Documentation
Securedy Labs — Network Design & Simulation
Build, simulate, and learn networking — powered by AI and a CCNA-quality CLI.
Securedy Labs is a browser-based network topology designer and simulator. Describe a network in plain English, the AI builds it on the canvas, then open a real CLI terminal on any device.
Quick start — 3 steps- 1. Sign in and create a new project from the home screen.
- 2. Type a prompt like
Build a small office network with a firewall, router, switch, and 5 workstations and press Enter. - 3. Click any device on the canvas → Open Terminal to launch the CLI.
What gets simulated
Router
Cisco IOS 15.7 — routing table, OSPF, BGP, EIGRP, RIP, MPLS, SD-WAN
L3 Switch
Cisco IOS — multilayer switch with both Layer 2 and Layer 3 routing
Switch
Cisco IOS 15.2 — VLANs, STP, MAC table, CDP, LLDP, port security
Firewall
Cisco ASA 9.16 — interfaces, ACLs, NAT, AAA, RADIUS, TACACS+
Server
Linux — ip addr, ss, netstat, nslookup, FTP, SMTP, SNMP
Workstation
Linux shell — basic networking commands
Laptop
Mobile endpoint — 802.1X, corporate VPN client
Phone
IP phone (PoE/SIP) or smartphone (WPA2/WPA3 WiFi)
Tablet
BYOD device — VLAN policies, MDM, wireless association
Cloud / ISP
BGP edge router with ISP hops in traceroute
Access Point
Cisco IOS AP — dot11 associations, BVI, WPA2 config
Load Balancer
HAProxy — backend health, active connections
WLC
Cisco WLC — CAPWAP tunnels, AP/client management, WLAN profiles
Getting the Most Out of Securedy Labs
Securedy Labs is most powerful when you treat it as a hands-on simulator, not just a diagram tool. The AI builds the topology, but the learning happens in the terminal and the Learn tab — where you investigate how devices actually behave.
Workflow that maximises learning
The recommended loop- 1. Build — describe the network you want to practice in the Architect tab.
- 2. Explore — open terminals on routers and switches, run
show commands, and read the output. - 3. Ask — switch to Learn mode and ask “why does this device have this route?” or “what would break if I removed this switch?”
- 4. Challenge — attempt a challenge at the right difficulty for your current level.
Writing better AI prompts
The more specific your prompt, the more accurate the topology. Vague prompts produce generic results.
CommandDescription
Better
Build a small office with a Cisco ASA firewall, a core L3 switch, two access switches with VLAN 10 (data) and VLAN 20 (voice), and 8 workstations on 192.168.10.0/24
Better
Add a second router and configure HSRP on both with a virtual IP of 10.0.0.254. RTR-A should have priority 110 with preempt.
Better
Configure OSPF area 0 between RTR-HQ and RTR-Br1 on the 10.1.0.0/30 link. Advertise the branch LAN 10.2.10.0/24 into OSPF.
Using Learn mode effectively
Learn mode works best when you ask specific questions about your topology, not generic questions. The AI has full context about every device, IP, VLAN, and connection in your current lab.
CommandDescription
Generic (less useful)
What is OSPF?
Specific (better)
Why does RTR-HQ have an OSPF neighbor relationship with RTR-Br1, and what happens to traffic if that adjacency drops?
Generic (less useful)
How do VLANs work?
Specific (better)
Walk me through exactly how a packet from WS-1 (VLAN 10) reaches SRV-Files (VLAN 30) step by step, using the devices in this topology.
Generic (less useful)
What is a firewall?
Specific (better)
What ACL rules would I need to add to FW-Edge to allow HTTP from the internet to the DMZ-Web server at 172.16.10.10?
Building real-world lab scenarios
These prompts build complete, exam-quality topologies you can explore with the terminal:
$ Build a multi-site WAN with HQ and two branch offices connected via MPLS. Use OSPF for routing. HQ has a dual-firewall DMZ with a web server.
$ Create a campus network with a collapsed core/distribution layer using two L3 switches in HSRP, four access switches with VLANs 10, 20, 30, and 40, and a WLC managing 6 access points.
$ Build an enterprise datacenter with a load balancer, web tier (3 servers), app tier (2 servers), and DB tier (1 server). Add a DMZ firewall between the internet and the web tier.
$ Create a small ISP network with a BGP edge router peering with two upstream providers, MPLS in the core, and three customer CE routers.
Challenge strategy
Challenges are designed so you have to find the fault yourself — the symptom description tells you what is broken, not where. Use the terminal to investigate systematically:
CommandDescription
Step 1 — Reproduce the symptom
Run ping or traceroute from the affected device to confirm the failure is real.
