NetPilot

On-prem AI network lab on a local LLM

Fully air-gapped — runs entirely on your own LAN on a local LLM (Ollama, vLLM, or Microsoft Foundry Local), with no cloud and no phone-home. Describe a network and the agent designs, builds, and validates a real multi-vendor ContainerLab lab.

Watch Demo
netpilot · on-prem

Built for air-gapped and disconnected networks

0
outbound calls at runtime — nothing leaves your LAN
100%
on your infrastructure — the app, the lab, and the LLM
9+
network operating systems on real CLIs (BYOI for licensed NOS)

Why NetPilot On-Prem is different

Self-hosted DIY emulators are offline but manual and AI-less; cloud AI tools have the agent but send your network off-site. NetPilot On-Prem is the one that is both air-gapped and AI-built.

Runs on your local LLM

The agent runs on your own Ollama, vLLM, or Foundry Local model — every prompt and inference stays on your LAN.

The alternative

DIY ContainerLab, EVE-NG, and GNS3 have no AI at all — you hand-build every node and write every config yourself.

Air-gapped by design

No cloud, no telemetry, no outbound calls at runtime. Installs and updates from a signed offline bundle.

The alternative

Cloud AI copilots send every prompt, config, and topology to a vendor API outside your boundary.

The agent builds the lab

Describe a network in plain English; the agent designs the topology, writes per-vendor configs, deploys it, and verifies it.

The alternative

Self-hosted emulators are manual — drag nodes, source images, and type every CLI line by hand.

Real CLIs, always there

SSH into any device for the real vendor CLI — the agent for speed, the CLI to verify and stay in control.

The alternative

Cloud chatbots give you text, not a real lab or a real device CLI to verify against.

See It in Action

Watch the agent build and validate a multi-vendor lab from a plain-English prompt — the same workflow that runs fully air-gapped on your own LAN and local LLM.

An AI network engineer that never leaves your network

Describe the network, let the agent design, build, and validate it on your own ContainerLab host and local LLM, then SSH into real CLIs — with nothing dialing out.

1. Describe the network — it never leaves your LAN

Tell NetPilot what you need in plain English. The request goes to your own local LLM (Ollama, vLLM, or Foundry Local) running on a VM you operate — no prompt, config, or topology ever leaves your network.

netpilot · on-prem

2. The agent builds and validates a real lab

NetPilot lays out the topology, assigns addressing, and writes per-vendor configs across real network OSes (FRR and Nokia SR Linux built in; Cisco, Juniper, Arista, Palo Alto, and Fortinet via BYOI), then deploys it on your ContainerLab host through an authenticated MCP server and verifies it — design to deploy to verify, all on your infrastructure.

netpilot · on-prem

3. SSH into real CLIs — and nothing phones home

Open a real device CLI over SSH, run show commands, and troubleshoot, or ask the agent to make a cross-device change. The agent is the fast path; the CLI is the verification and control layer — and there is no cloud, telemetry, or outbound call anywhere in the loop.

netpilot · on-prem

What you can build air-gapped

From a regulated change-validation lab to a disconnected research testbed — describe it and the agent builds it on real multi-vendor network OSes, entirely inside your network.

Air-gapped change validation

Build a multi-vendor mirror of a change behind your perimeter and validate it before production — on networks that can never reach the cloud. The agent builds the lab; you sign off.

Disconnected research labs

Stand up routing-protocol and impairment experiments (OSPF, BGP, IS-IS, mesh routing under packet loss with tc netem) entirely offline, with reproducible prompts as the artifact.

Multi-vendor labs on your own hardware

FRR and Nokia SR Linux built in, plus Cisco, Juniper, Arista, Palo Alto, and Fortinet via BYOI — real CLIs in one topology, all inside your network.

Network automation sandbox without cloud

Test Ansible, Nornir, or NETCONF/RESTCONF against a real multi-vendor topology over SSH — a programmable lab the agent stands up in minutes, with no external dependency.

Data-sovereignty digital twin

Keep every prompt, config, and inference inside your boundary for finance, telco, and regulated networks where data residency rules out a cloud model endpoint.

Protocol and topology study

Compare routing designs, EVPN/VXLAN fabrics, or MPLS L3VPN behavior on real network OSes — describe it in plain English and the agent wires and configures every device.

Pre-deployment testing behind the firewall

Spin up a faithful lab of a planned rollout on isolated infrastructure, run the change, and capture the result — Day-0/Day-1, never touching the live network.

Offline training environments

Give engineers a real multi-vendor lab to learn on inside a disconnected facility, with the agent generating fresh topologies and configs on demand.

