
Cisco has announced new software for its routers. The company is confident that the modification will make its entry-level router models more accessible and simplify the configuration of basic functions. Cisco has long been criticized for how hard its equipment is to set up from the command line for ordinary administrators. Administrators at small companies often struggle when they configure a router from the command line for the first time. The new approach is designed, if not to fix this, then at least to make the command interface more accessible and understandable to an inexperienced user. The approach is part of the ICN (Intelligent Collaboration Network) concept, which brings together novice professionals around the world. The modification is named Cisco Routermate, and in the future it will become part of the new generation of Cisco AISR routers (from ISR, Integrated Services Router, and AI, artificial intelligence).
So, let's see what is special about the new "intelligent" software. I should say right away that at the moment (version 0.01) the feature set is quite small. Still, the very concept of a "friendly" router with a self-learning software interface is appealing. I also want to reassure the network gurus at once: the console is not going anywhere and all the configuration commands will be available as before, but additional intelligent menus and configuration dialogs will appear as part of the new feature set.

Currently, the first test version of the Extended software, which includes Routermate, is available for ISR 4300 series routers; it will be available for ISR 800 and 1900 in the future. A license is not required. The main line in which the new approach will be rolled out, as already mentioned, will be the new generation of routers, AISR. Before setting up the router, the administrator first needs to create a profile on the device and enter his own data and the company's data. As part of this survey, the router asks for the addressing of the company's central office and branches, the provider settings, the operating mode of the company and the basic IT security rules in the company. After that, a universal console with a common set of commands and an interactive mode of configuration and communication becomes available. As many have already guessed, the chatbot is built on a self-learning platform and will be able to develop in the course of communication (it will not start giving Nazi salutes to its owner, as its counterpart from another well-known company did; a simpler algorithm is intended here). It will also be able to automatically correct errors when standard commands are entered (how many times have we typed congf t and shrun!) or advise you to read this or that manual during the configuration process.
But back to more pressing matters: what can be configured from the interactive menu? The menu is divided into two parts. In the first, we can make the most common settings using the wanna command (entered in privileged mode (#) or from chat mode (the router command)). Everything looks like templates, with the only difference that the router does not ask for extra details about the VPN parameters (hash, encryption), and if you specified information about remote offices in your profile, it sets these parameters automatically (for site-to-site). For SSL VPN (if you do not need integration with AD) it will also issue a test login for connecting and brief instructions on how to connect.
Menu of standard tasks.
cisco-aisr-g3#router
>>hello Vasily!
>^Z
cisco-aisr-g3#wanna
>Come on, configure something! You want..
1. connect to internet
2. connect to branch (site-to-site vpn)
3. connect vpn users (anyconnect vpn)
4. translate port (NAT)
5. open/close port (ZFW)
Then, once the minimum required parameters are specified, the configuration is applied automatically.
Another part of the interactive interface is the administrator assistance mode. This is a very useful mode: it helps you not to despair and to find a solution, at least for typical questions. You can call the menu with the helpme command.
cisco-aisr-g3#router
>>hi
>how are you?
>>oh, its a lot of traffic today!(
>helpme
>>Sure! What kind of problem do you have?
1. problem with ping
2. check TCP port state (open, closed)
3. problem with vpn
4. problem with access to web
5. problem with dhcp
6. problem with connection quality
For example, a host on the network does not respond to ping.
>1
>>Which destination address?
>192.168.10.10
>>And source address/subnet?
>192.168.9.20
>>Let me check
>>show access-lists lan_input_in
Extended IP access list lan_input_in
<..>
220 permit icmp 192.168.9.0 0.0.0.255 any (109486 matches)
>>ping 192.168.10.10 source GigabitEthernet0/2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.9.1
.....
Success rate is 0 percent (0/5)
>>show arp 192.168.10.10
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.10.10 5 c321.901e.e321 ARPA GigabitEthernet0/2
>> Estimated Reason: icmp traffic blocked on destination host
>> Recommended Action: Please check firewall/antivirus on destination host
Or the IPsec VPN to a remote office does not work.
>3
>>Branch or remote vpn?
>Branch
>>remote address or office description?
>Smolensk
>>don't worry, I'm working on it
>>show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot
87.52.67.231 175.82.33.123 MM_NO_STATE 1 0
>>debug crypto isakmp
>>debug crypto condition peer 87.52.67.231
>>ping 192.168.20.1 source GigabitEthernet0/2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with .a source address of 192.168.9.1
3d01h: ISAKMP (0:1): processing SA payload. message ID = 0
3d01h: ISAKMP (0:1): found peer pre-shared key matching 87.52.67.231
ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
.
ISAKMP: encryption AES-256-CBC.
.ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0:1): Hash algorithm offered does not match policy!
Success rate is 0 percent (0/5)
ISAKMP (0:1): atts are not acceptable. Next payload is 0
>> Estimated Reason: vpn configuration parameters doesn't match.
>>I sent my vpn parameters to email vpp@cbs.ru, check it on remote side.
>>Vasiliy, please read this document www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
>thanks
>>No problem, glad to help you!
Or Internet access is slow.
>6
>>Let me guess, poor internet connection?
>yes
>>Analysis traffic and telemetry…
>>show processes cpu
CPU utilization for five seconds: 97%/92%; one minute: 97%; five minutes: 96%
>>High CPU utilization due to interrupts
>>Checking traffic
>>show interface summary

>>Interface utilization 95%
>>Analyzing flows
>>show ip cache flow high utilization
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi0/0/0 192.168.10.43 Gi0/0/1 198.26.15.66 06 07D0 CED4 10568
>>Lookup IP=192.168.10.43, AD_username=Ivanov_P
>>NBAR protocol-discovery
>>Protocol=torrent
>>Torrent type=Adult video
>>The problem is in Ivanov_P. Choose the option:
1. Block Ivanov_P ip address
2. Send email to Roscomnadzor
3. Copy torrent file (hot_chicks59.mov) to admin PC
As you can see, the tasks so far are quite simple, but how much they can help someone who is not at home in the depths of the console! In the case of IPsec VPN, for example, the router sent the VPN parameters to the administrator by mail, so it is enough to forward them to the remote side or agree them with it. And while we wait for an answer, we can relax.
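The debug output in the IPsec dialog above can also be read mechanically. The following is an added example, not part of the original article and not Cisco code: it parses those debug lines, decodes the lifetime octets and compares the peer's offer with a local policy. The names parse_isakmp_debug, mismatches and LOCAL_POLICY, and the policy values, are assumptions made for illustration.

```python
import re

# Constructed sample: the debug lines from the dialog above, including the ping
# progress dots that the console interleaves with the debug output.
SAMPLE = """\
3d01h: ISAKMP (0:1): processing SA payload. message ID = 0
3d01h: ISAKMP (0:1): found peer pre-shared key matching 87.52.67.231
ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
.
ISAKMP: encryption AES-256-CBC.
.ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0:1): Hash algorithm offered does not match policy!
ISAKMP (0:1): atts are not acceptable. Next payload is 0
"""
# Hypothetical local policy for the comparison; the page does not show it.
LOCAL_POLICY = {"encryption": "AES-256-CBC", "hash": "SHA256", "group": "5",
                "auth": "pre-share", "lifetime": 86400}

ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
LIFE = re.compile(r"ISAKMP:\s+life duration \(VPI\) of ((?:0x[0-9A-Fa-f]+\s*)+)")
REJECT = re.compile(r"ISAKMP \(\d+:\d+\):\s+(.*(?:does not match policy|not acceptable).*)")

def parse_isakmp_debug(text):
    """Return (offered attributes, rejection messages) from debug output."""
    offered, rejections = {}, []
    for raw in text.splitlines():
        line = raw.lstrip(". \t")                       # drop interleaved ping dots
        line = re.sub(r"^\S+:\s+(?=ISAKMP)", "", line)  # drop uptime stamp "3d01h: "
        if m := ATTR.match(line):
            key = "group" if m.group(1) == "default group" else m.group(1)
            offered[key] = m.group(2).rstrip(".")
        elif m := LIFE.match(line):
            # The lifetime is printed as big-endian octets: 0x00015180 = 86400 s.
            octets = bytes(int(b, 16) for b in m.group(1).split())
            offered["lifetime"] = int.from_bytes(octets, "big")
        elif m := REJECT.match(line):
            rejections.append(m.group(1))
    return offered, rejections

def mismatches(offered, local_policy):
    """Attributes where the peer's offer differs from the local policy."""
    return sorted(k for k, v in local_policy.items() if offered.get(k) != v)

if __name__ == "__main__":
    offered, rejected = parse_isakmp_debug(SAMPLE)
    print(offered, rejected, mismatches(offered, LOCAL_POLICY), sep="\n")
```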
If the administrator is tired, or stuck alone in the server room with the console, it does not matter. In the new modification it will be possible (besides chatting with the router on your favorite topic) to relieve stress by playing Arkanoid or Tetris, or to play the router at poker (in which case it is better not to fill in the creditcard variable in the profile) or Battleship.
What's next? The vendor plans to develop the line of "friendly" devices. In the future, as part of the general concept of building a network, the central router will also be able to configure routers in remote offices (for example, configure IPsec VPN on both sides at once, apply universal firewall policies, or route a remote office's Internet traffic through the center). AISR will also be able to scan your network, communicate with other devices via the SNMP protocol and report to the administrator (syslog, push, mail sent via EEM) about a cartridge running out or low disk space. A specialized version for lovers of MikroTik equipment will also appear soon.
Technological progress is fast, and networks are penetrating our lives. And who knows, maybe in the future your grandmother will be able to configure NAT or BGP redistribution into EIGRP.