Step 2 — Narrow down the layer
Does traceroute reach the correct device? If so, it's a Layer 3+ issue. If it stops earlier, it's Layer 2 or lower.
Step 3 — Check each device in path
Open terminals on each hop. Run show ip interface brief to find down interfaces, show ip route to find missing routes, show access-list to find unexpected deny hits.
Step 4 — Form a hypothesis
Identify the specific misconfiguration before submitting — the AI feedback is most educational when your diagnosis is close.
Step 5 — Submit and read the feedback
The instructor feedback tells you exactly what you got right, what you missed, and why the fix works. Read it even when you get it correct.
Suggested learning paths
CCNA Beginner
Start with a small office topology. Practice: IP addressing, VLANs, inter-VLAN routing with SVIs, static routes, and basic ACLs. Use Learn mode to ask 'why' at each step.
CCNA Intermediate
Build a multi-site WAN. Practice: OSPF, EIGRP, BGP basics, HSRP, DHCP snooping, port security, and NAT. Attempt Medium-difficulty challenges.
Network Security
Focus on the firewall and DMZ topologies. Practice: ASA ACLs, NAT translation, IPsec tunnels, AAA/RADIUS, VLAN hopping prevention, and DHCP/ARP inspection.
The canvas is the main workspace. Devices are nodes, links are edges.
Adding devices
In Architect mode, a vertical palette sits on the left edge. Devices are arranged in three categories — Infrastructure, Endpoints, and Network. Click any icon to drop a device at a default position, or drag to place precisely. Use the search bar at the top of the palette to filter by name (e.g. type sw to see Switch and L3 Switch). Clear the search with the ✕ button. Zoom controls and fit-view sit at the bottom of the palette.
Connecting devices
Hover a device until the connection handles appear (small circles on the edges), then drag from one handle to another device. Duplicate links are rejected automatically.
Selecting and deleting
Click the Select icon in the bottom-left controls to enter rubber-band selection. Draw a box over multiple nodes, then press Delete or Backspace to remove them and their links. Click Pan to return to normal navigation.
Editing a device
Click any device to open the Device Inspector on the right. In Architect mode you can edit the label and IP address, delete the device, or open the CLI terminal via the Open Terminal button.
Architect
Default mode. The AI builds and modifies the topology from your prompts. Manual editing is fully enabled. Three sub-modes control how AI changes land:
CommandDescription
Auto
AI changes apply immediately to the canvas
Confirm
A diff preview appears — approve or discard before anything changes
Plan
AI explains what it would do in plain English before executing
Learn
The AI acts as a network instructor. Ask questions about any device or concept — it answers in the context of your specific topology. Each device shows a Learning Note with OSI-layer context. The device palette and edit controls are hidden in this mode.
Type any network design or learning request into the prompt bar and press Enter. The AI uses Claude and can build or modify any topology described in plain English — including large multi-site and continental networks.
File & image attachments
Click the paperclip icon next to the prompt bar to attach files. Supported formats: JPEG, PNG (screenshots, diagrams), PDF, plain text, and Cisco Packet Tracer .pkt files. Maximum 10 MB per file. Attachments are sent to the AI alongside your prompt — paste a screenshot of an existing network diagram and ask the AI to recreate it on the canvas.
CommandDescription
JPEG / PNG
Network diagrams, topology screenshots, Cisco Packet Tracer screenshots
PDF
Network design documents, RFPs, exam study material
Text / CSV
Device lists, IP address tables, config snippets
.pkt
Cisco Packet Tracer topology file — imports all devices, links, and IP addresses directly onto the canvas
$ Build a small office network with a firewall, core switch, two access switches, and 10 workstations. Use 192.168.10.0/24 for the LAN.
$ Add a DMZ with a web server behind the firewall.
$ Replace the core switch with two redundant switches using LACP.
$ Explain what OSPF is doing in this topology.
$ What would happen if the firewall went down?
Securedy Labs can import existing network topologies directly from simulator files. All devices, connections, IP addresses, and interface names are preserved — the topology appears on the canvas exactly as it was built in the source tool.
Importing a Cisco Packet Tracer file (.pkt)
How to import — 2 steps- 1. Click the paperclip icon in the chat input bar and select your
.pkt file. The import starts immediately. - 2. Optionally type a message (e.g.
Explain this topology) and press Send. The topology appears on the canvas and the AI responds to your prompt.
Supported Packet Tracer versions: PT 7, 8, and 9.x (including the latest PT 9.0 format). Both the legacy numeric-index link format and the newer save-ref-id link format are handled automatically.
