Network asset management is the systematic process of tracking, documenting, and maintaining all hardware, software, and logical assets within a network infrastructure. For the N10-009 exam, this topic falls under Domain 3.0 Network Operations, Objective 3.1, and typically accounts for 5-10% of exam questions. This chapter covers the core components of asset management—inventory, configuration management, lifecycle tracking, and auditing—along with practical deployment scenarios and exam-focused traps. Mastering these concepts ensures you can effectively manage network resources and prepare for operations-related questions.
Think of an enterprise network as a large public library. The library's collection—books, journals, DVDs—represents network assets: routers, switches, firewalls, servers, IP addresses, software licenses, and cables. The library's catalog system (like an ILS) is your asset management database (e.g., an ITAM tool or CMDB). Each book has a unique barcode (asset tag) and a call number (configuration data). When a new book arrives, a librarian enters its details into the catalog—title, author, ISBN, location—just as a network engineer adds a new switch to the CMDB with its serial number, IP, firmware version, and rack location. When a patron borrows a book, the system records the check-out (asset assignment to a user or project). The librarian periodically does a shelf read—scanning every book to ensure the catalog matches reality—exactly as you perform an inventory audit using SNMP or LLDP to verify that all devices are present and configured correctly. If a book is missing, the catalog is updated to 'lost' (retired asset). Without this system, you'd have no idea which books you own, where they are, or who has them—chaos, just like a network with no asset management.
What is Network Asset Management?
Network asset management (ITAM for infrastructure) is the practice of identifying, cataloging, and controlling all physical and virtual assets that comprise a network. These assets include:
Hardware: Routers, switches, firewalls, access points, servers, load balancers, cabling, patch panels, power distribution units (PDUs), UPS units.
Software: Operating system images, firmware versions, licenses for network management tools, security software.
Logical assets: IP addresses (subnets, VLANs), DNS records, certificates, VPN tunnels, routing protocols, configuration files.
Virtual assets: Virtual switches, virtual routers, hypervisors, containers (e.g., Docker), SDN controllers.
The primary goal is to maintain an accurate, up-to-date repository of asset information to support operations, security, compliance, and financial planning. Without asset management, you cannot know what you have, where it is, how it is configured, or when it needs replacement.
Key Components
#### 1. Asset Inventory
An inventory is a list of all assets with unique identifiers. Each asset should have:
Asset tag: A unique alphanumeric identifier (e.g., TAG-001234). Often a barcode or RFID tag.
Serial number: Manufacturer-assigned unique ID.
Model and manufacturer: e.g., Cisco Catalyst 9300-24T.
Location: Physical (building, floor, rack, U position) or logical (subnet, VLAN).
Purchase date and warranty: For lifecycle management.
Assigned user or owner: The person or team responsible.
Status: Active, spare, retired, stolen, in repair.
Configuration data: Firmware version, OS version, management IP, role (e.g., core switch, access switch).
Inventories can be maintained in spreadsheets, but best practice uses a Configuration Management Database (CMDB) or IT Asset Management (ITAM) software. Examples: ServiceNow CMDB, SolarWinds Network Configuration Manager, RackTables, NetBox.
#### 2. Configuration Management
Configuration management tracks the exact configuration of each device, including:
Startup and running configurations.
Firmware and software versions.
License keys and feature sets.
Change history (who changed what and when).
Tools like RANCID, Oxidized, or SolarWinds NCM automatically back up configurations and compare them against a baseline. When a configuration change is made (e.g., adding a VLAN), the tool captures the diff and stores it. This allows rollback and audit.
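The baseline comparison described above, as an added example (not code from RANCID, Oxidized, or SolarWinds NCM): it diffs a running configuration against a stored baseline and flags any newly added SNMP community line, since community strings travel in cleartext. The hostname, VLANs, and configuration text are constructed sample data, and the function names are hypothetical.

```python
import difflib
import re

# SNMPv1/v2c community lines; the community string is sent in cleartext.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)", re.IGNORECASE)


def _lines(config):
    """Drop blank lines and IOS '!' separators, keep indentation."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip() not in ("", "!")]


def config_changes(baseline, running):
    """Return (added, removed) configuration lines relative to the baseline."""
    old, new = _lines(baseline), _lines(running)
    added, removed = [], []
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(old[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(new[j1:j2])
    return added, removed


def cleartext_communities(added):
    """Return community strings introduced by the change, for review."""
    found = []
    for line in added:
        match = COMMUNITY_RE.match(line.strip())
        if match:
            found.append(match.group(1))
    return found


# Constructed sample: the stored baseline and last night's backup.
BASELINE = """hostname access-sw-01
!
vlan 10
 name USERS
vlan 20
 name PRINTERS
!
snmp-server group NETOPS v3 priv
"""

RUNNING = """hostname access-sw-01
!
vlan 10
 name USERS
vlan 20
 name PRINTERS
vlan 30
 name VOICE
!
snmp-server group NETOPS v3 priv
snmp-server community public RO
"""

if __name__ == "__main__":
    added, removed = config_changes(BASELINE, RUNNING)
    print("added:", added)
    print("removed:", removed)
    print("cleartext SNMP communities to review:", cleartext_communities(added))
```
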
#### 3. Lifecycle Management
Assets pass through stages: procurement → deployment → operation → maintenance → retirement. Lifecycle management tracks each stage and ensures:
End-of-Life (EOL) and End-of-Support (EOS) dates: When the vendor stops selling or supporting the device. For example, Cisco switches typically have 5 years of support after EOL announcement. After EOS, no security patches are released, creating risk.
Depreciation: Accounting value over time (e.g., 3-5 year straight-line depreciation for network gear).
Refresh cycles: Planned replacement intervals (typical enterprise: 5-7 years for switches, 3-5 for firewalls).
#### 4. Auditing and Discovery
To keep the inventory accurate, you must periodically discover assets on the network. Methods:
SNMP polling: Query devices for sysDescr, sysObjectID, serial number. SNMPv2c community strings or SNMPv3 credentials required.
LLDP (Link Layer Discovery Protocol): Advertises device identity and capabilities to neighbors. Use show lldp neighbors detail on Cisco to see connected devices.
CDP (Cisco Discovery Protocol): Cisco proprietary, similar to LLDP.
Active scanning: Tools like Nmap or Nessus scan IP ranges to identify open ports and OS fingerprint.
Agent-based discovery: Install an agent on servers (e.g., for virtual assets).
Network scanning tools: SolarWinds Network Topology Mapper, Spiceworks, Lansweeper.
Auditing compares discovered assets against the CMDB. Discrepancies indicate rogue devices, misconfigurations, or unrecorded changes.
How Asset Management Interacts with Other Technologies
IP Address Management (IPAM): Integrates with asset management to track which IP is assigned to which device. For example, a switch's management IP is stored in both the CMDB and IPAM.
Change Management: When a change is approved (e.g., replacing a switch), the asset record is updated.
Security: Asset management feeds into vulnerability management. If a device is EOL and has known vulnerabilities, it must be patched or replaced. Rogue devices discovered during audit are security incidents.
Financial management: Accurate asset data enables cost allocation, lease tracking, and budget forecasting.
Standards and Best Practices
ITIL (Information Technology Infrastructure Library): Defines service asset and configuration management (SACM) processes. Key concepts: Configuration Item (CI), CMDB, baseline, release.
ISO/IEC 19770: Standard for IT asset management.
IEEE 802.1AB (LLDP) and Cisco CDP: For discovery.
RFC 1157 (SNMP): For reading device MIBs.
Common Challenges
Incomplete discovery: Devices behind firewalls, air-gapped systems, or using non-standard SNMP communities may be missed.
Stale data: Without regular auditing (quarterly at minimum), the CMDB becomes inaccurate.
Manual entry errors: Typos in serial numbers or locations propagate.
Shadow IT: Users deploying unauthorized devices (e.g., personal routers) that aren't in inventory.
Mergers and acquisitions: Integrating disparate asset databases from different organizations.
Exam Relevance
The N10-009 exam expects you to:
Identify the components of asset management: inventory, configuration, lifecycle, audit.
Understand the purpose of asset tags, serial numbers, and CMDB.
Know discovery protocols (LLDP, CDP, SNMP) and their role in asset discovery.
Recognize the consequences of poor asset management: security risks, compliance failures, unnecessary costs.
Apply lifecycle concepts: EOL, EOS, refresh cycles.
Configuration and Verification Commands
Cisco IOS - Viewing device information:
show version # Shows hardware and software version, serial number
show inventory # Shows PID, VID, SN for all modules
show lldp neighbors detail # Shows LLDP neighbors with device IDs
show cdp neighbors detail # Cisco CDP neighbor details
Linux/Network device - SNMP query:
snmpget -v2c -c public 192.168.1.1 1.3.6.1.2.1.1.1.0 # sysDescr
snmpget -v2c -c public 192.168.1.1 1.3.6.1.2.1.1.5.0 # sysName
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.47.1.1.1.1.11 # Entity MIB serial numbers
Nmap discovery scan:
nmap -sn 192.168.1.0/24 # Ping sweep to find live hosts
nmap -O 192.168.1.1 # OS detection
Summary of Key Values

| Parameter | Typical Value |
|-----------|---------------|
| Switch refresh cycle | 5-7 years |
| Firewall refresh cycle | 3-5 years |
| EOL to EOS gap | 1-2 years |
| Audit frequency | Quarterly |
| SNMPv2c community default | 'public' (insecure) |
| LLDP update interval | 30 seconds (default) |
| CDP update interval | 60 seconds (default) |

Understanding these values helps in planning and exam questions.
Define Asset Scope and Policy
Begin by determining which assets are in scope—hardware, software, logical, virtual. Document a policy that specifies what constitutes an asset, who is responsible for tracking, and the mandatory data fields (e.g., asset tag, serial number, location, owner). This policy aligns with ITIL SACM processes. For example, a policy might require that every network device with a management IP must be recorded in the CMDB within 24 hours of deployment. The scope also defines exclusions, like test lab devices with no production impact.
Initial Discovery and Inventory Collection
Perform a comprehensive discovery of all assets using tools like SNMP scans, LLDP/CDP neighbor tables, and network scanning (Nmap). For each discovered device, collect unique identifiers: serial number (from SNMP Entity MIB or 'show inventory'), model, firmware version, and management IP. Record physical location if known. For example, use SNMPv2c to poll sysDescr and sysObjectID from all active IPs. This step creates a baseline inventory. Expect incomplete results—devices on isolated VLANs or with SNMP disabled will need manual entry.
Populate CMDB with Asset Records
Enter each discovered asset into the Configuration Management Database (CMDB) with all required fields. Assign a unique asset tag if not already present (e.g., barcode sticker). Link the asset to related CIs (Configuration Items) such as the network segment, rack, and connected devices. For example, a switch's record should reference its upstream router and downstream access points. Use software like NetBox or ServiceNow. Ensure the CMDB is the single source of truth—no duplicate entries. Validate data integrity by cross-referencing serial numbers with purchase records.
Implement Automated Configuration Backups
Set up automated configuration backup tools (e.g., RANCID, Oxidized, or SolarWinds NCM) to capture device configurations daily or on change. These tools connect via SSH/Telnet, execute 'show running-config', and store the output in a version control system (e.g., Git). When a configuration changes, the tool detects the diff and logs it. This supports change management and rollback. For example, Oxidized uses a YAML file to define device lists and credentials. Backup frequency should align with change velocity—daily for stable networks, hourly for dynamic ones.
Conduct Regular Audits and Reconciliation
Schedule periodic audits (quarterly recommended) to verify that the CMDB matches the actual network. Use the same discovery methods as step 2 but compare results against CMDB records. Identify missing assets (not in CMDB), ghost assets (in CMDB but not found), and data mismatches (e.g., wrong serial number). For each discrepancy, investigate and update the CMDB. For example, if a switch's firmware version changed due to an upgrade, update the CMDB. Audits also detect rogue devices—unauthorized assets that pose security risks. Document audit findings and remediation actions.
Manage Lifecycle and Refresh Planning
Track each asset's lifecycle stage: procurement, deployment, operation, maintenance, retirement. Monitor vendor EOL/EOS announcements (e.g., Cisco EOL bulletins) and plan refresh cycles accordingly. For a switch approaching EOS, schedule replacement within the budget cycle. Update the CMDB with retirement date and disposal method (e.g., donate, recycle). This step ensures that aging, unsupported devices do not introduce security vulnerabilities. Also track software license expiration—renew before lapse to maintain support.
Integrate with Change and Incident Management
Link asset records to change management processes. When a change request (e.g., replace a failed switch) is approved, the asset record is updated to reflect the new hardware. Similarly, incidents (e.g., hardware failure) should trigger an asset status update to 'repair' or 'RMA'. Integration ensures that the CMDB reflects real-time status. For example, if a ticket is opened for a faulty switch, the CMDB record is automatically updated to 'down' and the replacement process begins. This prevents orphaned records and improves operational efficiency.
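The audit and reconciliation step above, as an added example (not code from NetBox, ServiceNow, or any tool named on this page): it parses `show inventory` output collected per management IP and sorts discrepancies into devices missing from the CMDB, ghost assets, and data mismatches. The CMDB field names, asset tags, serial numbers, and addresses are constructed sample data, and the function names are hypothetical.

```python
import re

# Two-line entry layout printed by Cisco IOS `show inventory`.
_ENTRY = re.compile(
    r'NAME:[ \t]*"(?P<name>[^"]*)"[ \t]*,[ \t]*DESCR:[ \t]*"(?P<descr>[^"]*)"\s*'
    r'PID:[ \t]*(?P<pid>[^\s,]*)[ \t]*,[ \t]*VID:[ \t]*(?P<vid>[^\s,]*)[ \t]*,'
    r'[ \t]*SN:[ \t]*(?P<sn>\S*)'
)


def parse_show_inventory(text):
    """Return one dict per inventory entry; the first entry is the chassis."""
    return [m.groupdict() for m in _ENTRY.finditer(text)]


def reconcile(cmdb, discovered):
    """Compare CMDB records with discovery results keyed by management IP."""
    findings = {"missing_from_cmdb": [], "ghost": [], "mismatch": []}
    by_ip = {rec["mgmt_ip"]: rec for rec in cmdb}
    for ip, entries in sorted(discovered.items()):
        rec = by_ip.get(ip)
        if rec is None:
            # On the network but unrecorded: possible rogue device.
            findings["missing_from_cmdb"].append(ip)
            continue
        if not entries:
            continue  # device responded but returned no parsable inventory
        chassis = entries[0]
        for field, seen in (("serial", chassis["sn"]), ("model", chassis["pid"])):
            if rec[field] != seen:
                findings["mismatch"].append((rec["asset_tag"], field, rec[field], seen))
    for rec in cmdb:
        # Only assets recorded as active are expected to answer discovery.
        if rec["status"] == "active" and rec["mgmt_ip"] not in discovered:
            findings["ghost"].append(rec["asset_tag"])
    return findings


# Constructed sample data: tags, serial numbers and addresses are made up.
SAMPLE_CMDB = [
    {"asset_tag": "TAG-001234", "mgmt_ip": "192.168.1.10", "status": "active",
     "serial": "FDO0000A001", "model": "WS-C3750X-24T-S"},
    {"asset_tag": "TAG-001235", "mgmt_ip": "192.168.1.11", "status": "active",
     "serial": "FCW0000B123", "model": "C9300-24T"},
    {"asset_tag": "TAG-001236", "mgmt_ip": "192.168.1.12", "status": "active",
     "serial": "FCW0000B456", "model": "C9300-24T"},
    {"asset_tag": "TAG-001237", "mgmt_ip": "192.168.1.13", "status": "retired",
     "serial": "FDO0000A002", "model": "WS-C3750X-24T-S"},
]

SAMPLE_DISCOVERY = {
    "192.168.1.10": 'NAME: "1", DESCR: "WS-C3750X-24"\n'
                    'PID: WS-C3750X-24T-S   , VID: V02  , SN: FDO0000A001\n',
    "192.168.1.11": 'NAME: "c93xx Stack", DESCR: "c93xx Stack"\n'
                    'PID: C9300-24T         , VID: V01  , SN: FCW0000B999\n\n'
                    'NAME: "Switch 1 - Power Supply A", DESCR: "Switch 1 - Power Supply A"\n'
                    'PID: PWR-C1-350WAC     , VID: V01  , SN: ART0000C001\n',
    "192.168.1.50": 'NAME: "1", DESCR: "WS-C2960-24TT-L"\n'
                    'PID: WS-C2960-24TT-L   , VID: V05  , SN: FOC0000D001\n',
}


def run_sample_audit():
    """Parse the sample outputs and reconcile them against the sample CMDB."""
    discovered = {ip: parse_show_inventory(out) for ip, out in SAMPLE_DISCOVERY.items()}
    return reconcile(SAMPLE_CMDB, discovered)


if __name__ == "__main__":
    for kind, items in run_sample_audit().items():
        print(kind, items)
```

The serial mismatch on TAG-001235 is the same situation as the unrecorded hardware swap in Scenario 2, and the retired record at 192.168.1.13 is not reported as a ghost because only active assets are expected to respond.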
Scenario 1: Enterprise Campus Network Refresh
A large university with 500+ switches and 200 access points needs to replace all end-of-life (EOL) Catalyst 3750 switches with new Catalyst 9300s. Without asset management, the team would have to physically inspect each closet to identify which switches are EOL. With a CMDB, they can query all switches where 'model' starts with 'WS-C3750' and 'status' is 'active'. This yields 150 switches. The CMDB also shows each switch's location (building, floor, rack), serial number, and warranty status. The team creates a project plan to replace them over summer break. During replacement, they update the CMDB with new serial numbers and 'status: active'. After the refresh, they run an audit using SNMP to confirm all new switches are correctly recorded. The audit reveals two switches that were not replaced because they were in a hidden closet—the CMDB now gets updated with accurate location data.
Scenario 2: Data Center Compliance Audit
A financial services company must comply with PCI DSS, which requires an accurate inventory of network devices. The internal audit team uses the CMDB to generate a list of all firewalls, switches, and routers. They then perform a physical audit: they visit each data center and scan barcode asset tags. Discrepancies arise: three switches are found with different serial numbers than in the CMDB because they were swapped during a maintenance window without updating records. The compliance violation triggers a change management review. The network team implements a policy that any hardware swap must be accompanied by a CMDB update within 4 hours. They also enable SNMP traps to automatically detect hardware changes (e.g., if a module is inserted or removed). The next audit passes.
Scenario 3: Cloud Hybrid Network Asset Tracking
A company uses AWS VPCs alongside on-premises equipment. They need a unified asset view. They use a tool like NetBox to define both physical devices (e.g., on-prem routers) and virtual devices (e.g., AWS EC2 instances functioning as NAT gateways). For cloud assets, they use APIs to pull instance IDs, IP addresses, and tags into NetBox. The CMDB now includes both domains. When an on-prem firewall fails, the incident management system automatically creates a ticket and updates the asset status to 'failed'. The replacement process is triggered, and the new firewall's serial number is entered into NetBox. The company runs monthly reconciliation scripts that compare NetBox against AWS inventory and on-prem SNMP scans. Discrepancies are flagged for review. This integration ensures that asset management covers the entire hybrid network, preventing blind spots.
Performance and Scale Considerations
For large networks (>10,000 devices), automated discovery must be rate-limited to avoid overwhelming devices or network links. Use SNMP polling with random jitter (e.g., ±5 minutes) to spread load.
CMDB databases must be indexed on serial number and IP address for fast queries.
Configuration backup storage grows quickly—a single switch config is ~10 KB, 10,000 devices at daily backups = 100 MB/day. Use compression and retention policies (e.g., keep 30 daily, 12 monthly).
Integration with change management requires APIs or webhooks. For example, ServiceNow CMDB can trigger a workflow when a CI is updated.
Common Misconfiguration Pitfalls
Not updating CMDB after changes: The most common failure. A switch replacement without record update leads to inaccurate data, causing audit failures and security risks.
Using shared SNMP community strings: 'public' allows anyone to read device info. Use SNMPv3 with authentication.
Ignoring software assets: Unlicensed software can lead to compliance issues. Track firmware version and license keys.
No automated discovery: Relying solely on manual entry guarantees stale data. Always automate discovery.
What Goes Wrong
Rogue devices: An employee plugs in a personal router, creating a security hole. Without asset management, it remains undetected until an audit or incident.
Unsupported hardware: A switch reaches EOS but is not replaced because no one knows it's EOS. A vulnerability is exploited.
Wasted budget: Over-ordering spare devices because the inventory shows fewer than actually exist.
Slow incident response: When a device fails, the team doesn't know its location or configuration, delaying recovery.
Proper asset management mitigates all these risks.
Exactly What N10-009 Tests
Objective 3.1 states: 'Given a scenario, implement network asset management processes.' The exam expects you to:
Identify the components of asset management: inventory, configuration management, lifecycle management, auditing.
Understand the role of asset tags, serial numbers, and CMDB.
Know the purpose of discovery protocols: LLDP (IEEE 802.1AB), CDP (Cisco proprietary), SNMP.
Recognize the consequences of poor asset management: security vulnerabilities, compliance failures, cost overruns.
Apply lifecycle concepts: EOL, EOS, refresh cycles (typical 5-7 years for switches, 3-5 for firewalls).
Interpret scenarios where asset management is missing or incomplete and choose the best remediation.
Common Wrong Answers and Why Candidates Choose Them
1. Wrong answer: 'Use a spreadsheet instead of a CMDB.' Why chosen: Spreadsheets are simple and free. But they lack version control, automation, and integration. The exam expects you to know that a CMDB is the correct tool for enterprise asset management.
2. Wrong answer: 'Asset management is only for hardware.' Why chosen: Many candidates think of physical devices only. The exam includes software licenses, IP addresses, and virtual assets. Always consider all asset types.
3. Wrong answer: 'Auditing is a one-time event during deployment.' Why chosen: Candidates confuse initial inventory with ongoing auditing. The exam stresses periodic audits (quarterly) to maintain accuracy.
4. Wrong answer: 'CDP and LLDP are interchangeable without difference.' Why chosen: Both provide neighbor discovery. But CDP is Cisco proprietary, LLDP is open standard. The exam may ask which protocol works in a multi-vendor environment—answer is LLDP.
5. Wrong answer: 'SNMPv2c is secure enough for asset discovery.' Why chosen: SNMPv2c is common and easy. But it sends community strings in cleartext. The exam expects SNMPv3 for secure discovery.
Specific Numbers and Terms That Appear on the Exam
Refresh cycles: 5-7 years for switches, 3-5 years for firewalls.
EOL vs EOS: EOL = last date to purchase; EOS = last date to receive support.
LLDP default timer: 30 seconds.
CDP default timer: 60 seconds.
SNMP MIB for serial numbers: Entity MIB (1.3.6.1.2.1.47.1.1.1.1.11).
Asset tag: Unique identifier, often barcode.
Edge Cases and Exceptions
Virtual assets: A hypervisor's virtual switch (vSwitch) is an asset but has no serial number. How do you track it? Use UUID or instance ID.
Cloud assets: AWS EC2 instances have instance IDs, but they are ephemeral. Asset management must handle dynamic IPs and auto-scaling groups.
Mergers: Two companies with different CMDBs must be reconciled. The exam may present a scenario where duplicate assets exist.
Rogue devices: A device not in CMDB but discovered via LLDP. The correct action is to investigate and add it to CMDB.
How to Eliminate Wrong Answers Using the Underlying Mechanism
If a question asks about keeping asset data accurate, look for 'periodic audit' or 'reconciliation'—not 'one-time scan'.
If the question involves multi-vendor environment, choose LLDP over CDP.
If security is a concern, choose SNMPv3 over v2c.
If the question is about tracking changes, choose 'configuration backup' or 'version control'.
If the question is about lifecycle, look for EOL/EOS dates and refresh planning.
By understanding the mechanism—asset management is a continuous process requiring automated discovery, secure protocols, and integration with change management—you can systematically eliminate distractors.
Network asset management includes inventory, configuration management, lifecycle management, and auditing.
The CMDB is the central repository for all asset information; it should be updated automatically via discovery.
LLDP (IEEE 802.1AB) is the open standard for neighbor discovery; CDP is Cisco proprietary.
SNMPv3 should be used for secure asset discovery; SNMPv2c sends community strings in cleartext.
Lifecycle management tracks EOL and EOS dates; typical refresh cycles are 5-7 years for switches, 3-5 for firewalls.
Periodic audits (quarterly) are essential to reconcile the CMDB with the actual network.
Configuration backups are part of asset management; tools like RANCID or Oxidized store configs in version control.
Asset management includes virtual and cloud assets, not just physical hardware.
Rogue devices discovered during audit must be investigated and added to the CMDB or removed.
Integration with change management ensures asset records are updated when devices are added, changed, or retired.
These come up on the exam all the time. Here's how to tell them apart.
LLDP (IEEE 802.1AB)
Open standard, works across vendors
Default timer: 30 seconds
Advertises system name, description, capabilities, and management IP
Can be used for asset discovery in any network
Supported on Cisco, Juniper, HP, and others
CDP (Cisco Discovery Protocol)
Cisco proprietary, only between Cisco devices
Default timer: 60 seconds
Advertises same information as LLDP plus native VLAN and duplex
Limited to Cisco-only networks for asset discovery
Enabled by default on Cisco IOS
Mistake
Asset management is just a list of devices in a spreadsheet.
Correct
A spreadsheet lacks automation, version control, and integration. Enterprise asset management uses a CMDB with automated discovery, configuration backups, and lifecycle tracking. Spreadsheets are only acceptable for very small networks (<50 devices).
Mistake
Configuration backups are not part of asset management.
Correct
Configuration management is a core component of asset management. Backups enable rollback, audit, and change tracking. Tools like RANCID or Oxidized store configurations in version control, linking them to the asset record.
Mistake
Once you create an inventory, you don't need to update it often.
Correct
Networks change constantly—new devices added, configurations modified, hardware replaced. Without periodic audits (quarterly), the inventory becomes stale and unreliable. Automated discovery and reconciliation are essential.
Mistake
CDP and LLDP are the same thing.
Correct
Both discover neighbors, but CDP is Cisco proprietary and LLDP is IEEE 802.1AB open standard. In a multi-vendor network, LLDP is required. CDP works only between Cisco devices. The exam tests this distinction.
Mistake
Asset management only applies to physical hardware.
Correct
Software licenses, IP addresses, virtual switches, and cloud instances are also assets. A complete asset management program includes all logical and virtual assets. The N10-009 exam includes these in scenarios.
EOL (End-of-Life) is the last date a product can be purchased from the vendor. EOS (End-of-Support) is the last date the vendor provides technical support, bug fixes, and security patches. After EOS, the device is considered unsupported and should be replaced to avoid security risks. For example, Cisco announces EOL and then typically 1-2 years later EOS. The exam expects you to know that EOL precedes EOS.
Use LLDP (IEEE 802.1AB) because it is an open standard supported by most vendors including Cisco, Juniper, HP, and Extreme. CDP is Cisco proprietary and only works between Cisco devices. In a multi-vendor environment, CDP would miss non-Cisco devices. The exam often tests this distinction.
Best practice is to perform a full audit at least quarterly. However, for high-security environments (e.g., PCI DSS), monthly audits may be required. Automated discovery tools can run nightly to detect changes, but a formal reconciliation process should occur quarterly. The exam may ask about audit frequency in scenario questions.
A Configuration Management Database (CMDB) is a centralized repository that stores information about all configuration items (CIs) in the network, including hardware, software, and logical assets. It is important because it provides a single source of truth for asset data, supports change management, and enables compliance auditing. Tools like ServiceNow, NetBox, and SolarWinds are examples. The exam expects you to know that a CMDB is superior to spreadsheets.
Risks include: security vulnerabilities from unsupported (EOS) devices, compliance failures (e.g., PCI DSS), wasted budget on unnecessary purchases, slow incident response due to missing location or configuration data, and inability to plan refresh cycles. The exam often presents scenarios where these risks materialize.
Cloud assets like EC2 instances, virtual firewalls, and load balancers should be tracked using their unique IDs (e.g., instance ID, ARN). Use APIs to automatically discover and sync cloud resources into your CMDB. Tagging resources in the cloud (e.g., 'Environment: Production') helps map them to on-prem assets. The exam may include hybrid network scenarios.
SNMP is used to read device information from MIBs (Management Information Bases). For example, sysDescr (1.3.6.1.2.1.1.1.0) gives the device description, and the Entity MIB provides serial numbers. SNMPv3 is recommended for security. SNMP polling can be automated to populate the CMDB. The exam expects you to know which MIB objects to query.