350-401 Implementing Cisco Enterprise Network Core Technologies (350-401 ENCOR) Question and Answers

Solution:

R30

show ip access-list

config t

ip access-list extended 120

5 permit eigrp any any

wr

R20

config t

ip access-list extended 100

permit tcp 192.168.25.0 0.0.0.255 any eq 23

class-map match-any TELNET

match access-group 100

policy-map CoPP

class TELNET

police 10000 conform-action transmit exceed-action drop

control-plane

service-policy input CoPP

wr

Solution:

R1

Config t

Flow exporter Export-NetFlowENCOR

destination 10.10.1.110

transport udp 2055

exit

flow moni Monitor-NetFlowENCOR

exit

ip sla 1

http gethttp://10.10.1.100

frequ 300

exit

ip sla schedule 1 life forever start-time now

wr

SW1

Config t

Monitor session 7 source interface e0/0

Monitor session 7 destination interface e1/1

End

Wr

Solution:

VERIFICATION: -

OR

Solution:

R2

R3

access-list-sec-rule, deny, ip, dst-any

The correct answer is B. Time-consuming configuration and maintenance .

In a traditional WAN architecture , configurations are typically performed manually on each device (router-by-router basis) . This leads to:

Increased operational overhead

Slower deployment times

Higher chances of configuration inconsistency

Difficult scalability

According to Cisco ENCOR (350-401) architecture principles, traditional WANs lack centralized orchestration, making configuration and maintenance time-consuming and complex .

In contrast, Cisco Catalyst SD-WAN introduces:

Centralized management and control (via vManage, vSmart, vBond)

Policy-based automation

Zero-touch provisioning (ZTP)

Simplified operations and faster deployment

Now, why the other options are incorrect:

A. Centralized reachability, security, and application policies → This is a defining feature of Cisco SD-WAN , not traditional WAN.

C. Low complexity and increased overall solution scale → SD-WAN is specifically designed to reduce complexity and improve scalability .

D. Operates over DTLS/TLS-authenticated and secured tunnels → Cisco SD-WAN uses secure control connections (DTLS/TLS) , which is not a characteristic of traditional WAN .

Final Concept (ENCOR Exam Focus):

Traditional WAN = Manual, complex, time-consuming

Cisco SD-WAN = Centralized, automated, scalable, secure

The correct answer is B. Template Editor.

Cisco Catalyst Center provides template-based automation to deploy configurations consistently across multiple devices.

The Template Editor is specifically used to:

Create reusable configuration templates

Use variables and parameters for different devices

Apply configurations to multiple devices with similar roles/settings

It supports Jinja2-based templates, enabling dynamic and scalable deployments.

This directly matches the requirement:

“build generic configurations that are able to be applied on devices with similar network settings”

A. Authentication Template This is not a primary Catalyst Center tool for building reusable configuration templates.

C. Application Policies Used for QoS and traffic policies, not for general configuration templating.

D. Command Runner Used to execute ad hoc CLI commands on devices, not to build reusable configurations.

Template Editor = Build reusable configs

Command Runner = Run one-time commands

Application Policies = Define traffic/QoS behavior

Automation in Catalyst Center = Template-based deployment

The correct answer is A. integrated IPS.

A traditional firewall provides:

Stateful inspection

Basic ACL filtering

NAT

Sometimes VPN services

A Next-Generation Firewall (NGFW) adds advanced capabilities such as:

Integrated Intrusion Prevention System (IPS)

Application awareness and control

Advanced malware protection

Integrated IPS (Intrusion Prevention System) is a defining feature of NGFWs.

It allows the firewall to:

Detect and block known and unknown threats

Perform deep packet inspection

Stop attacks in real time

This capability is not part of traditional firewalls, which only inspect traffic based on state and basic rules.

