NetPilot
Back to Blog
Tutorial9 min

Self-Hosted ContainerLab With an AI Chat Interface (Air-Gapped)

ContainerLab is powerful but headless — YAML and CLI, no GUI. Here's how to add an AI chat and live-topology layer over your own self-hosted ContainerLab host, so you can describe a topology in plain English and get a deployed lab — fully on-prem, no cloud.

S
Sarah Chen
Network Engineer

ContainerLab is the cleanest way to run real multi-vendor network labs in containers — declarative topology files, real network-OS images, fast spin-up. It is also deliberately headless: you write YAML, you run clab deploy, you SSH in. That's perfect for DevOps engineers and CI pipelines, and it's exactly why "ContainerLab GUI" and "ContainerLab web interface" are such common searches — plenty of people want a friendlier layer over the same engine without giving up the real labs underneath.

This tutorial shows how to add that layer — specifically an AI chat + live-topology interface — over your own self-hosted ContainerLab host, running fully on-prem with no cloud.

ContainerLab is powerful but headless

A ContainerLab topology is a YAML file:

name: three-router-ospf
topology:
  nodes:
    r1: { kind: linux, image: frrouting/frr:latest }
    r2: { kind: linux, image: frrouting/frr:latest }
    r3: { kind: linux, image: frrouting/frr:latest }
  links:
    - endpoints: ["r1:eth1", "r2:eth1"]
    - endpoints: ["r2:eth2", "r3:eth1"]

Then sudo clab deploy -t three-router-ospf.clab.yml, then SSH into each node and configure OSPF by hand. It works beautifully — but every topology and every config is something you write yourself, and there's no GUI to design, operate, or hand to someone who doesn't live in YAML.

What a GUI + AI layer looks like

The layer that answers the "ContainerLab GUI" search has three parts:

  1. An MCP server on the ContainerLab host that exposes the lab — deploy, inspect, run commands — over an authenticated API.
  2. An AI agent that turns plain-English intent into the topology YAML and per-vendor configs, calls the MCP server to deploy, and validates the result.
  3. A live topology viewer that renders the running lab and gives you device CLI in the browser.

NetPilot On-Prem is this layer, packaged to run on your own network. You keep ContainerLab as the engine; you gain a chat interface, AI-authored YAML, and a GUI on top.

How it connects

NetPilot doesn't replace your ContainerLab host — it connects to it. The NetPilot MCP server runs on the ContainerLab VM and exposes the lab to the backend over an authenticated HTTP API:

NetPilot backend  --bearer token-->  MCP server (on the clab host)  -->  clab / Docker
                                          |
                                     TopoViewer (:8080)  -->  live topology + device CLI in the browser

The agent runs on a local LLM you operate, so the whole path — intent, YAML generation, deploy, validate — stays inside your LAN.

Walkthrough — plain English to a deployed lab

Instead of hand-writing the YAML above, describe it:

"Three FRR routers in a line running OSPF in area 0, /30s between them, and a loopback on each advertised into OSPF. Deploy it and confirm full adjacencies."

The agent writes the .clab.yml, generates the per-router OSPF config, deploys it through the MCP server, and reads back the adjacency state to confirm it converged — then shows you the live topology.

Full ContainerLab and CLI access stays underneath. Nothing is hidden behind the agent:

# Inspect the running lab with native clab
sudo clab inspect -t three-router-ospf.clab.yml
 
# SSH into a node and verify OSPF by hand
ssh admin@clab-three-router-ospf-r1
vtysh
show ip ospf neighbor
show ip route ospf

Then iterate conversationally — "add a fourth router and make it an ABR into a new area 1" — and the agent edits the topology and configs and redeploys. You're getting the GUI/AI ergonomics and the raw clab workflow, not one or the other.

Self-hosted and air-gapped

Because the agent, the ContainerLab host, and the model all run on your network, the whole thing can be fully air-gapped:

  • NetPilot On-Prem installs from a signed offline bundle.
  • Device images are bring-your-own (BYOI) — staged on the ContainerLab host, never pulled at runtime. FRR and Nokia SR Linux are built in; Cisco, Juniper, Arista, Palo Alto, and Fortinet are BYOI.
  • The local LLM keeps every inference on the LAN.

No telemetry, no phone-home, no outbound connectivity at runtime — the same offline guarantee you already get from self-hosted ContainerLab, now with an AI agent and a GUI on top.

FAQ

Does ContainerLab have a GUI?

ContainerLab is CLI- and YAML-driven with a built-in topology graph, but no full GUI for designing or operating labs. You can add one: NetPilot On-Prem connects over an authenticated MCP server, lets you describe topologies in plain English, deploys them, and renders the live topology with in-browser device CLI.

Can I add AI to a self-hosted ContainerLab?

Yes. NetPilot On-Prem runs an AI agent on a local LLM that connects to your existing ContainerLab host over MCP. It writes the YAML and per-vendor configs, deploys via clab, and validates — while you keep full clab and SSH access underneath. Fully on-prem, no cloud.

Is the ContainerLab AI layer air-gapped?

It can be. NetPilot On-Prem installs from a signed offline bundle, runs the model locally, and makes no outbound calls at runtime — the agent, the ContainerLab host, and the LLM all run on the same LAN.

Copy-paste ready: The all-vendors OSPF area 0 prompt in our example library is a good lab to deploy on your own ContainerLab host through the agent.

Related reading: On-Prem AI Network Lab is the full air-gapped deployment; Run an AI Network Engineer on a Local LLM covers the model; and Building an Air-Gapped Network Lab covers the offline lab itself.

Want an AI + GUI layer over your ContainerLab host? The On-Prem AI Network Lab page covers the deployment — contact sales to scope it for your network.

Try NetPilot Free

Build enterprise-grade network labs in seconds with AI assistance

Get Started Free