CommandDescription
Devices
All routers, switches, L3 switches, firewalls, servers, PCs, laptops, phones, tablets, APs, WLCs, and cloud devices are imported
Connections
All physical links between devices, including interface names on both ends (e.g. Fa0/1 → Fa0)
IP addresses
IPv4 addresses configured on interfaces are carried over to the canvas
Layout
Devices are arranged in a clean tier-based layout: cloud → router/firewall → L3 switch → switch → server → endpoint
What gets cleaned up automatically
Packet Tracer's canvas coordinates do not translate to Securedy Labs' viewport, so the import discards PT positions and applies a fresh hierarchical layout instead — the same tier-based arrangement the AI uses when generating topologies from scratch. Power strips, PDUs, and annotation notes are ignored.
More simulators coming soon
Planned import support
SoonGNS3 (.gns3) — GNS3 project files — routers, switches, and appliances with full topology export
SoonEVE-NG — EVE-NG lab files — enterprise-grade topologies with real IOS/NX-OS images
SoonCisco Modeling Labs — CML / VIRL2 topology YAML — Cisco's official network simulation platform
SoonVisio (.vsdx) — Microsoft Visio network diagrams — device and link extraction from diagram shapes
Securedy Labs supports multiple AI models from Anthropic and OpenAI. The active model is shown in the bottom-left of the chat input — click it to switch. Your selection is saved and remembered across sessions.
Available models
Claude Sonnet 4.6DefaultAnthropic
The recommended model for most use. Fast, capable, and efficient — handles topology generation, modification, and tutoring well. Ideal for iterative lab building where you're making many changes quickly.
Best for: Day-to-day topology work, fast iteration, Learn mode Q&A
Claude Opus 4.8Most CapableAnthropic
Anthropic's most powerful model. Produces deeper, more accurate explanations and handles complex multi-site designs with precision. Responses take slightly longer but are noticeably more thorough — especially for CCNA-level concept breakdowns.
Best for: Complex topology design, in-depth Learn mode explanations, CCNA exam prep
ChatGPT 5.4OpenAIOpenAI
OpenAI's GPT 5.4 model. A strong alternative perspective — useful when you want a second opinion on a design decision or a different explanation style for a concept you're struggling with.
Best for: Alternative perspective, second-opinion on designs
ChatGPT 5.5OpenAI LatestOpenAI
OpenAI's latest GPT 5.5 model. The most capable OpenAI option — applies to topology generation and tutoring. Requires an OpenAI API key configured on the server.
Best for: Latest OpenAI capability, complex reasoning tasks
How to switch models
Inside any lab, the model selector appears in the bottom-left corner of the chat input bar — it shows the current model name (e.g. Claude Sonnet 4.6). Click the dropdown to switch instantly. The change applies to the next message you send. Your selection persists across labs and browser sessions via localStorage.
Which model should I use?
CommandDescription
Building topologies quickly
Claude Sonnet 4.6 — fastest generation, great accuracy
Learning and CCNA exam prep
Claude Opus 4.8 — deepest explanations, most educational
Complex multi-site design
Claude Opus 4.8 — handles 30+ device topologies with precision
Exploring a different explanation
ChatGPT 5.4 or 5.5 — different style, useful for second opinions
Challenges
Any model — AI feedback is model-agnostic; Opus gives richer coaching
Click any device → Open Terminal. The panel slides up from the bottom of the canvas. Switching to a different device opens a fresh session.
CommandDescription
ping <ip>
4 ICMP packets with animated output and RTT min/avg/max. Uses BFS path through topology.
traceroute <ip>
Hop-by-hop path derived from topology graph. Cloud nodes add synthetic ISP hops.
show clock
Current UTC time in Cisco IOS format.
show version
OS version, uptime, memory, and hardware for the device type.
?
Show a categorized command reference table for the current device. Routers get 7 sections (Routing Protocols, Interfaces, Security/VPN, Services, High Availability, Advanced, General). Switches get 4 sections (Layer 2, Security, Advanced, General). Other devices show a flat list.
help
Alias for ? — same categorized command reference.
clear
Clear all terminal output.
exit
Close the terminal panel.
↑ / ↓
Navigate command history (last 50 commands).
Escape
Close the terminal.
Routers (and firewalls) support a full Cisco IOS configuration mode. Changes persist in the topology and immediately update show command output — just like a real device.
Entering and exiting
CommandDescription
configure terminal
Enter global configuration mode. Prompt changes to hostname(config)#
conf t
Short form of configure terminal
end
Exit from any configuration mode back to privileged (hostname#)
Ctrl+Z
Same as end — immediately returns to privileged mode
exit
In (config)#: return to privileged. In (config-if)#: return to (config)#
The prompt changes to reflect the current mode: hostname# → privileged, hostname(config)# → global config, hostname(config-if)# → interface config, hostname(config-line)# → line config (console / VTY).
