What does the ENARSI 300-410 exam cover?
The CCNP Enterprise ENARSI (300-410) concentration exam covers advanced routing and services topics including EIGRP, OSPF, BGP, route redistribution, path control, VPN technologies, infrastructure security, and services. It is one of the concentration options for completing the CCNP Enterprise certification after passing the ENCOR core exam. The exam costs $300 USD and is 90 minutes long.
The Cisco CCNP Enterprise ENARSI 300-410 (Implementing Cisco Enterprise Advanced Routing and Services) is the routing and switching concentration exam for the CCNP Enterprise certification. It goes deep into the routing protocols and network services that senior network engineers manage daily in enterprise environments, focusing on advanced configuration, optimization, and troubleshooting.
ENARSI is the most popular CCNP Enterprise concentration because routing is a foundational skill for enterprise network engineers. Engineers who complete ENCOR + ENARSI demonstrate comprehensive enterprise networking expertise. The exam costs $300 USD and is 90 minutes long.
Exam Overview
| Detail | Information |
|---|---|
| Exam Code | 300-410 ENARSI |
| Full Name | Implementing Cisco Enterprise Advanced Routing and Services |
| Number of Questions | 55-65 |
| Time Limit | 90 minutes |
| Passing Score | ~825/1000 |
| Cost | $300 USD |
| Prerequisites | ENCOR 350-401 core exam must be passed |
| Certification | Completes CCNP Enterprise with ENCOR |
| Validity | 3 years |
The exam covers four domains:
- Layer 3 technologies (40%)
- VPN technologies (20%)
- Infrastructure security (20%)
- Infrastructure services (20%)
"ENARSI is a specialist exam. Every question is about advanced routing. The candidate who has built and troubleshot EIGRP, OSPF, and BGP in real environments will find the questions familiar. The candidate who has only studied from books will find that the configuration and troubleshooting scenarios expose gaps that reading alone cannot fill." -- CCNP routing specialist community
Domain 1: Layer 3 Technologies (40%)
EIGRP Advanced Operations
EIGRP Named Mode is the modern configuration style:
router eigrp ENTERPRISE
address-family ipv4 unicast autonomous-system 100
network 10.0.0.0 0.255.255.255
eigrp stub connected summary
af-interface GigabitEthernet0/0
authentication mode md5
authentication key-chain EIGRP-KEYS
topology base
redistribute ospf 1 metric 10000 100 255 1 1500
EIGRP route filtering with distribute lists and prefix lists controls which routes are advertised or accepted:
- Distribute lists reference ACLs or prefix lists
- Route maps provide more granular matching and modification
- Offset lists adjust EIGRP metric for specific routes
OSPF Advanced Operations
OSPF virtual links connect areas that cannot physically connect to Area 0, using another area as a transit. The virtual link command specifies the remote ABR's router ID and the transit area.
OSPF route filtering:
distribute-listwith ACL or prefix-list: Filters routes from being installed in the routing table (does not prevent LSA propagation)- Type 3 LSA filtering at ABRs: Filters summary LSAs from being sent into areas
- Type 5/Type 7 filtering at ASBRs: Filters external routes
OSPF path manipulation:
- Interface cost modification
- Reference bandwidth adjustment (
auto-cost reference-bandwidth) - Summarization at ABRs (
area X range) and ASBRs (summary-address)
BGP Advanced Configuration
BGP route reflectors solve the IBGP full-mesh requirement:
- Route reflectors re-advertise IBGP-learned routes to other IBGP peers (clients and non-clients)
- Cluster-ID: Prevents routing loops in route reflector clusters
- Originator-ID: Prevents loops by marking the originating router
BGP route filtering and path manipulation:
| Tool | What It Does | Scope |
|---|---|---|
| Prefix list | Match specific prefixes with ge/le operators | Most efficient prefix filtering |
| AS-path ACL | Filter based on AS-path regular expressions | Filter by origin or transit AS |
| Route map | Multi-attribute matching and modification | Most flexible; can set and match multiple attributes |
| Community strings | Tagging routes for downstream policy | Scalable policy propagation |
BGP communities:
- Standard communities: 32-bit value (AS:value format, e.g., 65001:200)
- Well-known communities: NO_EXPORT, NO_ADVERTISE, LOCAL_AS
- Extended communities: Used for MPLS VPN route targets
Route Redistribution
Route redistribution connects different routing domains:
router ospf 1
redistribute eigrp 100 subnets route-map EIGRP-TO-OSPF
route-map EIGRP-TO-OSPF permit 10
match ip address prefix-list EIGRP-PREFIXES
set metric 100
set metric-type type-1
Redistribution challenges:
- Suboptimal routing: Routes may take longer paths due to metric differences
- Routing loops: Bidirectional redistribution without proper filtering can cause routing loops
- Route tagging: Using route tags to identify redistributed routes and prevent re-redistribution
Domain 2: VPN Technologies (20%)
DMVPN (Dynamic Multipoint VPN)
DMVPN provides scalable site-to-site VPN with dynamic spoke-to-spoke tunnels:
