Well hello everyone, it’s been a minute (or many) since my last blog post, but I’m excited to say that the major project I’ve been working on for the last 18+ months has come to a conclusion (well, for me at least 😉 ) and I’m looking forward to investing more time in blogs, videos, and getting back out there.
I have several topics I’m looking to dive into, but coming back from Cisco Live in Vegas last week, I figured I might as well jump on the AI hype train, chugga chugga chugga, and share a bit of my own thoughts on the topic.
Let me start by saying that I am just beginning to really dip my toe into the AI pool. There are many other engineers already way out in the deep end, and I hope to swim out and join them soon.
Cisco Live 2024 in Vegas was just the compelling event I needed to step down on the first step (to keep up the metaphor), and I included AI in two of my talks during the week. There was How to be a Network Engineer in an Artificial Age in the Cisco U. Theater, an update to my talk, “How to be a Network Engineer in a Programmable Age,” that I first delivered at Cisco Live in 2017. After eight years, it felt a little bittersweet to leave the programmable age behind, but exciting to be entering a new age. Artificial Intelligence also made a last-minute “bonus” appearance in my breakout “Programmability Skills for Engineers Who Don’t Want to Code.”
For these talks, I spent some time thinking through how network engineers should be thinking about and using AI right now, and what to possibly expect for the future. I’m not going to go through all the details in this blog post, but rather, I want to focus in on one specific use case that I found surprising and a bit exciting: Using AI to peer review your work. Buckle in, and let’s check it out.
Bridget takes Hank to Network Engineering School
One of the examples in “Programmability Skills for Engineers Who Don’t Want to Code” revolves around creating IPSEC VPN configurations for routers based on a configuration template and spreadsheet of data. I first show how to use formulas within the spreadsheet to create the configurations, and later use Ansible and Jinja2 templates to do the same thing.
As I was rehearsing the session, I wondered… Could AI do the same work?
If I’m honest, I figured it would get close, but need to be fixed/finished to be done. So I crafted this prompt and sent it to Cisco’s ChatGPT implementation known as “BridgeIT”.
Using the data from the below CSV data,
vpn_name,tunnel_interface,side_1_public_ip,source_network,source_mask,side_2_outside,tunnel_destination,destination_network,destination_mask,preshared_key
VPN_101,GigabitEthernet0/1,203.0.113.101,10.98.128.0,0.0.3.255,GigabitEthernet1/1,198.51.100.33,172.28.11.0,0.0.0.255,ZA788I
VPN_102,GigabitEthernet0/1,203.0.113.102,10.98.128.0,0.0.3.255,GigabitEthernet1/1,198.51.100.34,172.28.12.0,0.0.0.255,AM285I
generate a configuration from each row based on the below jinja2 template
! VPN {{ vpn_name }}
crypto isakmp policy 10
encryption aes
hash sha256
authentication pre-share
group 14
crypto ipsec transform-set vpn_transform esp-aes esp-sha256-hmac
access-list 100 permit ip {{ source_network }} {{ source_mask }} {{ destination_network }} {{ destination_mask }}
crypto isakmp key {{ preshared_key }} address {{ tunnel_destination }}
crypto map {{ vpn_name }} 10 ipsec-isakmp
set peer {{ tunnel_destination }}
set transform-setvpn_transform
match address 100
interface {{ tunnel_interface }}
crypto map {{ vpn_name }}
I sent it away and waited… and waited… and waited. But then this reply came back:
Based on the provided Jinja2 template and the CSV data, here are the generated configurations for each VPN:
For VPN_101:
! VPN VPN_101
crypto isakmp policy 10
encryption aes
hash sha256
authentication pre-share
group 14
crypto ipsec transform-set vpn_transform esp-aes esp-sha256-hmac
access-list 100 permit ip 10.98.128.0 0.0.3.255 172.28.11.0 0.0.0.255
crypto isakmp key ZA788I address 198.51.100.33
crypto map VPN_101 10 ipsec-isakmp
set peer 198.51.100.33
set transform-set vpn_transform
match address 100
interface GigabitEthernet0/1
crypto map VPN_101
For VPN_102:
! VPN VPN_102
crypto isakmp policy 10
encryption aes
hash sha256
authentication pre-share
group 14
crypto ipsec transform-set vpn_transform esp-aes esp-sha256-hmac
access-list 100 permit ip 10.98.128.0 0.0.3.255 172.28.12.0 0.0.0.255
crypto isakmp key AM285I address 198.51.100.34
crypto map VPN_102 10 ipsec-isakmp
set peer 198.51.100.34
set transform-set vpn_transform
match address 100
interface GigabitEthernet0/1
crypto map VPN_102
I was duly impressed. Bridget (as BridgeIT is affectionately known as) understood exactly what I wanted and was able to create the configurations for me perfectly. Score one for our artificially intelligent robot overlords.