Static routes — ip route
Add or remove static routes from global configuration mode. Routes appear immediately in show ip route as S entries and in show running-config.
CommandDescription
ip route <prefix> <mask> <next-hop>
Add a static route. Example: ip route 10.10.10.0 255.255.255.0 192.168.1.1
ip route <prefix> <mask> <next-hop> <ad>
Add with custom administrative distance.
no ip route <prefix> <mask>
Remove all static routes matching prefix and mask
no ip route <prefix> <mask> <next-hop>
Remove a specific route by prefix, mask, and next-hop
hostname <name>
Set the router hostname (updates canvas label)
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip route 10.10.10.0 255.255.255.0 192.168.1.1
Router(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.1 1
Router(config)# end
Router# show ip route
S 10.10.10.0/24 [1/0] via 192.168.1.1
S* 0.0.0.0/0 [1/0] via 10.0.0.1
Routing protocols
CommandDescription
router ospf <proc>
Enter OSPF process config. Use 'network' to advertise subnets, 'router-id' to set ID.
router eigrp <AS>
Enter EIGRP AS config. Acknowledges the command; used with 'show ip eigrp neighbors'.
router rip version 2
Enter RIPv2 config. Acknowledges the command; used with 'show ip rip database'.
router bgp <AS>
Enter BGP AS config.
High availability — HSRP / VRRP
CommandDescription
standby <grp> ip <vip>
Set HSRP group virtual IP on an interface. Example: standby 0 ip 10.0.0.254
standby priority <val>
Set HSRP priority (default 100). Higher value wins Active role.
standby preempt
Allow this router to reclaim Active when it recovers from failure.
IPv6
CommandDescription
ipv6 unicast-routing
Enable IPv6 routing globally.
ipv6 address <addr/prefix>
Assign an IPv6 address to the current interface. Example: ipv6 address 2001:db8::1/64
EtherChannel
CommandDescription
channel-group <id> mode active
Add interface to EtherChannel in LACP active mode.
channel-group <id> mode desirable
Add interface to EtherChannel in PAgP desirable mode.
Management services
CommandDescription
ntp server <ip>
Configure an NTP server. Reflected in 'show ntp status'.
logging <ip>
Send syslog to an external collector.
snmp-server community <str> RO
Add a read-only SNMP community string.
snmp-server community <str> RW
Add a read-write SNMP community string.
snmp-server host <ip> <community>
Configure an SNMP trap destination.
ip dhcp pool <name>
Create a DHCP address pool.
Interface configuration
Enter interface config mode to assign IP addresses, set descriptions, and control administrative state. Changes reflect in show ip interface brief.
CommandDescription
interface <name>
Enter interface config mode. Accepts full name or abbreviation — e.g. GigabitEthernet0/0 or Gi0/0
ip address <ip> <mask>
Assign an IP address to the interface
no ip address
Remove the configured IP address
no shutdown
Bring the interface up (administratively enabled)
shutdown
Bring the interface down (administratively disabled)
description <text>
Set a human-readable description for the interface
clock rate <bps>
Set clocking speed on a Serial DCE interface. Required on the DCE end for WAN links. Example: clock rate 64000
no clock rate
Remove the clock rate setting from the interface
Interface name abbreviations
GiGigabitEthernet
FaFastEthernet
TeTenGigabitEthernet
SeSerial
LoLoopback
TuTunnel
VlVlan
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown
%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to up
Router(config-if)# description WAN uplink to ISP
Router(config-if)# end
Router# show ip interface brief
GigabitEthernet0/1 192.168.1.1 YES NVRAM up up
IOS hardening commands are available in global configuration mode on routers. All settings persist in the topology and appear in show running-config.
Enable password & secret
enable secret uses an MD5 hash and takes precedence over enable passwordwhenever both are set. Always prefer enable secret on real devices.
CommandDescription
enable password <pw>
Set a plain-text enable password. Shown as cleartext in running-config unless service password-encryption is on.
enable secret <pw>
Set a type-5 (MD5) enable secret. Displayed as a hash in running-config. Takes precedence over enable password.
no enable password
Remove the enable password.
no enable secret
Remove the enable secret.
Password encryption
CommandDescription
service password-encryption
Encrypt all plaintext passwords in running-config using a weak reversible type-7 cipher. Applies to enable password and VTY/console passwords.
no service password-encryption
Disable type-7 encryption. Passwords already encrypted are NOT decrypted automatically.
