CCNP ENCOR (350-401) – Updated Practice Exam Questions with Detailed Answers 2025
Welcome to our comprehensive guide for the Cisco Certified Network Professional (CCNP) Enterprise Core (ENCOR) exam 350-401. This updated collection includes the latest practice questions with detailed answers and explanations to help you prepare thoroughly before your final exam.
Overview of CCNP ENCOR 350-401
The CCNP ENCOR exam validates your skills in implementing, managing, and monitoring Cisco enterprise networks. This exam covers key technologies including switching, routing, security, network architecture, and more.
Practice Exam Questions Section 1: Network Architecture & Design
Question 1: VXLAN Architecture
Question: In a VXLAN network, what is the primary purpose of the VTEP (VXLAN Tunnel Endpoint)?
A. To encrypt VXLAN traffic
B. To encapsulate Layer 2 frames into Layer 3 UDP packets
C. To manage VLAN trunks
D. To perform MAC address filtering
Correct Answer: B
Explanation: A VTEP is responsible for encapsulating Ethernet frames into VXLAN packets (UDP port 4789) for transmission over Layer 3 networks. This allows Layer 2 connectivity across Layer 3 boundaries, creating scalable data center networks. VTEPs do not encrypt traffic by default, manage VLAN trunks directly, or perform MAC filtering.
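The encapsulation described above, as an added example (not from the original page): it wraps a constructed Ethernet frame in a VXLAN header and a UDP header addressed to port 4789, then reads the inner frame back the way any device on the underlay path could, since nothing is encrypted. The function names, the sample frame, the VNI 5001 and the source port are assumptions made for the illustration; the outer IP and Ethernet headers are left out.

```python
import struct

VXLAN_UDP_PORT = 4789   # destination port named in the explanation above
VXLAN_FLAG_I = 0x08     # "VNI present" flag in the first VXLAN header byte

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def encapsulate(inner_frame: bytes, vni: int, src_port: int) -> bytes:
    """Return UDP header + 8-byte VXLAN header + the original Ethernet frame."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI is a 24-bit value")
    vxlan = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)
    payload = vxlan + inner_frame
    # UDP: source port, destination port, length (header + payload), checksum 0
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(payload), 0)
    return udp + payload

def inspect_datagram(datagram: bytes) -> dict:
    """Fields readable by any device that sees the datagram in transit."""
    if len(datagram) < 8 + 8 + 14:
        raise ValueError("too short for UDP + VXLAN + Ethernet headers")
    _, dst_port, length, _ = struct.unpack("!HHHH", datagram[:8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not addressed to the VXLAN port")
    word0, word1 = struct.unpack("!II", datagram[8:16])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("VNI flag not set")
    inner = datagram[16:length]
    return {
        "dst_port": dst_port,
        "vni": word1 >> 8,
        "inner_dst_mac": mac(inner[0:6]),
        "inner_src_mac": mac(inner[6:12]),
        "inner_ethertype": struct.unpack("!H", inner[12:14])[0],
        "inner_payload": inner[14:],
    }

# Constructed sample frame: dst MAC, src MAC, EtherType 0x0800, payload bytes.
FRAME = bytes.fromhex("020000000002" "020000000001" "0800") + b"constructed payload"
DATAGRAM = encapsulate(FRAME, vni=5001, src_port=49152)

if __name__ == "__main__":
    print(inspect_datagram(DATAGRAM))
```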
Question 2: Routing Protocols
Question: Which OSPF component is responsible for preventing routing loops in OSPFv3?
A. Database descriptor packets
B. Link State Advertisement (LSA)
C. Sequence numbers and age field
D. Router ID
Correct Answer: C
Explanation: The sequence numbers and age field in Link State Advertisements (LSAs) prevent routing loops in OSPF. The sequence number increments with each new LSA, and the age field decrements to ensure old information is eventually discarded. This combination prevents older, potentially looping routes from being used.
Practice Exam Questions Section 2: Infrastructure Security
Question 3: Access Control Lists
Question: In a standard access control list (ACL), how many parameters are used to define matching criteria?
A. Only source IP address
B. Source and destination IP addresses
C. Source IP, destination IP, and protocol
D. Source IP, destination IP, protocol, and port numbers
Correct Answer: A
Explanation: Standard ACLs only filter based on the source IP address. Extended ACLs can filter on source IP, destination IP, protocol, and port numbers. Named ACLs, which can be either standard or extended, follow the same filtering rules as their respective types.
Question 4: AAA Implementation
Question: In a RADIUS configuration, which of the following statements is true about the RADIUS server response?
A. RADIUS uses TCP port 1812 for authentication
B. RADIUS uses UDP port 1812 for authentication responses
C. RADIUS uses TCP for all communication
D. RADIUS always encrypts the entire packet
Correct Answer: B
Explanation: RADIUS uses UDP (not TCP) for communication, specifically port 1812 for authentication responses (port 1813 for accounting). While the shared secret is used to encrypt the password field, RADIUS does not encrypt the entire packet by default. UDP provides faster, connectionless communication suitable for AAA services.
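What "the shared secret is used to encrypt the password field" means on the wire, as an added example (not from the original page): it builds an Access-Request following the RFC 2865 packet layout and User-Password hiding scheme, so the User-Name attribute travels in cleartext while only the password is masked with an MD5 keystream derived from the shared secret. The secret, authenticator, user name and password are constructed sample values, and the function names are assumptions.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD = 1, 2   # RFC 2865 attribute type numbers
ACCESS_REQUEST = 1                # RFC 2865 packet code

def xor_chain(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = result if hide else block   # the chain always runs over ciphertext
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    size = max(16, -(-len(password) // 16) * 16)   # pad with NULs to a 16-byte multiple
    return xor_chain(password.ljust(size, b"\x00"), secret, authenticator, True)

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")

def build_access_request(ident, authenticator, user, password, secret) -> bytes:
    attrs = b""
    hidden = hide_password(password, secret, authenticator)
    for attr_type, value in ((USER_NAME, user), (USER_PASSWORD, hidden)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    attrs, off = {}, 20                      # attributes follow the 20-byte header
    length = struct.unpack("!H", packet[2:4])[0]
    while off + 2 <= length:
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[off + 2:off + attr_len]
        off += attr_len
    return attrs

# Constructed sample values; a real client uses a random Request Authenticator.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
PACKET = build_access_request(7, AUTHENTICATOR, b"alice", b"correct horse battery", SECRET)
```

A capture of this packet shows `alice` in plain bytes, which is why RADIUS deployments that need confidentiality for the whole exchange add a protected transport around it.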
Practice Exam Questions Section 3: Network Management
Question 5: SNMP Operations
Question: What is the difference between SNMP GETNEXT and GETBULK operations?
A. GETBULK uses TCP while GETNEXT uses UDP
B. GETNEXT retrieves multiple objects sequentially, while GETBULK retrieves multiple objects in a single request
C. GETBULK retrieves multiple objects in a single request, while GETNEXT retrieves one object at a time
D. There is no functional difference
Correct Answer: C
Explanation: GETNEXT retrieves one object per request (the next object in the MIB), so bulk data retrieval requires multiple requests. GETBULK (introduced in SNMPv2c) retrieves multiple objects in a single request with a specified repetition count, reducing network traffic and improving efficiency.
Question 6: Syslog Configuration
Question: In Cisco syslog, which severity level represents debugging information?
A. Level 3 (Errors)
B. Level 4 (Warnings)
C. Level 6 (Informational)
D. Level 7 (Debugging)
Correct Answer: D
Explanation: Syslog severity levels range from 0 (Emergency) to 7 (Debugging). Level 7 is the highest-numbered severity level and includes detailed debugging information. Severity levels 0-3 represent critical issues, while levels 4-7 represent operational information, with level 7 being the most detailed.
Practice Exam Questions Section 4: Advanced Switching
Question 7: Spanning Tree Protocol
Question: In RSTP, what is the maximum age for a BPDU before it is discarded?
A. 10 seconds
B. 15 seconds
C. 20 seconds
D. 30 seconds
Correct Answer: C
Explanation: In RSTP (Rapid Spanning Tree Protocol), the maximum age for a BPDU is 20 seconds. This is significantly faster than the 20-second maximum age in STP, which is determined by the max age timer (default 20 seconds). If a switch does not receive a BPDU within this time, the port information is considered expired.
Question 8: VLAN Trunking
Question: Which encapsulation method is native to Cisco switches for VLAN trunking?
A. 802.1Q
B. ISL (Inter-Switch Link)
C. VTP (VLAN Trunking Protocol)
D. Both A and B are native
Correct Answer: B
Explanation: ISL (Inter-Switch Link) is Cisco’s proprietary VLAN trunking protocol and was the original native method on Cisco switches. Although 802.1Q is now the IEEE standard and more widely used, ISL remains Cisco’s native protocol. Most modern deployments use 802.1Q for inter-vendor compatibility.
Practice Exam Questions Section 5: Routing Protocols & Services
Question 9: BGP Path Selection
Question: In BGP, what is the first criterion used in the BGP path selection algorithm?
A. AS Path length
B. Neighbor IP address
C. Preferred value (weight)
D. Local preference
Correct Answer: C
Explanation: BGP uses a specific preference order: 1) Weight (Cisco-specific, locally significant), 2) Local Preference (organizational preference), 3) Locally originated paths, 4) AS Path length, 5) Origin code, 6) MED, 7) eBGP over iBGP, 8) IGP metric to next hop, 9) Stability (older routes preferred), 10) Router ID. Weight is the first criterion and is only locally significant on a Cisco device.
Question 10: EIGRP Metrics
Question: Which components are used in the default EIGRP metric calculation?
A. Bandwidth and Delay
B. Bandwidth, Delay, and Reliability
C. Bandwidth, Delay, Reliability, and Load
D. All of the above including Hop Count
Correct Answer: C
Explanation: The default EIGRP metric calculation uses bandwidth, delay, reliability, and load. The formula is: Metric = [K1 × Bandwidth + (K2 × Bandwidth) / (256 – Load) + K3 × Delay] × (K5 / (K4 + Reliability)). By default, K1=1, K3=1, and K2=K4=K5=0, so only bandwidth and delay are used. However, all four components are configurable and can affect the calculation.
Practice Exam Questions Section 6: Security & Threat Mitigation
Question 11: IPSec Protocols
Question: What is the primary difference between AH (Authentication Header) and ESP (Encapsulating Security Payload) in IPSec?
A. AH provides encryption while ESP provides authentication
B. AH provides authentication only, while ESP can provide authentication and encryption
C. AH is used for tunnel mode only
D. ESP is deprecated in modern IPSec implementations
Correct Answer: B
Explanation: AH (Authentication Header) provides authentication and integrity checking but no encryption. ESP (Encapsulating Security Payload) can provide confidentiality (encryption), authentication, and integrity checking. In most modern implementations, ESP is preferred because it can do both encryption and authentication, while AH alone cannot encrypt.
Question 12: Threat Defense
Question: Which Cisco security appliance is designed specifically for next-generation firewall capabilities including application visibility and control?
A. Cisco ASA
B. Cisco Firepower
C. Cisco ISR
D. Cisco Cat 6800
Correct Answer: B
Explanation: Cisco Firepower is designed as a next-generation firewall (NGFW) platform providing advanced threat defense, application visibility and control, intrusion prevention, and threat intelligence integration. The ASA provides traditional firewall services, ISR is an integrated services router, and Cat 6800 is a campus access switch.
Key Topics Covered in This Practice Set
- Network Architecture: VXLAN, SD-WAN fundamentals, network virtualization
- Routing: OSPF, EIGRP, BGP, routing protocol selection
- Switching: VLAN configuration, Spanning Tree Protocol, trunking
- Security: ACLs, AAA services, IPSec, threat defense, security best practices
- Management: SNMP, Syslog, NetFlow, configuration management
Study Tips for CCNP ENCOR Exam Success
- Review practice questions regularly: Repeat these questions multiple times until you can answer them without hesitation
- Understand the “why”: Don’t just memorize answers; understand the underlying concepts and protocols
- Use network simulation labs: Cisco Packet Tracer and GNS3 are excellent for hands-on practice
- Focus on weak areas: Identify topics where you struggle and dedicate extra study time
- Review official Cisco documentation: Use the Cisco IOS and IOS XE command references
- Join study groups: Collaborate with other candidates preparing for the exam
- Take timed practice exams: Simulate real exam conditions to build time management skills
Additional Resources
For more comprehensive study materials, visit these recommended resources:
- CertPreps CCNP exam collection
- CertYIQ advanced practice questions
- Official Cisco Learning Network
- Cisco Learning Repository
Conclusion
Preparing for the CCNP ENCOR 350-401 exam requires dedication and comprehensive study of enterprise networking topics. This updated practice question set covers the latest exam objectives and real-world scenarios. Practice these questions regularly, understand the underlying concepts, and use hands-on lab experience to reinforce your learning.
Good luck with your CCNP ENCOR exam preparation! Remember, consistent practice and understanding are key to success.