How the air-gap works — three VMs on your LAN

NetPilot On-Prem runs across three Linux VMs on the same network. Nothing reaches the cloud at runtime.

VM-1 · NetPilot app

Frontend, backend, and PostgreSQL as one Podman/Docker Compose stack. NetPilot installs this from a signed offline bundle.

VM-2 · ContainerLab host

Your Docker + ContainerLab host plus the NetPilot MCP server that exposes the lab to the agent. You stage your own device images (BYOI).

VM-3 · Local LLM

Your own model server — Ollama, vLLM, or Microsoft Foundry Local — on a single workstation GPU, not a datacenter H100/A100. You provide and operate it; NetPilot installs nothing here.

No cloud, no phone-home, no outbound connectivity at runtime — updates are applied from signed offline bundles you bring across your boundary.

NetPilot On-Prem vs the alternatives

DIY self-hosted tools are genuinely offline and give you real CLIs — they just have no AI. Cloud AI tools have the agent but send your network off-site. NetPilot On-Prem is both air-gapped and AI-built.

Runs fully air-gapped (no outbound at runtime)
NetPilot On-Prem
Yes — app, lab, and LLM on your LAN
DIY self-hosted (ContainerLab / EVE-NG / GNS3)
Yes — self-hosted on owned hardware
Cloud AI network tools
No — prompts and configs leave your network
AI agent designs + builds + validates the lab
NetPilot On-Prem
Yes — from a plain-English prompt
DIY self-hosted (ContainerLab / EVE-NG / GNS3)
No — you hand-build every node
Cloud AI network tools
Partial — text only, no real lab to deploy
Driven by your own local LLM
NetPilot On-Prem
Ollama, vLLM, or Foundry Local — inference stays on-LAN
DIY self-hosted (ContainerLab / EVE-NG / GNS3)
No AI in the loop
Cloud AI network tools
Vendor's cloud model only
Real multi-vendor NOS CLIs
NetPilot On-Prem
FRR + Nokia SR Linux built in; Cisco/Juniper/Arista/Palo Alto/Fortinet via BYOI
DIY self-hosted (ContainerLab / EVE-NG / GNS3)
Yes — you source and stage each image
Cloud AI network tools
No real device CLI
Who stands up the lab
NetPilot On-Prem
The agent — then SSH in to verify
DIY self-hosted (ContainerLab / EVE-NG / GNS3)
You — provision, image, and configure by hand
Cloud AI network tools
No lab — guidance text only
Install + maintenance
NetPilot On-Prem
Managed install from a signed offline bundle
DIY self-hosted (ContainerLab / EVE-NG / GNS3)
You own the host, images, and upkeep
Cloud AI network tools
Nothing to host (and nothing on-prem)

Bottom line

Pick DIY self-hosted labs (ContainerLab, EVE-NG, GNS3) when you need:

  • You want to own and hand-build every layer yourself, with no AI in the loop
  • A free, open-source lab on hardware you already run, with a curated image library you maintain
  • Low-level control of every image, VM, and config is the point

Pick NetPilot when you need:

  • An AI agent that designs, builds, and validates the lab from a prompt — fully air-gapped
  • Runs on your own local LLM (Ollama, vLLM, Foundry Local) — no cloud, no phone-home
  • Real multi-vendor NOS CLIs over SSH, with the agent writing the per-vendor config
  • A managed install from a signed offline bundle, not a DIY maintenance project

Verdict:Keep DIY self-hosted tools when you want to own every layer by hand and don't need AI. Choose NetPilot On-Prem when you want an AI network engineer that designs, builds, and validates real multi-vendor labs — running entirely on your own LAN and local LLM, with the CLI always there to verify.