Line passwords — console & VTY
Use line console 0 to secure direct console access and line vty 0 4 (or 0 15) to secure SSH/Telnet sessions. The prompt changes to hostname(config-line)#.
CommandDescription
line console 0
Enter line config mode for the physical console port.
line vty 0 4
Enter line config mode for virtual terminal lines 0–4 (5 simultaneous sessions).
line vty 0 15
Virtual terminal lines 0–15 (16 simultaneous sessions).
password <pw>
Set the login password for this line.
login
Require password authentication when connecting to this line.
no login
Allow connection without a password (not recommended).
transport input ssh telnet
Permit SSH and Telnet on VTY lines. Shown automatically in running-config.
IOS hardening precedence
If both enable password and enable secret are set, IOS ignores enable password entirely — enable secret always wins. Use service password-encryption to obfuscate type-7 passwords, but know it is reversible. For strong security only enable secret provides a one-way hash.
Full hardening example
Router# configure terminal
Router(config)# enable secret MySecret1
Router(config)# service password-encryption
Router(config)# line console 0
Router(config-line)# password ConsolePw
Router(config-line)# login
Router(config-line)# exit
Router(config)# line vty 0 4
Router(config-line)# password VtyPw
Router(config-line)# login
Router(config-line)# end
Router# show running-config
...
service password-encryption
enable secret 5 $1$mERr$hashed...
...
line console 0
password 7 04435B0A16
login
line vty 0 4
password 7 05120D0B04
login
transport input ssh telnet
Simulates a CISCO2911/K9. Routing tables, neighbors, and ARP are derived from the topology graph. All show commands below are available on any router device.
Interfaces & routing
CommandDescription
show ip interface brief
Interface summary — name, IP, OK, method, status, protocol.
show ip route
Routing table — C, S, S* (default), O (OSPF), B (BGP), D (EIGRP), R (RIP). Routes added via conf t appear instantly.
show ip protocols
Active routing protocols — OSPF area, EIGRP AS, metric weights, and route sources.
show ip ospf neighbor
OSPF neighbor table — neighbor ID, priority, state (FULL/DR), dead timer, address, interface.
show ip bgp summary
BGP peer summary — local AS, router ID, per-peer message and prefix counts.
show ip eigrp neighbors
EIGRP neighbor table — address, interface, hold time, uptime, SRTT, RTO, sequence.
show ip eigrp topology
EIGRP topology table — passive/active prefixes, successors, FD per prefix.
show ip rip database
RIPv2 database — directly connected and learned routes with metric and next-hop.
show arp
ARP cache — IP-to-MAC for directly connected neighbors.
show ip dhcp binding
DHCP binding table — assigned IPs, client MACs, lease expiration, type.
show ip dhcp pool
DHCP pool config — network, default router, DNS server, lease time.
show running-config
Full IOS config — hostname, interfaces, OSPF, static routes, logging, line config.
High availability
CommandDescription
show standby
HSRP status — group, priority, state (Active/Standby), active/standby IP, virtual IP.
show vrrp
VRRP group — state (Master/Backup), virtual IP, virtual MAC, advertisement interval, priority.
show glbp
GLBP group — AVG/AVF roles, virtual IP, forwarder MAC, active/standby routers.
IPv6
CommandDescription
show ipv6 interface brief
IPv6 interface summary — link-local (EUI-64 from MAC), status/protocol per interface.
show ipv6 route
IPv6 routing table — L (local), C (connected), S (static default).
Security & tunnels
CommandDescription
show crypto isakmp sa
IPsec Phase 1 — IKE SAs between this router and connected router neighbors. State QM_IDLE when up.
show crypto ipsec sa
IPsec Phase 2 — ESP SAs, SPI, encap/decap packet counts per peer.
show interface Tunnel0
GRE tunnel to cloud neighbor — source, destination, encapsulation, MTU.
show ssh
Active SSH sessions — connection ID, version, mode, encryption, state, username.
WAN
CommandDescription
show interface Serial0/0
Serial interface — PPP/HDLC encapsulation, LCP state, NCP open protocols.
show pppoe session
PPPoE sessions — session ID, remote MAC, port, virtual interface, state.
show mpls forwarding-table
MPLS label forwarding table — local/outgoing labels, prefix, bytes switched, egress interface.
show mpls ldp neighbor
LDP neighbor — peer identity, TCP connection state, uptime, discovery source.
show sdwan control connections
SD-WAN control plane — vSmart/vBond peer state and uptime.