But wait… she wasn’t done. The message continued:
Please note that there’s a typo in the Jinja2 template, specifically in the line where it says:
set transform-setvpn_transform
There should be a space before “vpn_transform”. Here’s the corrected line that should appear in the template:
set transform-set vpn_transform
Oh man… I had a typo in my template? Inconceivable!!! I quickly went and checked my prompt and the source Jinja2 template that I copied for the prompt—a template I’ve used in my Ansible demo in this presentation for two years.
Sure enough, I had a typo. Whoops… boy, did I feel embarrassed. And if you go back and look at the configurations that Bridget provided to my prompt, you’ll see that she actually fixed the mistake and sent the correct configs. Very, very well done. Score two and three.
But she still wasn’t done…
Additionally, you might face an issue when applying two different crypto maps to the same interface. Usually, a physical interface only supports one crypto map. If you need to support multiple VPNs on the same interface, you would typically use the same crypto map name with different sequence numbers for each peer.
Here’s how you can modify the second crypto map to use the same crypto map name with a different sequence number (assuming you want to use the crypto map name VPN_MAP for both):
For VPN_102 (with a revised crypto map name and sequence number):
! VPN VPN_102
crypto isakmp policy 10
encryption aes
hash sha256
authentication pre-share
group 14
crypto ipsec transform-set vpn_transform esp-aes esp-sha256-hmac
access-list 102 permit ip 10.98.128.0 0.0.3.255 172.28.12.0 0.0.0.255
crypto isakmp key AM285I address 198.51.100.34
crypto map VPN_MAP 20 ipsec-isakmp
set peer 198.51.100.34
set transform-set vpn_transform
match address 102
interface GigabitEthernet0/1
crypto map VPN_MAP
Notice that the access list number for VPN_102 has been changed to 102 to avoid conflict with the access list for VPN_101. The crypto map sequence number for VPN_102 has been set to 20, differentiating it from the sequence number 10 used for VPN_101. If you follow this approach, make sure that all your VPNs use the same crypto map name (VPN_MAP in this case) with different sequence numbers.
Okay… this shows some serious network understanding. Combining a CSV file and a Jinja2 template together isn’t that far from the code assistance and co-pilot use cases that have been in place for awhile—not really that much of a stretch. And finding a typo in a configuration template that is probably present in hundreds of public Internet documentation, blog posts, and training examples? Also not really that surprising.
But making this final leap related to network architecture and design… this was really quite surprising. I didn’t tell Bridget that each of these configurations would be deployed on individual routers, so she reasonably “worried” that I was looking to deploy the configs on the same device. And if I did that, it WOULD be an issue. Her suggested solution is reasonable, though admittedly follows examples that are also well documented on the Internet.
So what does this mean for us network engineers?
I was discussing this example during Cisco Live with some attendees, and the analogy of a “peer review” was brought up. This was a use case for AI in network engineering that I hadn’t formalized in my head yet, but had been dancing around with other examples.
There is a very real risk of engineers using AI-generated configurations “as is” in their network. This is a bad idea for the same reason as copying and pasting code from Stackoverflow or another untrusted Internet source. Before using configurations generated by Bridget or another generative AI tool, it is critical to verify the accuracy. Otherwise, you risk becoming another victim to hallucinations or just inaccuracies from overconfident AI assistants.
However, I think there is real potential in using AI as a peer reviewer for configurations and other artifacts we create. Here, WE, the network engineer, use our knowledge, skills, and experience to build a solution. Then, we ask AI to take a look and provide some feedback, similar to sending it to a co-worker, partner, or Cisco TAC.
This second-set-of-eyes use case is one that I think engineers should consider trying out for themselves—with a couple of very important caveats:
- Check with your company and organization’s AI policies. Many of the publicly available AI tools take any prompt information sent to them and use it for future training and fine-tuning. Network configurations are considered confidential for many companies as there is a serious security risk in sharing them publicly.
- I would still recommend having another “organic intelligence” review any critical configurations. I’m excited by the potential of AI, and we likely will get to a point where AI is so accurate we can rely on it for many use cases, but let’s take the slow approach to get there.
Well, what are your thoughts on this use of AI for network engineering? What other use cases are you exploring in your daily work as an engineer? Let me know in the comments. And stay tuned for more from me as I continue to swim into the Artificial Age!
PS… This blog post was written by me, Hank Preston, and not by Bridget or another AI tool 🙂
Sign up for Cisco U. | Join the Cisco Learning Network today for free.
Follow Cisco Learning & Certifications
X | Threads | Facebook | LinkedIn | Instagram | YouTube
Use #CiscoU and #CiscoCert to join the conversation.
Cisco Helps Build AI Workforce With New Skills Certification
Navigating the Multicloud Journey with Cisco’s New Certifications [Infographic]
Share: