5.0 Security
3 min read
ENCOR 350-401 v1.2
Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.
On this page
Security is 20% of ENCOR. Treat it like practical network engineering, not a vocabulary section. You need to know how to lock down the management plane, control who can reach infrastructure, protect the CPU, and explain the major design pieces that reduce risk in an enterprise network.
The exam language matters:
- Configure and verify means you should be comfortable with IOS XE-style configuration and show commands.
- Describe means you need clean mental models, use cases, and tradeoffs. You may not need to type the full config, but you should know where the technology fits and what problem it solves.
Topic map
| Topic | Article | What to be able to do |
|---|---|---|
| 5.1 | Device access control | Secure CLI access and understand AAA flow. |
| 5.1.a | Lines and local user authentication | Configure console/VTY login, SSH, local users, timeouts, and VTY restrictions. |
| 5.1.b | AAA authentication and authorization | Build local/TACACS+/RADIUS method lists and verify login/exec authorization behavior. |
| 5.2 | Infrastructure security features | Use ACLs and CoPP to protect forwarding and control planes. |
| 5.2.a | ACLs | Match traffic accurately, apply ACLs in the right direction, and verify counters. |
| 5.2.b | CoPP | Classify traffic to the route processor and police abusive control-plane traffic. |
| 5.3 | REST API security | Use HTTPS, authentication, authorization, tokens, certificate validation, and safe secret handling. |
| 5.4 | Network security design | Describe threat defense, endpoint security, NGFW, TrustSec, and MACsec. |
How to study this domain
Do not memorize random commands first. Start with the plane you are protecting:
- Management plane: who can log in, from where, and what they are allowed to do.
- Control plane: routing protocols, STP, ARP, ICMP, SNMP, SSH, and other traffic processed by the device CPU.
- Data plane: normal user/application traffic forwarded through the device.
- Policy plane: identity, segmentation, access control, inspection, and encryption decisions.
Then lab the pieces in this order:
- Lock down SSH and local access.
- Add AAA with local fallback.
- Apply an ACL and prove it with counters.
- Add a basic CoPP policy and prove it is hitting the intended class.
- Use a REST API securely with token handling and TLS verification.
- Explain where endpoint security, NGFW, TrustSec, and MACsec fit in the enterprise design.
Exam traps
login localuses the local username database.loginwith only a line password does not.- AAA method lists are tried in order, but failure handling is not the same as user rejection. Know the difference between server unavailable and authentication denied.
- ACL wildcard masks are not subnet masks.
- ACL direction is from the interface point of view: inbound means traffic entering the interface.
- CoPP protects the device CPU. It does not replace interface ACLs or firewall policy.
- REST API security is not just “use HTTPS.” Authentication, authorization, token scope, certificate validation, and secret handling all matter.
- TrustSec is identity-based segmentation. MACsec is Layer 2 encryption and integrity. They solve different problems.