Frequently Asked Questions

The questions air-gapped, defense, and regulated teams actually ask

Yes — NetPilot On-Prem. The AI agent is driven by a local LLM you run yourself (Ollama, vLLM, or Microsoft Foundry Local, over an OpenAI-compatible endpoint), so every inference call stays inside your network. It designs network topologies, deploys real ContainerLab labs, and runs device CLI through chat — with no cloud, no phone-home, and no outbound connectivity at runtime.
Yes. NetPilot On-Prem targets any OpenAI-compatible local model server — Ollama, vLLM, and Microsoft Foundry Local are all supported, and you pick the model in the admin console. A model with reliable tool-calling is recommended because the agent drives a multi-step design → deploy → verify loop; the runtime and model both run on your own hardware (a separate VM you operate), so nothing leaves your LAN.
Effectively, yes. NetPilot connects to a ContainerLab host on your network through an authenticated MCP server, and the agent designs topologies and deploys real multi-vendor labs on it from a chat interface. A built-in topology viewer renders the live topology and gives you device CLI in the browser. It is the AI + GUI layer that DIY ContainerLab does not ship — without sending anything to the cloud.
Across three Linux VMs on the same LAN. VM-1 runs the NetPilot app (frontend, backend, and PostgreSQL as a Podman/Docker Compose stack). VM-2 is your ContainerLab host plus the NetPilot MCP server that exposes the lab to the agent. VM-3 runs your local LLM. NetPilot installs VM-1 and ships the MCP bundle for VM-2 as a signed offline release; you provide and operate the ContainerLab host and the LLM. Device images are bring-your-own (BYOI) — NetPilot never distributes commercial vendor images.
A single workstation GPU — not a datacenter cluster. The agent runs on a ~31B-class local model (such as Google's Gemma 4 31B), which at 4-bit quantization needs roughly 17-20 GB of VRAM. A single 24 GB card (e.g. an RTX 4090) handles a pilot; a 48 GB workstation card (RTX 6000 Ada or A6000) is the comfortable production spec, with ECC memory for regulated environments. Apple Silicon with 64 GB or more of unified memory works too, and CPU-only is a slow fallback. You do not need an H100 or A100. You provide and size the model-host VM, and we'll scope it with you on the call.
Any OpenAI-compatible local model server — Ollama, vLLM, or Microsoft Foundry Local. We validated the agent on Google's Gemma 4 31B via Ollama; a ~31B-class model is the sweet spot because the agent needs reliable multi-step tool-calling, which very small models struggle with. The model is configured in the admin console and is swappable, so you run whichever model your security team approves. NetPilot never distributes model weights — you pull the model yourself (BYOI).
No. At runtime there is no cloud dependency, no telemetry, and no external connectivity — the app, the ContainerLab lab, and the LLM all run inside your network. Updates are applied from signed offline bundles you bring across your boundary; nothing dials out on its own.
Cisco CML and EVE-NG Pro are proven self-hosted emulators you run on owned hardware — that is genuinely their strength. What they do not have is an AI agent that designs the topology, writes the per-vendor configs, and validates the lab for you. NetPilot On-Prem adds exactly that, runs real multi-vendor network OSes (FRR and Nokia SR Linux built in; Cisco, Juniper, Arista, Palo Alto, and Fortinet via BYOI), and operates fully air-gapped on your own local LLM. Many teams keep CML or EVE-NG for what they are good at and use NetPilot for the AI-built, multi-vendor work.
Self-contained local auth (username/password with argon2 hashing), a JWT cookie with CSRF double-submit protection, an admin console for users and LLM providers, and Fernet-encrypted secrets at rest. The agent's actions and device CLI are logged. We scope your specific compliance and data-handling requirements on the call rather than implying certifications we do not hold.
No — NetPilot does not hold FedRAMP, IL4, or IL5 authorization. On-prem runs entirely on your own authorized infrastructure inside your boundary, so the authorization scope remains with the deploying organization. We scope the specific compliance and data-handling requirements with you on the call.

Explore NetPilot

NetPilot for Enterprise

Cloud, dedicated, on-prem, or air-gapped — with your choice of AI provider per deployment.

Network Engineering Agent

The agent your engineers run — it designs, builds, and validates the lab from your prompt.

Defense Network Research Lab

Reproducible multi-vendor research labs, cloud or on-prem.

Cisco CML Alternative

Multi-vendor and AI-built — with a self-hosted on-prem option.

EVE-NG Alternative

An AI agent over real multi-vendor labs — cloud or on-prem.

AI Network Emulator

How the AI agent designs and deploys real-NOS labs end to end.

Further reading

Run an AI Network Engineer on a Local LLM

Ollama, vLLM, or Foundry Local — fully offline, no cloud.

Building an Air-Gapped Network Lab

Real multi-vendor labs with no cloud and no phone-home.

Self-Hosted ContainerLab + AI

Add an AI chat and topology layer over your ContainerLab host.

Build Enterprise Labs with AI

From plain-English prompt to a validated multi-vendor lab.

Local LLM GPU Requirements

What GPU runs the agent on-prem — a single workstation card, no H100.

Network Digital Twin

A runnable mirror for change validation and what-if testing.

Bring the AI network engineer inside your perimeter

An air-gapped AI network lab on your own LAN and local LLM — the agent designs, builds, and validates real multi-vendor labs, with nothing leaving your network. Tell us your environment and we'll scope the deployment.