Management
CommandDescription
show ntp status
NTP sync state — stratum, reference server, clock offset, root delay, loop filter.
show clock
Current UTC clock. Displays NTP as time source when configured.
show ntp associations
NTP peer table — reference clock, stratum, poll interval, reach, delay, offset, jitter.
show snmp
SNMP system info — chassis, contact, location, packet counters, community strings.
show logging
Syslog buffer — enabled state, facility, last 3 log entries with timestamps.
show netconf-yang sessions
Active NETCONF sessions — session ID, transport, username, source host, login time.
show restconf
RESTCONF status — enabled state, HTTPS port, active connections.
configure terminal
Enter global configuration mode. See Configure Mode section.
Route codes
CConnected
SStatic
S*Default route
OOSPF
BBGP
DEIGRP
RRIP
L3 Switch — Multilayer Switch
The Multilayer Switch (L3 Switch) operates at both Layer 2 and Layer 3 — modelled after the Cisco Catalyst 3650/3850. It runs the same CLI commands as a regular switch for Layer 2 features, plus the full router command set for routing (OSPF, BGP, EIGRP, static routes, HSRP) and the ? help command shows the Router section headings. Use it wherever you need inter-VLAN routing without a separate router.
L3 Switch vs. Router
Both support the same routing show commands. The L3 Switch sits at the Distribution or Core layer (canvas y=420) while routers sit at the WAN/Distribution layer (y=280). Connect Access switches below and a Firewall or Router above.
Simulates a WS-C3750E. VLAN tables, MAC tables, STP state, CDP/LLDP neighbors, and security bindings are derived from the topology.
VLANs & interfaces
CommandDescription
show ip interface brief
Physical interfaces (unassigned) + SVI interfaces. First VLAN SVI gets device IP.
show vlan brief
VLAN table — ID, name, status, ports. Includes reserved VLANs 1002–1005 as act/unsup.
show interfaces status
Per-port table — status (connected/notconnect), VLAN, duplex, speed, type.
show interfaces trunk
Trunk ports — mode, 802.1Q encapsulation, status, native VLAN, allowed VLANs.
show mac address-table
MAC table — VLAN, MAC address, type (DYNAMIC), port for each topology neighbor.
Spanning tree
CommandDescription
show spanning-tree
PVST+/RSTP state per VLAN — root election, bridge ID, timers, per-port role/state/cost.
Discovery protocols
CommandDescription
show cdp neighbors
CDP table — device ID, local interface, holdtime, capability, platform, remote port.
show lldp neighbors
LLDP brief table — device ID, local interface, hold time, capability, port ID.
show lldp neighbors detail
LLDP full detail — chassis ID, system name, description, management address.
EtherChannel
CommandDescription
show etherchannel summary
Port-channel — group, protocol (LACP/PAgP), bundled ports with flags (P=bundled, D=down).
show pagp neighbor
PAgP neighbor table — partner name, device ID, port, age, flags, capabilities.
Security
CommandDescription
show port-security
Port security summary — max addresses, current count, violation count, action (Shutdown).
show ip dhcp snooping
DHCP snooping status — enabled VLANs, option 82 settings, trusted/untrusted interfaces.
show ip dhcp snooping binding
DHCP snooping binding table — MAC, IP, lease time, type, VLAN, interface.
show ip arp inspection
DAI per-VLAN stats — forwarded and dropped ARP packets.
show ip arp inspection statistics
DAI statistics — SMAC/TMAC failure counts per VLAN.
show ip verify source
IP Source Guard bindings — interface, filter type (ip-mac), mode, IP, MAC, VLAN.
Management & PoE
CommandDescription
show snmp
SNMP system info — chassis, contact, location, community strings.
show logging
Syslog buffer — enabled state and recent log entries including STP topology changes.
show power inline
PoE status — available/used/remaining watts, per-port admin/oper state, connected device class.
show running-config
Full switch config — VLANs, trunk/access ports, SVIs, spanning-tree mode, port security.
STP port roles
CommandDescription
Desg FWD
Designated Forwarding — active, forwarding frames
Root FWD
Root Forwarding — best path toward root bridge
Altn BLK
Alternate Blocking — loop prevention, discarding
Firewall — Cisco ASA 9.16
Interfaces mapped to outside / inside / DMZ zones. ACLs and NAT entries are derived from server neighbors in the topology.
Interfaces & traffic
CommandDescription
show interface
Per-interface block — nameif, security level, IP, MAC, BW, traffic stats.
show access-list
ACL entries with hit counts — OUTSIDE_IN permits HTTP/HTTPS to servers, denies all else.
show nat translations
NAT table — inside global, inside local, outside local, outside global.
show conn
Active TCP/UDP connection table — source, destination, state.
show route
ASA routing table — connected, static, and OSPF routes.
