Sentinel-NX is a small, offline assistant for writing Cisco IOS-XE network configurations. It is built on a 3B parameter language model (Qwen2.5-Coder-3B) that was fine-tuned to produce strict, valid configuration for exactly what is requested, without adding interfaces, addresses, descriptions, or other settings that were not asked for. It is small enough to run on a laptop or a low-cost edge device, and it runs entirely on local hardware with no internet connection.
Most general-purpose language models tend to over-produce. When asked for a configuration, they often add commands that were never requested, such as an extra interface, a guessed IP address, or an unprompted "best practice" line. In ordinary writing that padding is harmless. In a network configuration it is not: a single unintended command can take a link down or open a security gap.
There is a second problem. The cloud-based assistants engineers might otherwise turn to are not an option on air-gapped, classified, or tightly regulated networks, where configuration data is not allowed to leave the local environment.
Sentinel-NX is designed around the opposite behavior. It returns the minimum correct configuration for the request and nothing more, and it does so entirely offline, so no data ever leaves the machine.
Sentinel-NX was measured against a hidden benchmark: a set of prompts written from scratch, using interfaces, VLANs, network numbers, and device names the model had never seen during training. Testing on unfamiliar examples shows whether the model genuinely learned the task rather than memorizing answers.
| Model | Score |
|---|---|
| Base model (Qwen2.5-Coder-3B) | 58 / 100 |
| Sentinel-NX (version 3.1) | 97 / 100 |
The improvement comes from the training method described below.
The strong score did not come from a single training run. It came from a repeating cycle of testing and correction:
- Test the model and record exactly which kinds of configuration it gets wrong.
- Build a small, focused set of training examples that target those specific weaknesses.
- Retrain the model and test it again.
- Repeat.
Each round closed gaps the previous version had left open, in areas such as tunnels, routing protocols, access control, and device monitoring. The final round reinforced the hardest remaining cases. In total, the model was trained on roughly 5,200 examples across several rounds of correction.
One intermediate version actually performed worse than the one before it. The benchmark caught that regression right away, which is the reason every version was scored before moving on. Measuring each step is what made steady, reliable progress possible.
The model is published on Hugging Face at huggingface.co/tnadmin/Sentinel-NX. Two versions are available: a higher-fidelity build (Q8_0) and a slightly faster one (Q6_K).
Run it with Ollama:
ollama run hf.co/tnadmin/Sentinel-NX:Q8_0Or with llama.cpp, after downloading a model file:
./llama-cli -m sentinel-nx-q8_0.gguf --temp 0 -c 4096 -cnv \
-sys "You are a Cisco IOS-XE configuration assistant. Output only strict, valid configuration for exactly what is requested. Do not invent values."The model's strict behavior depends on the instructions it is given. Providing a system prompt like the one above, and clearly stating what it should not add, keeps its output disciplined. You can also rebuild the model yourself from the original base model using the scripts in the scripts/ folder.
The project includes a simple web interface, app/sentinel-nx-chat.html, for working with the model. It is a single file with no external dependencies and runs fully offline. It provides a running chat history, a memory toggle (on, so that follow-up questions keep their context; off, so that each request is answered on its own), a separate view of the model's reasoning, and a one-click button to copy the generated configuration.
To use it, start the model as a local server and open the file in a web browser:
./llama-server -m sentinel-nx-q8_0.gguf --host 127.0.0.1 --port 8080 -c 4096In a small number of cases, the model places the OSPF router-id setting under an interface instead of under the routing process, where it belongs. A targeted correction for this is the next planned improvement. Details are recorded in eval/results/V3_1_STATUS.txt.
The project code and documentation are released under the PolyForm Noncommercial License 1.0.0. The model is built on Qwen2.5-Coder-3B-Instruct and is distributed under the Qwen Research License, which permits non-commercial use only. See the LICENSE and NOTICE files for full details.