Cisco

CCIE Enterprise

Cisco Certified Internetwork Expert Enterprise Infrastructure

Expert 350-401 ENCOR (written qualifier) + CCIE Enterprise Infrastructure Lab Content Available

The gold standard of enterprise networking expertise — prove mastery with an 8-hour hands-on lab.

Practice CCIE Enterprise Questions Study Notes Exam Topics
Exam Code
350-401 ENCOR (written qualifier) + CCIE Enterprise Infrastructure Lab
Duration
120 min (written) / 8 hours (lab)
Questions
90–110 (written) / Practical scenarios (lab)
Passing Score
825 / 1000 (written) / Variable cut score (lab)
Validity
3 years
Exam Cost
$400 USD (written) + $1,600 USD (lab)
Overview

About CCIE Enterprise

The Cisco CCIE Enterprise Infrastructure certification is the most prestigious expert-level networking credential in the industry. It requires passing the 350-401 ENCOR written exam followed by a gruelling 8-hour hands-on lab exam in which candidates configure, troubleshoot, and optimise complex enterprise network scenarios in real time. The CCIE lab exam tests deep knowledge of advanced routing (BGP, OSPF, EIGRP), MPLS/MPLS VPN, SD-WAN, complex QoS policies, network security (ISE, ZBFW, MACsec), advanced wireless, and network automation including EEM scripting, Python tools, and Ansible playbooks. CCIE holders are recognised globally as the top tier of network engineering talent. The certification is held by fewer than 1% of all Cisco-certified professionals and commands significant career and salary advantages. It is renewed every three years through continuing education or re-examination.

Prerequisites
CCNP Enterprise or equivalent expert-level experience Deep hands-on experience with Cisco IOS, IOS-XE, and IOS-XR Strong understanding of BGP, OSPF, MPLS, and SD-WAN technologies Familiarity with network automation tools (Python, Ansible, EEM) Typically 5–7 years of advanced networking experience recommended
Exam Domains

What you need to know

6 domains, 65 objectives. Click a domain to expand its topics.

