CCNP Enterprise: Advanced Routing and Switching

You passed CCNP core (ENCOR) and now you're picking an elective — or maybe you're already studying both. Either way, CCNP Enterprise separates engineers who can configure things from engineers who understand why those configurations behave as they do. That distinction shows up constantly in the exam scenarios.

14 min

4 sections · 6 exam key points

ENCOR Pillars: Architecture, Virtualization, Infrastructure

ENCOR (350-401) tests breadth. Architecture questions ask about SD-WAN topologies, Cisco DNA Center workflows, and when to choose overlay versus underlay designs. Virtualization covers VRF-Lite (route leaking, import/export), NFV placement, and container networking basics. Infrastructure drills OSPF LSA types, BGP path attributes (weight, local-pref, MED, AS-path), EIGRP named mode, and IS-IS. The exam loves multi-protocol redistribution scenarios with unexpected metric and administrative distance interactions. A redistributed OSPF route re-entering the domain via another redistribution point is a classic trick question — know how route tags prevent loops.

SD-WAN: vManage, vSmart, vBond, vEdge

Cisco SD-WAN architecture has four planes. The orchestration plane (vBond) authenticates edges and brokers initial connections. The management plane (vManage) is the GUI/API you use for templates and policy pushes. The control plane (vSmart) distributes OMP routes and policy decisions. The data plane (vEdge/cEdge) forwards actual traffic using BFD to maintain tunnel health. OMP (Overlay Management Protocol) is the SD-WAN routing protocol — it carries prefixes, service routes, and TLOCs (Transport Locators). Understand how data policies (traffic engineering) differ from control policies (route filtering). AppQoE, DPI, and per-application SLAs are high-value exam topics.

Advanced OSPF and BGP

OSPF stub area types: stub (no external LSAs, default route injected), totally stubby (no external or inter-area LSAs, Cisco proprietary), NSSA (allows type-7 LSAs from local ASBR, translated to type-5 at ABR), totally NSSA. Know which LSA types each area blocks and why. BGP communities are frequently tested. Well-known mandatory (AS-path, next-hop, origin), well-known discretionary (local-pref, atomic-aggregate), and optional transitive (community, extended community) versus optional non-transitive (MED, originator-ID). Route reflectors: understand cluster-ID, originator-ID, and the rules that prevent loops when RRs peer with each other.

QoS, Security, and Automation

QoS models: IntServ (RSVP, per-flow, hard guarantees), DiffServ (per-class, scalable, what enterprises actually use). DSCP markings: EF (46, voice), CS3 (24, call signaling), AF41-43 (video), CS6/CS7 (routing/network control). MQC: class-map matches, policy-map actions (police, shape, queue), service-policy application. Automation: NETCONF (XML, RFC 6241), RESTCONF (HTTP/JSON or XML, RFC 8040), gRPC/gNMI for streaming telemetry. Yang models — know the difference between native Cisco models and OpenConfig. Python with netmiko versus ncclient versus requests for different protocols.

Key exam facts — 350-401 / 300-410

ENCOR (350-401) is the mandatory core; you choose one concentration elective (ENARSI 300-410 is most common)

SD-WAN control policy affects OMP route advertisements; data policy affects forwarding decisions at the edge

OSPF type-7 LSAs exist only in NSSA areas and are translated to type-5 by the ABR with the highest router-ID

BGP weight is Cisco-proprietary and local to the router; local-pref is shared within the AS

DSCP remarking at trust boundaries is a favourite scenario — know where markings should be set and reset

NETCONF uses SSH port 830 by default; RESTCONF uses HTTPS 443

Common exam traps

Totally stubby areas work the same across all vendors

Totally stubby areas are Cisco-proprietary — other vendors may not support them, which matters in mixed environments

MED is compared across all AS paths by default

MED is only compared between routes from the same AS unless always-compare-med is configured

SD-WAN vBond can be placed behind NAT like any other component

SD-WAN vBond must have a public IP; it cannot be behind NAT (unless NAT traversal is explicitly configured)