Exam weight: 15% | Labs: 5
1.1 Enterprise Network Design Principles
Three-Tier Architecture
- Access Layer: Connects end devices (users, phones, APs); enforces port security, 802.1X, QoS marking, and PoE
- Distribution Layer: Aggregates access switches; handles inter-VLAN routing, first-hop redundancy, ACL/QoS policy, and route summarization toward the core
- Core Layer: High-speed backbone between distribution blocks; optimized for fast, reliable packet forwarding with as little policy processing as possible
Two-Tier (Collapsed Core)
Merges the core and distribution layers into one tier; suited to small and medium campuses (a common rule of thumb is fewer than about 200 access switches); reduces cost and simplifies management, at the expense of the core's ability to scale independently of the distribution blocks.
Spine-Leaf (Fabric)
- Every leaf connects to every spine; leaves do not connect to each other and spines do not connect to each other (a Clos topology, not a full mesh)
- Any leaf reaches any other leaf through exactly one spine (leaf → spine → leaf), so the path length is the same for every pair of leaves
- Predictable latency; bandwidth scales by adding spines or uplinks and is non-blocking when the leaf-to-spine links are not oversubscribed
- No spanning-tree dependency: leaf-spine links are Layer 3 and all of them forward at once via ECMP routing
High Availability Features
- FHRPs (HSRP, VRRP, GLBP): Default-gateway redundancy behind a virtual IP; GLBP additionally load-shares across gateways. Authenticate the hello exchange, otherwise any host on the segment can announce a higher priority and take over the virtual IP
- SSO (Stateful Switchover): The standby supervisor keeps synchronized state so a switchover causes minimal disruption instead of a full reload; it is near-hitless, not strictly zero packet loss
- NSF/GR (Non-Stop Forwarding / Graceful Restart): The restarting router keeps forwarding from its FIB while NSF-aware peers retain its routes until the routing protocol reconverges
- BFD: Lightweight hello protocol that detects a failed neighbor in sub-second time, independently of the routing protocol's own (slower) timers
1.2 WLAN Deployment Design
Six Deployment Models
- Centralized: WLC in the data center or campus core; all AP traffic is tunneled to the WLC over CAPWAP
- Distributed: Several smaller WLCs placed at the distribution layer, each serving local APs, so user traffic stays within the building; FlexConnect local switching achieves the same effect with a single central WLC
- Autonomous/Controller-Less: Self-managed APs with standalone configuration; no WLC required; only practical for very small sites
- Controller-Based: Dedicated physical or virtual WLC (e.g., Catalyst 9800); the standard enterprise model
- Cloud-Managed: Meraki-style cloud-managed APs, or a virtual Catalyst 9800-CL WLC hosted in a public or private cloud (Catalyst Center manages WLCs; it is not itself a WLC)
- Remote Branch: FlexConnect APs that switch client traffic locally while managed by a central WLC across the WAN, or an Embedded Wireless Controller (EWC) running on a Catalyst 9100 AP; both keep the branch working through a WAN failure
CAPWAP Protocol
Uses UDP 5246 for the control channel (DTLS-encrypted by default) and UDP 5247 for the data channel (DTLS optional; without it, client traffic crosses the AP-to-WLC path in the clear). Firewalls between APs and the WLC must permit both ports.
Location Services
- RSSI Triangulation: ~10–15 metres accuracy
- FastLocate/AOA: ~1–3 metres
- BLE Beacon: ~2–5 metres
- Ultra-Wideband: <1 metre
- Minimum 3 APs must hear the client for RSSI-based location (trilateration from signal strength)
1.3 On-Premises vs Cloud Infrastructure
- On-Premises: Full organizational control; high CapEx; longer deployment
- Cloud: OpEx model; rapid elasticity; security is shared between provider and customer, with the split depending on the service model
Service Models
- IaaS: Customer manages OS, middleware, applications and data; provider manages compute, storage, network and virtualization
- PaaS: Customer manages applications and data; provider manages OS, runtime and middleware
- SaaS: Provider manages the whole stack; the customer remains responsible for its data, user identities and access configuration (no model moves identity and data responsibility to the provider)
1.4 Cisco SD-WAN Solution
Architecture Components
- vManage (Management): GUI, REST API, configuration templates and policy authoring; the single point of administration
- vBond (Orchestration): First point of contact for every device; authenticates controllers and edges by certificate, tells edges where vManage and vSmart are, and handles NAT traversal; needs a public (or 1:1 NAT) IP reachable over every transport
- vSmart (Control): Distributes routes, TLOCs and centralized policy to the edges over OMP, acting much like a BGP route reflector
- vEdge/cEdge (Data): WAN edge routers that build IPsec tunnels to each other across every transport (MPLS, Internet, LTE)
OMP (Overlay Management Protocol): The control-plane protocol, conceptually similar to BGP; carries OMP routes (prefixes), TLOC routes (transport locators) and service routes inside the authenticated DTLS (default) or TLS control connection between vSmart and each edge router.
1.5 Cisco SD-Access Solution
Architecture Layers
- Underlay: IP-routed Layer 3 foundation between fabric nodes; Catalyst Center LAN Automation provisions IS-IS, while OSPF is common in manually built underlays
- Overlay: LISP control plane (the fabric control-plane node acts as map server/map resolver); VXLAN-GPO data plane
- Management: Catalyst Center automates and assures the fabric (NETCONF/YANG and CLI toward the devices); ISE supplies the identity and SGT policy
LISP (Locator/ID Separation Protocol)
Separates the Endpoint Identifier (EID: the client's IP or MAC address) from the Routing Locator (RLOC: the loopback of the fabric edge node, i.e. the VXLAN tunnel endpoint, behind which the client sits). The fabric control-plane node holds the EID-to-RLOC mappings; edge nodes query it and cache the answers, so a client can roam to another edge node and keep its IP address while only the mapping changes.
VXLAN (Virtual Extensible LAN)
- MAC-in-UDP encapsulation on destination UDP port 4789: outer IP/UDP, an 8-byte VXLAN header, then the original Ethernet frame
- 24-bit VNI: about 16 million (2^24) segments versus 4,094 usable VLAN IDs
- SD-Access uses the VXLAN-GPO variant, which carries the 16-bit SGT in the VXLAN header alongside the VNI
Cisco TrustSec/SGT
Embeds the Scalable Group Tag that ISE assigns at authentication into the VXLAN-GPO header, so policy is enforced on group identity (SGACLs at the egress edge node) rather than on IP-address ACLs. The VNI provides macro-segmentation between virtual networks; the SGT provides micro-segmentation within one.
1.6 Hardware & Software Switching Mechanisms
| Table | Layer | Contents | Location |
|---|---|---|---|
| RIB | L3 | Best route per prefix, chosen across protocols by administrative distance | Software (RAM) |
| FIB | L3 | Mirror of the RIB pre-computed for forwarding (prefix → next hop / adjacency) | Hardware TCAM (software on CPU-based platforms) |
| Adjacency | L2/L3 | Next hop → Layer 2 rewrite information (MAC addresses, encapsulation) | Hardware |
| CAM | L2 | MAC → port mapping; exact (binary) match | Hardware ASIC |
| TCAM | L3/ACL/QoS | Ternary (0/1/don't-care) match for longest-prefix route lookups, ACLs and QoS classification | Hardware ASIC |
CEF (Cisco Express Forwarding): Default switching mechanism; pre-computes forwarding decisions into the FIB and adjacency table so the lookup and Layer 2 rewrite happen in hardware without per-packet CPU involvement. Packets CEF cannot handle (e.g., IP options, unresolved next-hop ARP) are punted to the CPU, which is why control-plane policing matters.
Hands-On Labs
Lab 1: HSRP Active/Standby Configuration
Configure two routers sharing HSRP group 10 with virtual IP 192.168.10.1; R1 active (priority 110), R2 standby (default priority 100). Enable preemption so R1 reclaims the active role after it recovers, and configure MD5 authentication through a key chain so a rogue device on the segment cannot take over the virtual IP. Verify with show standby brief.
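A worked configuration for Lab 1, added here as an example rather than taken from the page: both routers, the shared key chain, preemption on R1 and MD5 authentication on both. Interface names, addresses for R1/R2, the key-chain name and the key string are assumptions chosen for illustration.

```ios
! Added example for Lab 1 (not the page's own config). Interface names,
! router addresses, key-chain name and key string are assumptions.
!
! ---------- R1: intended active router (priority 110) ----------
key chain HSRP-KEYS
 key 1
  key-string Str0ngSharedSecret!
!
interface GigabitEthernet0/0
 description LAN segment 192.168.10.0/24
 ip address 192.168.10.2 255.255.255.0
 standby version 2
 standby 10 ip 192.168.10.1
 standby 10 priority 110
 ! preempt: reclaim the active role after recovery; the 30 s delay lets
 ! routing converge before R1 starts attracting traffic again
 standby 10 preempt delay minimum 30
 standby 10 authentication md5 key-chain HSRP-KEYS
 no shutdown
!
! ---------- R2: standby router (default priority 100) ----------
key chain HSRP-KEYS
 key 1
  key-string Str0ngSharedSecret!
!
interface GigabitEthernet0/0
 description LAN segment 192.168.10.0/24
 ip address 192.168.10.3 255.255.255.0
 standby version 2
 standby 10 ip 192.168.10.1
 standby 10 preempt
 standby 10 authentication md5 key-chain HSRP-KEYS
 no shutdown
!
! Verification on either router:
!   show standby brief
!   show standby GigabitEthernet0/0 10
!
! Security caveat: without the "standby 10 authentication md5" line, any host
! on the VLAN that sends HSRP hellos for group 10 with priority 255 is
! accepted and becomes active, hijacking the default gateway. With it, hellos
! whose MD5 digest does not verify are ignored.
```

Expect R1 to show state Active and R2 Standby; shut R1's interface and R2 takes over, then R1 preempts about 30 seconds after the interface returns.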
Lab 2: CEF Forwarding Table Verification
Pick one destination and follow it through the forwarding pipeline: the RIB (show ip route), the FIB (show ip cef, show ip cef <prefix> detail), the adjacency table (show adjacency detail) and the CAM table (show mac address-table) for the next hop's MAC address.
Lab 3: Three-Tier Campus Design
Build a multi-layer topology: access VLANs on the access switch, SVIs on the distribution switch for inter-VLAN routing, routed point-to-point links and OSPF between distribution and core. Keep OSPF adjacencies off user-facing SVIs (passive interfaces) and authenticate the ones on infrastructure links.
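A worked configuration for Lab 3, added as an example and not taken from the page: one access switch (ACCESS-1), one distribution switch (D1) and its core uplink (C1). VLAN IDs, addresses, interface names, area numbers and the key string are assumptions chosen for illustration.

```ios
! Added example for Lab 3 (not the page's own config). VLAN IDs, addresses,
! interface names, OSPF area and key string are assumptions.
!
! ---------- ACCESS-1: access switch ----------
vlan 10
 name USERS
vlan 20
 name VOICE
!
interface GigabitEthernet1/0/10
 description User port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 description Uplink to D1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! ---------- D1: distribution switch ----------
ip routing
vlan 10
 name USERS
vlan 20
 name VOICE
!
interface GigabitEthernet1/0/1
 description Downlink to ACCESS-1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! SVIs: the default gateways that perform inter-VLAN routing
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
!
! Routed point-to-point uplink to the core, OSPF authenticated with HMAC-SHA
key chain OSPF-KEYS
 key 1
  key-string An0therSharedSecret!
  cryptographic-algorithm hmac-sha-256
!
interface GigabitEthernet1/1/1
 description Uplink to C1
 no switchport
 ip address 10.0.0.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf authentication key-chain OSPF-KEYS
!
router ospf 1
 router-id 10.255.0.1
 passive-interface default
 no passive-interface GigabitEthernet1/1/1
 network 10.0.0.0 0.0.0.3 area 0
 network 10.1.10.0 0.0.0.255 area 0
 network 10.1.20.0 0.0.0.255 area 0
!
! ---------- C1: core switch ----------
ip routing
key chain OSPF-KEYS
 key 1
  key-string An0therSharedSecret!
  cryptographic-algorithm hmac-sha-256
!
interface GigabitEthernet1/1/1
 description Downlink to D1
 no switchport
 ip address 10.0.0.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf authentication key-chain OSPF-KEYS
!
router ospf 1
 router-id 10.255.0.254
 passive-interface default
 no passive-interface GigabitEthernet1/1/1
 network 10.0.0.0 0.0.0.3 area 0
!
! Verify: show ip ospf neighbor, show ip route ospf, show ip interface brief
! "passive-interface default" keeps hellos off the user SVIs, so a host in
! VLAN 10 cannot form an adjacency and inject routes; the key chain means a
! rogue speaker on the core link is rejected too.
```

C1 should learn 10.1.10.0/24 and 10.1.20.0/24 as OSPF routes, and a host in VLAN 10 should reach VLAN 20 through the Vlan10 SVI on D1.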
Lab 4: SD-WAN OMP Route Verification
Verify OMP peering (show sdwan omp summary, show sdwan omp peers), advertised routes (show sdwan omp routes), transport locators (show sdwan omp tlocs), tunnel and control-connection health (show sdwan bfd sessions, show sdwan control connections), and the centralized policy pushed from vSmart (show sdwan policy from-vsmart).
Lab 5: SD-Access LISP/VXLAN Fabric Verification
Confirm the LISP session to the control-plane node (show lisp session), local endpoint registrations (show lisp instance-id <id> ipv4 database), map-cache entries populated after a lookup (show lisp instance-id <id> ipv4 map-cache), VXLAN tunnel endpoints (show nve peers) and VNI-to-VRF mapping (show nve vni).