- mGRE (multipoint GRE): Hub uses a single tunnel interface for all spoke connections
- NHRP (Next Hop Resolution Protocol): Protocol that enables spokes to discover each other's real IP addresses
- Phase 1: All traffic routes through hub
- Phase 2: Spokes can build direct tunnels after initial hub traversal
- Phase 3: Hierarchical DMVPN with summarization at hub for maximum scalability
IPsec Integration
DMVPN uses IPsec for encryption. The exam tests:
- IKEv2 vs. IKEv1 differences
- IPsec transform sets and profiles
- Crypto map vs. tunnel protection (tunnel protection is the modern approach for DMVPN)
Domain 3: Infrastructure Security (20%)
Control Plane Security
Control Plane Policing (CoPP) protects the router CPU from DoS attacks targeting management protocols:
class-map match-any CRITICAL
match access-group name BGP-PEERS
policy-map COPP-POLICY
class CRITICAL
police rate 64000 bps
class class-default
police rate 8000 bps
control-plane
service-policy input COPP-POLICY
uRPF (Unicast Reverse Path Forwarding) prevents IP spoofing:
- Strict mode: Source IP must be reachable via the interface it arrived on
- Loose mode: Source IP must exist in the routing table (any interface)
Management Plane Security
- SSH: Encrypted remote management (replace Telnet)
- SNMP v3: Authenticated and encrypted SNMP (replace v1/v2c)
- AAA with TACACS+: Centralized authentication, authorization, and accounting for device management
- Management VRF: Isolating management traffic in a dedicated VRF
Domain 4: Infrastructure Services (20%)
Network Address Translation
| NAT Type | Description | Use Case |
|---|---|---|
| Static NAT | One-to-one permanent mapping | Server requiring fixed public IP |
| Dynamic NAT | Pool of public IPs assigned dynamically | Multiple internal hosts needing internet |
| PAT/NAT Overload | Many-to-one using port numbers | Most enterprise internet connections |
| NAT64 | IPv6-to-IPv4 translation | Transitioning environments |
Quality of Service
Modular QoS CLI (MQC) is the Cisco standard for QoS configuration:
- Class maps: Define traffic classes using match criteria
- Policy maps: Define actions for each class
- Service policies: Apply policy maps to interfaces (in or out direction)
CBWFQ (Class-Based Weighted Fair Queuing) provides minimum bandwidth guarantees per class. LLQ (Low Latency Queuing) adds a strict priority queue for voice traffic.
First Hop Redundancy Protocols
HSRP (Hot Standby Router Protocol):
- Cisco-proprietary
- Virtual IP and virtual MAC
- Active router handles traffic; standby router monitors
- Preemption configuration determines whether a router takes active role when it recovers
VRRP (Virtual Router Redundancy Protocol):
- Industry-standard (RFC 5798)
- The router with the virtual IP as its real IP automatically becomes master
- Similar functionality to HSRP
GLBP (Gateway Load Balancing Protocol):
- Cisco-proprietary
- Unique: all routers can forward traffic simultaneously
- AVG (Active Virtual Gateway) assigns different virtual MACs to each AVF (Active Virtual Forwarder)
- Provides both redundancy and load balancing
Frequently Asked Questions
How does ENARSI differ from ENCOR for routing topics? ENCOR covers routing protocols at an advanced conceptual level, testing design decisions and troubleshooting methodology. ENARSI goes deeper into the specific configurations, filtering mechanisms, and protocol details. ENCOR tests the "what and why" of routing; ENARSI tests the "exactly how to configure and troubleshoot." Both require hands-on lab practice, but ENARSI demands even more time with specific commands and protocol behaviors.
What is the best lab topology for ENARSI preparation? A topology with at least four routers running EIGRP, OSPF, and BGP in different areas, connected through redistribution points, provides the most coverage. Adding a DMVPN hub-and-spoke overlay, route filtering scenarios, and infrastructure security configurations creates a comprehensive practice environment. Cisco Modeling Labs (CML) or EVE-NG with Cisco IOS-XE images are recommended platforms for building this topology.
Can ENARSI be used toward CCIE? Passing the CCNP Enterprise ENCOR core exam (350-401) satisfies the written exam requirement for CCIE Enterprise Infrastructure. Passing ENARSI is not a requirement for CCIE but represents complementary study that strengthens the routing knowledge tested in the CCIE lab exam. Many CCIE candidates pursue CCNP Enterprise (ENCOR + ENARSI) as part of their CCIE preparation path.
References
- Cisco. (2025). 300-410 ENARSI Exam Topics. https://learningnetwork.cisco.com/s/enarsi-exam-topics
- Teare, D., Vachon, B., & Graziani, R. (2023). CCNP Enterprise Advanced Routing ENARSI 300-410 Official Cert Guide. Cisco Press.
- Doyle, J., & Carroll, J. (2022). Routing TCP/IP, Volume 1 (3rd ed.). Cisco Press.
- Cisco. (2025). DMVPN Configuration Guide. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/
- Cisco. (2025). BGP Best Practices. https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/
- Cisco. (2025). Control Plane Policing Configuration Guide. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_plcshp/configuration/