B. Stateful firewall policies This is a core feature of traditional firewalls, not unique to NGFWs.

C. SSL VPN VPN functionality exists in both traditional and next-generation firewalls.

D. NAT NAT is a basic firewall/network feature, not exclusive to NGFWs.

Remember the distinction:

Traditional Firewall → Stateful filtering, NAT, VPN

Next-Generation Firewall → Adds IPS + Application Awareness + Advanced Security

NGFW = Traditional Firewall + Advanced Threat Protection

The correct answer is C. The data plane is based on VXLAN.

In Cisco SD-Access, the fabric uses:

LISP for the control plane

VXLAN for the data plane

Cisco TrustSec / SGT-based policy for the policy plane

Cisco documentation explicitly states that SD-Access uses a LISP-based control plane and a VXLAN-based data plane.

VXLAN is the encapsulation technology used to transport user traffic across the SD-Access fabric overlay. This is why the data plane in Cisco SD-Access is based on VXLAN.

A. Dynamic routing is used to discover and provision border and edge switches. Dynamic routing may exist in the underlay, but it is not what “discovers and provisions” border and edge nodes in SD-Access. Provisioning is handled through Cisco DNA Center / Cisco Catalyst Center, not by dynamic routing itself.

B. The control plane is based on VXLAN. This is incorrect because the control plane in SD-Access is based on LISP, not VXLAN.

D. GRE is used as the policy plane. This is incorrect because the policy plane in SD-Access is based on TrustSec/SGT-based policy, not GRE.

ENCOR exam point:

Memorize this SD-Access mapping:

Control plane = LISP

Data plane = VXLAN

Policy plane = Cisco TrustSec / SGT

PROCEDURAL - CHEF

DECALRATIVE – PUPPET

SALTSTACK

The correct answer is C. A point-to-point Layer 3 underlay network with jumbo frames enabled .

In Cisco SD-Access , the fabric is built on top of an underlay network . Cisco documentation states that the SD-Access underlay uses a structured Layer 3 foundation and a Layer 3 routed access design , where the network elements establish IP connectivity through routing rather than relying on Layer 2 adjacency. Cisco Catalyst Center LAN automation documentation also describes the underlay links as point-to-point Layer 3 routed connections .

This makes Option C the best answer because it matches the recommended SD-Access design approach:

Point-to-point Layer 3 links in the underlay

Routed access instead of Layer 2 campus meshing

Jumbo frames enabled to accommodate encapsulation overhead commonly associated with fabric technologies such as VXLAN in software-defined fabrics, which is a standard design consideration in Cisco fabric deployments.

Why the other options are incorrect:

A. A fully meshed Layer 2 topology This is not the SD-Access design model. Cisco SD-Access is not based on a campus-wide Layer 2 mesh; instead, it uses a routed Layer 3 underlay.

B. A fully meshed Layer 3 topology SD-Access does require Layer 3 underlay connectivity, but not a fully meshed Layer 3 topology . Cisco recommends a structured routed access design , not an every-device-to-every-device full mesh.

D. A point-to-point Layer 2 network with LACP between devices for redundancy This contradicts the SD-Access underlay principle. The underlay should be Layer 3 point-to-point , not Layer 2 point-to-point.

ENCOR exam point:

For Cisco SD-Access, remember this core design rule:

Underlay = routed, point-to-point, Layer 3 foundation

Overlay = virtualized fabric services on top of that underlay

Solution:

R3

Int e0/1

Ip ospf priority 255

End

Copy run start

R2

Int e0/1

Ip ospf network point-to-point

End

Copy run start

R10

Int e0/0

Ip ospf network point-to-point

End

Copy run start

Solution:

R1

Config t

Int et0/0

Ip flow monitor Monitor-R1Flow input

Ip flow monitor Monitor-R1Flow output

Exit

Ip sla 1

Icmp-echo 10.12.1.2

Freq 300

Ip sla schedule 1 life foreve start-time now

Sw1

Config t

Monitor session 12 source vlan 12

Monitor session 12 destination interface et1/3

Solution:

R2

config t

username NetworkAdmin privilege 15 password CiscoENCOR

line vty 0 4

login local

transport input telnet rlogin

exec-timepit 20

Solution:

R22

config t

int tunn0

vrf forwarding FINANCE

ip add 10.11.22.2 255.255.255.0

tunn so e0/0

tunn dest 209.165.200.230

no shut

int et0/1

vrf forward FINANCE

ip add 10.22.22.1 255.255.255.252

no shut

ip route vrf FINANCE 10.10.111.0 255.255.255.0 tunn0

wr

Solution:

Copy run start

Verification:

OR

Solution:

Sw10

config t

no int po20

int et0/0

channel-group 20 mode active

no shut

spanning-tree vlan 20 pri 0

wr

Verification:-

Solution:

Solution on R1:

R1# copy run start

Verification:

OR

Solution:

R3

Config#int et0/1

config-if#ip ospf priority 255

wr

R20

clear ip ospf process

yes

R10

int et0/0

ip ospf priority 0

wr

R2

clear ip ospf process

yes

Solution:-

Copy run start

Solution:

R30

Config t

router ospf 100

router-id 10.0.1.30

int ran lo0 , e0/0-1

ip ospf 100 a 0

exit

int et0/2

ip ospf 100 a 50

exit

router ospf 30

area 50 range 10.10.0.0 255.255.192.0

area 50 range 10.50.0.0 255.255.192.0

end

wr

Solution:

R2

show ip access-list

config t

ip access-list extended 151

5 permit eigrp any any

wr

R3

config t

ip access-list extended 100

permit tcp 192.168.211.0 0.0.0.255 any eq 22

class-map match-any SSH

match access-group 100

policy-map CoPP

class SSH

police 8000 conform-action transmit exceed-action drop

control-plane

service-policy input CoPP

Solution:

router bgp 10

bgp router-id 10.1.1.111

no bgp defa ipv4-unicast

nei 209.165.200.226 remote-as 20

nei 209.165.202.130 remote-as 30

address-family ipv4

neigh 209.165.200.226 activate

neigh 209.165.202.130 activate

network 10.1.1.10 mask 255.255.255.255

network 209.165.201.10 mask 255.255.255.255

network 209.165.201.20 mask 255.255.255.255

wr

Solution:

Copy run start

Copy run start

Copy run start

Verification:-

OR

Solution:

R1

config

flow exporter Export-NetFlowENCOR

transport udp 2055

ip sla schedule 100 life forever start-time now

wr

Sw1

monitor session 11 source interface e0/2

monitor session 11 destination interface et1/1

wr

OR

Solution:

R30

Config t

router ospf 10

router-id 10.0.1.30

int ran lo0 , e0/0-1

ip ospf 10 a 0

exit

int et0/2

ip ospf 10 a 50

exit

router ospf 10

area 50 range 10.10.0.0 255.255.128.0

area 50 range 10.50.0.0 255.255.128.0

end

Solution:

Sw10

config t

no int po2

int et0/0

channel-group 2 mode active

no shut

spanning-tree vlan 10a pri 0

wr

Solution:

Copy run start

Verification:

OR

Solution:

R22

int tun0

vrf forwarding FINANCE

ip add 10.10.10.2 255.255.255.0

tunn source e0/0

tunnel dest 209.165.200.230

no shut

ip route vrf FINANCE 10.10.111.0 255.255.255.0 tunn0

int et0/1

vrf forwarding FINANCE

ip address 10.22.22.1 255.255.255.252

wr

Verification:-

Solution: -

Solution:

R1

en

Conf t

Router ospf 10

Router-id 10.x.x.x – lo0 address

Int range lo0, e0/0-1

Ip ospf 10 area 0

Exit

wr

R2

Router ospf 10

Area 10 range 10.1.0.0 255.255.0.0

exit

wr

R3

Router ospf 10

Area 10 range 10.2.0.0 255.255.0.0

Exit

Wr

OR

Solution:

R10

Copy run start

R20

Copy run start

Verification:

Sw10

Config t

no int po1

default int ran et0/0-2

int ran e0/0-2

switchport trunk encap dot1q

switchport mode trunk

channel-group 1 mode active

no shut

wr