The Cisco Collector Architecture

At the core of the network operations layer is the Cisco collector — a purpose-built SSH subsystem that maintains authenticated sessions to every managed device in your inventory. The collector does not rely on SNMP polling or RESTCONF endpoints. It opens a direct SSH channel to each device, authenticates using locally stored credentials from an encrypted vault, and drops into an interactive IOS exec session just like an engineer would from a terminal.

Each collector instance manages a pool of persistent SSH connections. When you ask the system a question about a router, it does not spin up a new session from scratch. It picks a warm connection from the pool, sends the appropriate command, reads the output buffer until the prompt returns, and parses the result. Connection pooling keeps response times under two seconds for most show commands, even across inventories of several hundred devices.

Legacy Cipher and KEX Support

Anyone who has managed a fleet of Cisco devices knows the pain: that 3825 running IOS 15.1 in the branch closet does not speak diffie-hellman-group14-sha256. It needs diffie-hellman-group1-sha1 and aes128-cbc, ciphers that modern SSH clients reject by default. The Cisco collector handles this transparently. During device onboarding, the collector performs a cipher negotiation probe against each host and records the highest mutually supported key exchange, cipher, and MAC algorithm. When it connects later, it presents exactly those parameters. No manual ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 flags. No separate jump hosts for legacy gear. A single collector handles everything from a Catalyst 2960 running 12.2(55) to a Catalyst 9300 on IOS-XE 17.x.

Why not NETCONF or RESTCONF? Many older IOS images ship without NETCONF subsystem support, and even when it is available, the XML schema coverage is inconsistent across platforms. SSH with screen-scraping is the universal denominator. Every Cisco device with a management IP speaks SSH (or at minimum, Telnet, which the collector also supports as a fallback). We chose the transport that works on 100% of deployed gear, not the one that works on the newest 20%.

Natural Language to IOS Command Translation

When an engineer types a request like "check OSPF neighbor status on core-rtr-01," the system does not perform a fuzzy keyword search against a static command map. The LLM interprets the intent, identifies the target device from the inventory by hostname or alias, selects the appropriate IOS command (in this case, show ip ospf neighbor), and dispatches it through the collector. The translation layer understands context: if you follow up with "what about its routing table," the system knows "its" refers to core-rtr-01 and sends show ip route to the same device without you re-specifying the hostname.

This is not a brittle intent-matching engine. The LLM can decompose complex requests into multi-command sequences. Asking "is there an OSPF flap on the WAN edge?" might trigger show ip ospf neighbor, show ip ospf interface, and show logging | include OSPF across multiple devices, with the AI correlating the outputs into a single coherent answer.

virp
you → check OSPF neighbors on core-rtr-01
 
[LIVE SSH] core-rtr-01# show ip ospf neighbor
 
Neighbor ID Pri State Dead Time Address Interface
10.0.0.2 1 FULL/DR 00:00:34 10.1.0.2 GigabitEthernet0/0
10.0.0.3 1 FULL/BDR 00:00:31 10.1.0.3 GigabitEthernet0/1
10.0.0.5 1 2WAY/DROTHER 00:00:29 10.2.0.5 GigabitEthernet0/2
 
AI → core-rtr-01 has 3 OSPF neighbors. Two adjacencies (10.0.0.2, 10.0.0.3) are FULL on Gi0/0 and Gi0/1. Neighbor 10.0.0.5 on Gi0/2 is stuck in 2WAY/DROTHER state — this is expected if that segment has more than two routers and 10.0.0.5 is not the DR or BDR. Confirm this is a multi-access segment if you want me to investigate further.

Show Command Parsing and Routing Table Analysis

Raw IOS output is human-readable but machine-hostile. The output of show ip route varies between IOS versions, between VRF and global table contexts, and between IPv4 and IPv6 address families. The platform's parsing layer handles all of this. It does not rely on TextFSM templates alone — the LLM itself acts as a flexible parser, extracting structured data from semi-structured output and cross-referencing it against known topology.

When you ask "does core-rtr-01 have a route to 172.16.50.0/24," the system runs show ip route 172.16.50.0 255.255.255.0, parses the result, and returns a direct answer: the route exists via OSPF with next-hop 10.1.0.2, or the route is missing entirely. If the route is missing, the AI can proactively check the OSPF LSDB with show ip ospf database on the advertising router to determine whether the prefix is being originated, filtered, or simply not reachable.

OSPF Verification Workflows

OSPF is the most commonly deployed IGP in enterprise networks, and it is also one of the most common sources of outages when adjacencies flap or areas are misconfigured. The platform provides deep OSPF verification that goes beyond checking neighbor state. It can:

  • Verify area ID consistency between neighbors using show ip ospf interface on both ends of a link
  • Compare hello and dead timers across adjacencies to identify timer mismatches before they cause a flap
  • Check for MTU mismatches that prevent adjacencies from reaching FULL state by correlating show ip ospf interface detail with show interface output
  • Detect stub/NSSA area misconfigurations by examining show ip ospf and comparing area types across all routers in the area
  • Trace LSA propagation through the LSDB to determine why a prefix is or is not reachable from a given vantage point
virp
you → why can't branch-rtr-04 reach 10.100.0.0/16?
 
