Level 3: CCNP Enterprise — Syllabus, Labs & Tools

# Core Exam Syllabus — ENCOR 350-401

The six official ENCOR domains. Infrastructure is the monster at 30% — budget your time accordingly.

My CCNP progress0 / 0

1. Architecture 15%

Enterprise design principles: 2/3-tier, fabric, cloud/hybrid; high availability (redundancy, FHRP, SSO)

Wireless design: WLC deployment models, AP density, roaming (L2/L3), location services

Cisco SD-WAN: control vs data plane components (vManage, vSmart, vBond, cEdge) Real world: SD-WAN is the default way enterprises now connect branches — huge interview topic.

Cisco SD-Access: control/data plane, fabric, LISP, VXLAN, traditional campus interoperation

QoS architecture: wired/wireless QoS, components and policy

Hardware vs software switching: CEF, CAM/TCAM, FIB vs RIB

2. Virtualization 10%

Device virtualization: hypervisor types, VMs, virtual switching

Data path virtualization: VRF, GRE and IPsec tunneling Real world: VRFs keep customers separated on shared infrastructure — every service provider and many enterprises use them.

Network virtualization concepts: LISP and VXLAN

3. Infrastructure 30%

Layer 2: 802.1Q trunking, EtherChannel, RSTP/MST tuning

OSPF advanced: multi-area, network types, summarization, filtering, virtual links Real world: multi-area OSPF design is the backbone of large campus networks.

eBGP: peering, path selection basics, configure/verify neighbors Real world: BGP runs the internet. Cloud peering, ISP links, multihoming — all BGP.

EIGRP: configure/verify, compare to OSPF

Wireless: RF principles (RSSI, SNR, interference), AP join process, WLC HA, troubleshooting clients

IP services: NTP/PTP, NAT/PAT, FHRP (HSRP/VRRP/GLBP), multicast basics (IGMP, PIM)

4. Network Assurance 10%

Diagnose issues with debugs, conditional debugs, ping/traceroute variations

SPAN/RSPAN/ERSPAN port mirroring for traffic analysis

NetFlow / Flexible NetFlow for visibility Real world: "what's eating the WAN link?" — NetFlow answers it in minutes.

IP SLA and syslog for proactive monitoring

Cisco DNA Center / Catalyst Center workflows for assurance and management

5. Security 20%

Device access control: lines, password protection, AAA (TACACS+/RADIUS)

Infrastructure security: ACLs, CoPP (Control Plane Policing)

REST API security: tokens, certificates

Wireless security: EAP, WebAuth, PSK, 802.1X Real world: 802.1X (NAC) rollouts are major enterprise projects you can lead with this knowledge.

Threat defense components: Cisco TrustSec, MACsec, network access control with 802.1X/MAB/WebAuth

6. Automation 10%

Python components and scripts: interpret and build basic device-interaction code

JSON, and constructing valid JSON payloads for APIs

YANG data models; NETCONF vs RESTCONF Real world: model-driven management is replacing CLI scraping across the industry.

APIs of DNA Center / Catalyst Center and vManage; interpret REST API responses

EEM applets; Ansible/Chef/Puppet for orchestration

# Pick One Concentration Exam

Core + any one of these = CCNP Enterprise. The Automation track is the demand magnet.

Exam	Track	Best for
300-435 ENAUTO ⭐	Automation (former DevNet)	The 25%-demand-spike track: Python, APIs (IOS-XE, DNA Center, SD-WAN), NETCONF/RESTCONF, Ansible. My pick.
300-410 ENARSI	Advanced Routing & Services	The classic deep-routing path (BGP, OSPF, EIGRP, VPN, MPLS basics). Best base if CCIE Enterprise is the goal.
300-415 ENSDWI	SD-WAN	Branch-connectivity specialists; very hot in large retail/banking.
300-420 ENSLD	Network Design	Pre-architect path; pairs well with the Level 5 goal.
300-425 / 300-430	Wireless Design / Implementation	Wi-Fi specialists (stadiums, hospitals, campuses).

# Hands-On Labs

CCNP labs outgrow Packet Tracer — this level moves to EVE-NG/CML with realistic multi-site topologies, plus the free Cisco DevNet sandboxes for automation.

LAB 01 — Multi-Area OSPF Enterprise Campus

8+ routers: backbone area 0, two branch areas, summarization at ABRs, a stub area, and route filtering. Then injure it: mismatched area types, missing virtual link — and repair.

Real-world case: A national company with HQ + regional offices — exactly how their routing is structured, including why summarization keeps routing tables sane.

EVE-NG / CMLCampus routing design

LAB 02 — BGP to Two ISPs (Multihoming)

Your edge AS peers with two simulated ISPs. Configure eBGP, influence outbound path with local-preference and inbound with AS-path prepending. Fail ISP-A and watch traffic shift.

Real-world case: Every serious business has two internet providers. Knowing how to steer traffic between them is one of the most valuable skills in networking.

EVE-NG / CMLISP multihoming

LAB 03 — VRF + GRE/IPsec: Two Tenants, One Network

Carry two isolated customer networks (VRFs) across shared routers, then connect sites over an encrypted GRE-over-IPsec tunnel across a simulated internet.

Real-world case: A managed service provider hosting two clients on shared hardware with contractual isolation — VRFs are the answer auditors accept.

