheet of key commands (e.g., 'show ip ospf neighbor', 'show bgp summary') and review it during your commute.
Take the exam within 2-3 months of starting study to keep information fresh. Longer gaps lead to forgetting details.
Frequently asked questions
What is the passing score for the CCNP ENCOR 350-401 exam?
The passing score is 825 out of 1000. The exam has 102 questions (mostly multiple-choice, some drag-and-drop and simlets) and you have 120 minutes. Cisco does not publish the exact number of questions per domain, but the blueprint weights are reliable.
Do I need to pass the CCNA before attempting CCNP ENCOR?
No, Cisco removed the formal prerequisite. However, CCNA-level knowledge (VLANs, STP, basic routing) is assumed. Most candidates find it very difficult without CCNA or equivalent experience. It's recommended to have at least 3-5 years of networking experience.
What lab equipment do I need for CCNP ENCOR?
You don't need physical routers. Use EVE-NG (free community edition) or Cisco Packet Tracer for basic labs. For advanced features like BGP and MPLS, EVE-NG with Cisco IOSv images is best. You can also use Cisco DevNet sandboxes for automation practice.
How long should I study for the ENCOR exam?
Most successful candidates study 8-12 weeks, dedicating 10-15 hours per week. This includes reading official guides (OCG), watching video courses (e.g., INE or CBT Nuggets), and labbing daily. Full-time students may complete it in 6 weeks.
Are there any free resources for CCNP ENCOR preparation?
Yes. Cisco Learning Network offers free study groups, webinars, and a community forum. YouTube channels like Keith Barker and David Bombal have free labs. Also, check the r/ccnp subreddit for shared notes and practice questions.
Related glossary terms
Cisco SD-Access
Cisco Software-Defined Access is a network architecture that uses a central controller to automate and secure user and device access across an enterprise network.
First Hop Redundancy Protocol
A First Hop Redundancy Protocol provides automatic backup for the default gateway router on a network so that devices keep working if the primary router fails.
GRE
GRE (Generic Routing Encapsulation) is a tunneling protocol that encapsulates packets inside other packets to transport them across incompatible networks.
Virtual Switch
A virtual switch is a software-based network switch that connects virtual machines within a hypervisor and forwards traffic between them and the physical network.
Fabric Fundamentals
Fabric Fundamentals is the set of core concepts behind a network fabric, where switches and routers form a single logical system that simplifies traffic forwarding and automation.
Underlay vs Overlay Network
An underlay network is the physical infrastructure that carries data, while an overlay network is a virtual network built on top of the underlay to provide additional services and segmentation.
Practice with real exam questions
Apply what you just learned with exam-style practice questions.