🏗️
Architecture
Complex enterprise network designs, migration strategies, and Cisco SD-WAN vManage/vSmart/vEdge.
15%
  • Design complex enterprise network architectures with dual-stack IPv4/IPv6 support
  • Implement Cisco SD-WAN overlay fabric using vEdge/cEdge routers with OMP routing protocol
  • Configure vManage, vSmart (policy plane), vBond (orchestration), and vEdge (data plane) components
  • Implement SD-WAN policies including data policies, application-aware routing, and SLA profiles
  • Design and implement SD-WAN migration strategies from traditional MPLS/WAN to SD-WAN overlay
  • Configure SD-WAN security (IKEv2 tunnels, Umbrella integration, ZBF on vEdge)
  • Implement complex hierarchical QoS policies aligned to SD-WAN SLA requirements
  • Design highly available enterprise architectures (dual ISP, FHRP, BFD)
  • Configure SD-WAN direct internet access (DIA) and cloud-gateway deployments
  • Troubleshoot complex SD-WAN control plane issues (BFD sessions, OMP route advertisements)
☁️
Virtualization
DMVPN, FlexVPN, LISP, VXLAN, and advanced VRF-Lite implementations.
10%
  • Configure and verify DMVPN Phase 1 (hub-to-spoke), Phase 2 (spoke-to-spoke), and Phase 3 (hierarchical)
  • Configure and verify FlexVPN (IKEv2 smart defaults, virtual tunnel interfaces, AAA-based authorisation)
  • Implement DMVPN with NHRP, IPsec profiles, and routing protocol integration (EIGRP/OSPF/BGP)
  • Configure and verify LISP for host mobility and mapping system operation
  • Configure and verify VXLAN with BGP EVPN control plane for enterprise DC/campus fabric
  • Implement complex VRF-Lite topologies with route leaking and inter-VRF traffic control
  • Configure and verify GET VPN (GDOI group encryption) for private WAN encryption
  • Troubleshoot complex DMVPN and FlexVPN issues (NHRP registration, tunnel flapping)
  • Design multi-VRF topologies for customer segmentation and shared services
🔧
Infrastructure
Advanced OSPF, BGP (reflectors, confederations), MPLS/MPLS VPN, redistribution, and advanced wireless.
30%
  • Configure and verify advanced OSPF (all LSA types 1-7, NSSA, totally stubby, virtual links, sham links)
  • Configure and verify OSPF route summarisation, filtering (distribute-list, route-map, prefix-list), and authentication
  • Configure and verify advanced BGP (iBGP full mesh, route reflectors, confederations)
  • Configure and verify BGP path selection manipulation (weight, local preference, AS-path prepend, MED, communities)
  • Configure and verify BGP communities (standard, extended, large) and community-based policies
  • Configure and verify BGP policy (route-maps, prefix-lists, filter-lists) for inbound/outbound traffic engineering
  • Configure and verify MPLS LDP label distribution and MPLS forwarding (FIB, LFIB)
  • Configure and verify MPLS Layer 3 VPN (PE-CE routing, VPNv4 address family, RD/RT)
  • Configure and verify complex route redistribution with metric manipulation and loop prevention
  • Configure and verify advanced EIGRP (named mode, stub routing, summarisation, authentication, wide metrics)
  • Configure and verify advanced MST (instance mapping, IST, CST, CIST root election, port roles)
  • Troubleshoot complex BGP neighbour issues (open message errors, update failures, path selection problems)
  • Configure and verify advanced wireless (RF profiles, AP groups, flex groups, high-density design)
  • Configure and verify wireless security (WPA3, 802.11w PMF, WIDS/WIPS policies)
  • Implement QoS end-to-end including DSCP marking, queuing (LLQ, CBWFQ), and WRED
📊
Network Assurance
Complex NetFlow, IP SLA with tracking, EEM scripting, and advanced SNMP/telemetry.
10%
  • Configure and verify flexible NetFlow with custom flow records and IPFIX export
  • Configure and verify IP SLA with object tracking for failover automation
  • Write and verify EEM applets triggered by syslog, CLI, SNMP, and timer events
  • Write EEM TCL policies for advanced event correlation and automated remediation
  • Configure and verify SNMP v3 with authentication and encryption (authPriv mode)
  • Configure and verify streaming telemetry with gRPC and gNMI dial-out subscriptions
  • Troubleshoot complex NetFlow export issues (flow cache, exporter reachability)
  • Configure and verify Cisco DNA Center assurance policies and issues correlation
  • Implement IP SLA proactive threshold monitoring and reaction configurations
🔒
Security
Complex ACLs, CoPP, ZBFW with advanced policies, ISE integration, MACsec, and DNSSEC.
20%
  • Configure and verify complex IPv4/IPv6 ACLs including time-based ACLs and reflexive ACLs
  • Configure and verify Control Plane Policing (CoPP) with graduated rate limits per protocol
  • Configure and verify zone-based firewall (ZBFW) with advanced parameter maps and inspection policies
  • Configure and verify ZBFW with URL filtering, TCP normalization, and DNS guard
  • Configure and verify Cisco ISE integration for 802.1X with Change of Authorization (CoA)
  • Implement TrustSec including SGT assignment, SGACL enforcement, and SXP peering
  • Configure and verify MACsec with 802.1AE encryption on switch-to-switch uplinks
  • Describe DNSSEC concepts and the role of RRSIG, DNSKEY, and DS records
  • Configure and verify uRPF (Unicast Reverse Path Forwarding) for anti-spoofing
  • Implement BGPSEC and RPKI concepts for BGP route origin validation
  • Configure and verify AAA with TACACS+ for device administration and command authorisation
🤖
Automation
EEM applets, TCL scripting, complex Ansible playbooks, advanced NETCONF/RESTCONF, and custom Python tools.
15%
  • Write complex EEM applets using multiple event detectors and environment variables
  • Write EEM TCL scripts for multi-step automation and external tool integration
  • Write and execute Ansible playbooks targeting Cisco IOS/IOS-XE with ios_command, ios_config modules
  • Implement Ansible roles, handlers, and vault for modular enterprise automation
  • Configure and verify NETCONF sessions using subtree and XPath filtering with ncclient library
  • Configure and verify RESTCONF with YANG model-driven configuration (IOS-XE)
  • Write Python scripts using Netmiko for multi-device configuration management
  • Write Python scripts using NAPALM for multi-vendor network state retrieval and diffing
  • Describe YANG model structure (container, leaf, list, leaf-list) and OpenConfig vs Cisco native models
  • Interact with Cisco DNA Center APIs for device inventory, topology, and command runner
  • Implement GitOps workflows for network configuration management with git and CI/CD pipelines
Resources

Study & Practice

Practice CCIE Enterprise Questions Official Cisco CCIE Enterprise Page CCIE Enterprise Lab Exam Topics Cisco Learning Network — CCIE Community Official Cisco Certification Tracking Book your Official Cisco CCIE Lab Exam