Synthetic network config generator for ML training data -- valid configs + intentional misconfigs.
Training ML models for network config analysis requires large labeled datasets of valid and invalid configurations. Real configs are proprietary and can't be shared. Existing synthetic generators produce unrealistic configs that don't transfer to production environments.
netsynth generates realistic multi-vendor network configurations with optional intentional misconfigurations. Each config comes with labels (valid/invalid + error type) ready for ML training.
+------------+ +----------+ +----------+ +----------+
| Parameters |---►| Template |---►| Mutations|---►| Dataset |
| (realistic | | (vendor- | | (labeled | | (JSON/ |
| values) | | specific)| | errors) | | JSONL/ |
| | | | | | | CSV) |
+------------+ +----------+ +----------+ +----------+
|
+-------+-------+
| | |
Cisco IOS JunOS Arista EOS
- 3 vendor platforms: Cisco IOS, JunOS, Arista EOS
- 14 mutation types: security, syntax, routing, ACL, and operational misconfigs
- Topology generator: spine-leaf and three-tier campus topologies with consistent addressing
- Dataset builder: labeled output in JSON, JSONL, and CSV formats
- Reproducible: seed-based generation for experiment reproducibility
pip install netsynth# Generate a single valid config
netsynth generate --platform cisco_ios --routing ospf
# Generate with misconfigs
netsynth generate --invalid --mutation plaintext_password
# Generate a training dataset (100 configs, 30% invalid)
netsynth dataset --count 100 --invalid-ratio 0.3 --output training.jsonl
# Generate a multi-device topology
netsynth topology --type spine-leaf --platform cisco_ios
# List available mutations
netsynth list-mutationsfrom netsynth.generator import ConfigGenerator
from netsynth.dataset import build_dataset
gen = ConfigGenerator(seed=42)
valid = gen.generate(platform="cisco_ios", routing="ospf")
invalid = gen.generate_invalid(mutation_name="plaintext_password")
dataset = build_dataset(count=1000, invalid_ratio=0.3, seed=42)| Mutation | Category | Severity | Description |
|---|---|---|---|
| plaintext_password | security | critical | Replace encrypted password with plaintext |
| snmp_public | security | high | Set SNMP community to 'public' with RW |
| no_service_encryption | security | high | Remove service password-encryption |
| telnet_enabled | security | high | Enable telnet on VTY lines |
| duplicate_ip | interface | critical | Assign same IP to two interfaces |
| missing_mask | syntax | high | Remove subnet mask from interface |
| missing_no_shut | interface | medium | Remove no shutdown from interface |
| wrong_ospf_area | routing | medium | Put interface in wrong OSPF area |
| missing_bgp_neighbor | routing | high | Remove a BGP neighbor statement |
| acl_permit_any | acl | critical | Add permit any any to ACL |
| missing_ntp | operations | medium | Remove all NTP configuration |
| missing_logging | operations | medium | Remove logging configuration |
| weak_vty_acl | security | high | Remove transport input restriction from VTY |
| overlapping_networks | routing | medium | Add overlapping network statements |
MIT