EVE-NG / CMLMulti-tenant isolation

LAB 04 — NetFlow + IP SLA: Find the Bandwidth Hog

Enable Flexible NetFlow, export to a collector, generate mixed traffic, identify the top-talker. Add IP SLA probes that alert when latency to a "datacenter" exceeds threshold.

Real-world case: "The network is slow" at month-end close. NetFlow shows it's a backup job running at noon — you reschedule it and look like a hero.

EVE-NG + collectorPerformance forensics

LAB 05 — RESTCONF/NETCONF Against Real IOS-XE

Use the free DevNet always-on IOS-XE sandbox: retrieve interface config via RESTCONF (YANG model), modify a description via NETCONF from Python, verify on-box.

Real-world case: Modern network platforms (and your future employer's tooling) talk YANG models, not screen-scraped CLI.

DevNet SandboxPython + requests/ncclientModel-driven config

LAB 06 — Ansible Configuration Factory

Inventory of 10 lab devices. Playbooks that: deploy standard SNMP/NTP/syslog config, verify compliance, and roll back drift. Store everything in Git with meaningful commits.

Real-world case: Config drift across hundreds of devices causes outages and audit failures. "Network as code" teams exist in every Fortune 500 now.

Ansible + EVE-NGGitConfig compliance

LAB 07 — SD-WAN on the DevNet Sandbox

Use the reservable Cisco SD-WAN sandbox: explore vManage, build a policy, then pull device inventory and stats via the vManage REST API with Python.

Real-world case: A retailer replacing MPLS at 300 stores with SD-WAN — the single most common enterprise WAN project of the decade.

DevNet SD-WAN SandboxBranch transformation

LAB 08 — 802.1X Network Access Control

Configure 802.1X with a RADIUS server: a corporate laptop authenticates onto the staff VLAN, an unknown device lands in a quarantine VLAN via MAB fallback.

Real-world case: Zero-trust initiatives start at the switch port. NAC rollout experience is heavily requested in security-conscious industries.

EVE-NG + FreeRADIUS/ISEZero-trust access

# Tools & Simulators for This Level

EVE-NG (Community)

The CCNP workhorse — big topologies, multiple vendors, snapshots. Needs a decent PC (32 GB RAM recommended) or a cheap dedicated mini-PC.

Free

Cisco Modeling Labs (CML) Personal

Legal, current IOS-XE/NX-OS images straight from Cisco. Worth every dollar at this level.

Paid

Cisco DevNet Sandboxes

Free always-on and reservable labs: IOS-XE RESTCONF, DNA Center, SD-WAN. No hardware needed for the entire automation domain.

Free

Python + Netmiko / ncclient / requests

Your automation toolkit. Add pyATS/Genie for parsing — it's Cisco's own test framework.

Free

Ansible

cisco.ios collections for config management. Pairs with Git for the "network as code" workflow employers want.

Free

CBT Nuggets / INE / OCG books

Structured ENCOR video courses + the Official Cert Guide as reference. Boson ExSim again for practice exams.

Paid

Reality check: 6–12 months while working a CCNA-level job. The job experience and the cert reinforce each other — don't study this in a vacuum.

# Growth Check — After This Level

Skills I Now Own

Design multi-area OSPF and a dual-ISP BGP edge, steering traffic with local-preference and AS-path prepending.
Isolate tenants with VRFs and connect sites over GRE/IPsec tunnels.
Automate at scale: Ansible playbooks for compliance, RESTCONF/NETCONF with YANG models, all version-controlled in Git.
See the network: NetFlow, IP SLA and packet-level evidence instead of guesswork.

Self-Check Before the Exams

Can I recite the BGP path-selection order and predict which route wins in a given table?
Can I explain SD-WAN's control vs data plane (vManage, vSmart, vBond, OMP) on a whiteboard?
Can I write an Ansible playbook from a blank file, without copying an old one?
Given a broken 802.1X port, do I know the auth flow well enough to find where it fails?

My Next Growth Step

Go deep on my chosen concentration (Automation ⭐) — depth in one track beats shallow coverage of all five.
Automate one real, repetitive task in my daily work or home lab — applied learning sticks hardest.
Begin Phase 1 technology drilling for CCIE: one protocol at a time, to exhaustion.

Cisco Certified Network Professional (CCNP Enterprise)

# Core Exam Syllabus — ENCOR 350-401

# Pick One Concentration Exam

# Hands-On Labs

LAB 01 — Multi-Area OSPF Enterprise Campus

LAB 02 — BGP to Two ISPs (Multihoming)

LAB 03 — VRF + GRE/IPsec: Two Tenants, One Network

LAB 04 — NetFlow + IP SLA: Find the Bandwidth Hog

LAB 05 — RESTCONF/NETCONF Against Real IOS-XE

LAB 06 — Ansible Configuration Factory

LAB 07 — SD-WAN on the DevNet Sandbox

LAB 08 — 802.1X Network Access Control

# Tools & Simulators for This Level

EVE-NG (Community)

Cisco Modeling Labs (CML) Personal

Cisco DevNet Sandboxes

Python + Netmiko / ncclient / requests

Ansible

CBT Nuggets / INE / OCG books

# Growth Check — After This Level

Skills I Now Own

Self-Check Before the Exams

My Next Growth Step