[LIVE SSH] branch-rtr-04# show ip route 10.100.0.0 255.255.0.0
% Network not in table
 
[LIVE SSH] branch-rtr-04# show ip ospf neighbor
10.0.0.1 1 FULL/DR 00:00:38 10.3.0.1 GigabitEthernet0/0
 
[LIVE SSH] core-rtr-01# show ip ospf database | include 10.100.0.0
10.100.0.0 10.0.0.6 1608 0x80000004 0x00A1C3 Type-5 E2
 
[LIVE SSH] branch-rtr-04# show ip ospf | include Area
Area 2, Stub
 
AI → Found it. 10.100.0.0/16 is advertised as a Type-5 External LSA by 10.0.0.6 (visible in the core LSDB). However, branch-rtr-04 is in OSPF Area 2 configured as a stub area. Stub areas reject Type-5 LSAs by design. Two options: convert Area 2 to NSSA (which allows Type-7 externals that get translated to Type-5 at the ABR), or convert it to a normal area. Want me to draft the config change?

The Approval Queue: Write Command Governance

Read commands are executed immediately. show, display, ping, traceroute — these are non-destructive and return results in real time. Write commands are a different story. Any command that would modify running-config, alter a routing process, shut down an interface, or change a VLAN assignment passes through the approval queue before execution.

Here is how it works: when the AI determines that fulfilling your request requires a configuration change, it generates the exact IOS command sequence (including the configure terminal entry, the specific commands, and the end), presents it to you in the chat for review, and places it in a pending state. You explicitly approve or reject the change. Only after approval does the collector push the commands into the device's config mode. There is no "auto-apply" mode. There is no way for the AI to bypass the gate.

After execution, the system performs post-change verification. If you approved a command to add a network statement to OSPF, the system will automatically run show ip ospf interface and show ip ospf neighbor after the change to confirm the new network is being advertised and adjacencies are stable. If it detects a problem — say, the neighbor on that interface dropped to INIT state — it alerts you immediately and can propose a rollback.

virp
you → add network 192.168.40.0/24 to OSPF area 0 on dist-sw-02
 
APPROVAL REQUIRED The following commands will be sent to dist-sw-02:
 
configure terminal
router ospf 1
network 192.168.40.0 0.0.0.255 area 0
end
 
you → approved
 
[LIVE SSH] Commands applied successfully.
 
[POST-CHECK] dist-sw-02# show ip ospf interface GigabitEthernet1/0/24
Internet Address 192.168.40.1/24, Area 0
Process ID 1, Router ID 10.0.0.12, Network Type BROADCAST, Cost: 1
Timer intervals: Hello 10, Dead 40
 
AI → Verified. 192.168.40.0/24 is now active in OSPF area 0 on Gi1/0/24. Process ID 1, cost 1. Hello/Dead timers are default (10/40). Neighbor discovery is in progress on that interface.

What the AI Actually Sees

Transparency matters. When the platform answers a question about your network, it shows you exactly which commands it ran and on which devices. There are no hidden API calls, no cached data from an hour ago presented as live. Every piece of information is traceable to a specific SSH session, a specific command, and a specific timestamp. If the AI says an interface is up, you can see the show interface output it based that conclusion on.

This traceability is also the backbone of the anti-fabrication engine. The AI is architecturally constrained from making claims about device state without first retrieving live data from the device. If the SSH connection to a device is down, the AI will tell you it cannot reach the device rather than guess at its state. There is no hallucination pathway because the system does not have a "make something up" fallback.

Multi-Vendor Reality

While the Cisco collector is the most mature integration, the same architectural pattern — persistent SSH, show command parsing, approval-gated writes, post-change verification — applies to the broader network operations roadmap. The collector framework is extensible. Adding a new vendor means defining the prompt patterns, command syntax, and output parsers for that platform. The approval queue and verification loops remain identical regardless of whether the target is an ISR 4431 or a different vendor's equipment.

Practical Scenarios

Day-to-day, engineers use the network operations module for tasks that would otherwise require opening four terminal windows and cross-referencing output manually:

  • Morning health checks: "Show me any OSPF neighbors that are not in FULL state across all routers" triggers a sweep of every managed device and returns only the anomalies.
  • Trunk troubleshooting: "Is VLAN 150 allowed on the trunk between dist-sw-01 and dist-sw-02?" pulls show interface trunk on both ends and compares the allowed VLAN lists.
  • Change validation: After a maintenance window, "verify all OSPF adjacencies are stable and no interfaces are error-disabled" gives a fleet-wide health report in seconds.
  • Capacity planning: "What is the current CPU and memory utilization on all 4000-series routers?" gathers show processes cpu and show platform resources across the relevant devices and summarizes the results.

Every one of these workflows is a conversation. You ask a follow-up question, the system maintains context, and each answer links back to the raw device output. This is AI network troubleshooting built for engineers who need to trust the data, not a dashboard that hides the commands behind a pie chart.