AAA & authentication
CommandDescription
show aaa servers
AAA server groups — RADIUS and TACACS+ servers with timeout and retry settings.
show aaa sessions
Active AAA sessions — username, source IP, auth type, server used, session duration.
show radius server-group all
RADIUS server statistics — requests, accepts, rejects, timeouts, server state.
show tacacs
TACACS+ statistics — opens, closes, aborts, errors, packets in/out, server state.
show ssh
Active SSH sessions — connection ID, source IP, username, session duration.
show logging
Syslog buffer — enabled state, facility, trap level, recent log entries.
show ip dhcp snooping
DHCP snooping status — trusted interfaces for DHCP reply forwarding.
show running-config
Full ASA config — interfaces, nameif, security-level, ACLs, NAT, logging.
Security levels
CommandDescription
inside — 100
Fully trusted. Outbound flows freely. Inbound must be explicitly permitted.
dmz — 50
Semi-trusted. Accessible from inside. Traffic to inside must be permitted.
outside — 0
Untrusted. All inbound denied unless explicitly permitted by ACL.
Server & Workstation — Linux
Prompt style: hostname:~$. Workstations have fewer open ports than servers.
Networking
CommandDescription
ip addr show
Interfaces — loopback, primary NIC with IP/CIDR/broadcast, MAC, IPv6 link-local.
ip route
Default route via gateway and connected subnet.
ifconfig
BSD-style interface summary — inet, netmask, broadcast, ether.
ss -tulpn
Listening sockets. Servers: 22, 80, 443, 3306, 53. Workstations: 22 only.
netstat -rn
Kernel routing table in numeric format.
nslookup <domain>
DNS lookup. Known domains resolve correctly. Unknown domains get a deterministic IP.
cat /etc/resolv.conf
DNS config — nameservers 8.8.8.8 and 1.1.1.1, search domain corp.local.
Application layer protocols
CommandDescription
ftp <host>
Connect via FTP — shows vsFTPd 3.0 banner, anonymous login, binary mode.
tftp <host>
Connect via TFTP on port 69.
telnet <host> 25
SMTP banner — Postfix 220, EHLO handshake, STARTTLS, AUTH methods.
telnet <host> 110
POP3 banner — Dovecot +OK ready response.
telnet <host> 143
IMAP banner — Dovecot IMAP4rev1 ready.
telnet <host> 80
HTTP — shows nginx 200 OK response with headers.
Management
CommandDescription
ntpdate <server>
Synchronize clock with NTP server — shows step time and offset.
ntpq
NTP peer table — reference clock, stratum, poll, reach, delay, offset, jitter.
snmpwalk <host>
Walk SNMP OIDs — sysDescr, sysUpTime, sysContact, sysLocation.
snmpget <host>
Get a specific SNMP OID value.
logger <message>
Send a message to syslog.
journalctl
View systemd journal — SSH logins, kernel events, service starts.
whoami
root (server) or user (workstation).
hostname
Device hostname derived from label.
uname -a
Linux kernel version string.
Endpoints — Laptop, Phone, Tablet
Three mobile endpoint types are available in the Endpoints category of the device palette. All three share the same Linux shell CLI as Workstations and Servers.
Laptop
Mobile employee endpoint. Supports 802.1X port authentication, corporate VPN client, and wired or wireless connection.
Phone
Dual role: IP phone (PoE-powered, SIP/SCCP protocols) or smartphone (WPA2/WPA3 WiFi, BYOD VLAN).
Tablet
BYOD tablet. Place on a guest or BYOD VLAN, apply MDM policies, and associate to an access point.
Phones, Laptops, and Tablets appear at the endpoint layer of the canvas (y=700) alongside Workstations and Servers. Connect them to Access Points for wireless or to Switches for wired. The AI will automatically place them in the correct VLAN when you describe the network.
Represents an ISP or internet uplink. Runs BGP. Traceroute injects 2 synthetic ISP hops (198.51.100.x) before internal devices.
CommandDescription
show ip bgp
Full BGP RIB — default route originated locally + prefixes from connected routers.
show ip bgp summary
BGP peer summary — router ID, local AS, per-peer message and prefix counts.
traceroute <ip>
Adds 2 synthetic ISP hops before topology path for realism.
Cisco IOS lightweight AP. SSIDs: CORP_WIFI and CORP_WIFI_5G. Connected workstation neighbors appear as wireless clients.
CommandDescription
show dot11 associations
Client table — MAC, age, signal strength (dBm), IP, SSID for each connected workstation.
show interface BVI1
Bridge Virtual Interface — IP, MAC, MTU, BW, DHCP helper.
show running-config
Full AP config — dot11 SSIDs, WPA2 keys, radio interfaces, bridge groups.
HAProxy-style interface. Backend health reflects topology — devices marked broken show as DOWN.
CommandDescription
show server-pool status
Backend health — per-server UP/DOWN with last check time. Broken = DOWN (timeout).
show connections
Active session count, total requests, bytes in/out, frontend status.
show running-config
Full HAProxy config — global, defaults, frontend, http_back, api_back, stats.
WLC — Cisco Wireless LAN Controller
Wireless LAN Controllers centrally manage Access Points over CAPWAP tunnels. Add a WLC from the canvas palette and connect it to Access Point devices — CAPWAP tunnels, AP registrations, and client tables are all derived from the topology.
CommandDescription
show wlan summary
WLAN profiles — ID, profile name, SSID, status, security type (WPA2-Enterprise / WPA2-Personal).
show ap summary
Registered APs — name, model, Ethernet MAC, IP, state (Registered), client count.
show client summary
All wireless clients — MAC, IP, associated AP, WLAN ID, state (Assoc), protocol (802.11ac).
show capwap tunnel
CAPWAP tunnel state — AP name, AP IP, WLC IP, control/data channel state (UP), uptime.
show interface summary
WLC interfaces — management and AP-manager with IP, type, VLAN, AP-manager flag.
show mobility summary
Mobility domain — protocol port, security mode, domain name, member list.
show license
License type (Base), AP count licensed vs. in use, authorization status.
CAPWAP vs. autonomous APs
In this simulation, Access Points connected to a WLC operate in Lightweight mode — the AP forwards all traffic to the WLC for processing. The WLC owns SSID profiles, security keys, and client authentication. APs not connected to a WLC operate in autonomous mode with their own local config.
CommandDescription
Delete / Backspace
Delete selected node(s) or edge(s) on the canvas
Shift + click
Add to current selection (multi-select)
Click empty area
Deselect all
↑ / ↓ in terminal
Cycle command history (last 50 commands)
Ctrl+Z in terminal
Exit from any configure mode back to privileged prompt
Escape in terminal
Close the terminal panel
Enter in edit field
Save label or IP address edit
Escape in edit field
Cancel the edit
Challenges present a broken network topology and ask you to diagnose the fault. Open the terminal on affected devices, run show commands to investigate, and submit your answer.
Challenges are available from the Challenges page. Each challenge has a difficulty rating (Easy / Medium / Hard) and a symptom description. Use the terminal to find which device is misconfigured and why.
Available challenges
CommandDescription
Silent VLAN (Easy)
Inter-VLAN routing fails. Missing SVI or ip routing command on Layer 3 switch.
Routing Loop (Medium)
traceroute cycles between two branch routers. Conflicting static routes.
Firewall Blackhole (Hard)
DMZ web server unreachable. Missing HTTP/HTTPS permit rules in firewall ACL.
OSPF Area Mismatch (Medium)
OSPF stuck in EXSTART. One router configured with wrong area number.
HSRP Split Brain (Hard)
Both routers claiming HSRP Active. Missing standby preempt on higher-priority router.
VLAN Hopping (Hard)
Layer 2 bypass attack. Native VLAN set to a data VLAN enabling double-tagging.
DHCP Snooping Block (Medium)
DHCP fails after enabling snooping. Uplink port not marked as trusted.
Wireless Auth Fail (Medium)
WPA2 4-way handshake MIC error. PSK mismatch between WLC profile and client.
Diagnostic approach
CommandDescription
ping <target-ip>
Start here — confirm reachability from the affected device
traceroute <target-ip>
Find where packets stop — the hop before the * is the problem
show ip route
Check routing table — missing or incorrect routes cause drops
show ip interface brief
Check for interfaces that are admin-down or line-protocol down
show spanning-tree
Look for ports stuck in BLK state that should be forwarding
show access-list
Check hit counts — unexpectedly high deny hitcnt reveals blocked traffic
show standby
Check HSRP state — both routers Active = split brain
show ip dhcp snooping
Check trusted interfaces when DHCP stops working after enabling snooping
show capwap tunnel
Verify AP-to-WLC CAPWAP is UP when wireless clients fail to associate
All CCNA exam protocols and technologies, grouped by category. Each shows whether it is fully simulated via interactive CLI commands in this lab.
Layer 3 — Routing
OSPFEIGRPBGPRIPv2Static RoutesDefault RoutesFloating StaticRoute Redistribution
Layer 2 — Switching
STPRSTPPVST+VLANs802.1Q TrunkingEtherChannelLACPPAgPCDPLLDP
IP Addressing
IPv4IPv6CIDRVLSMNATPATDHCPDNS
Security
Standard ACLsExtended ACLsPort SecurityAAARADIUSTACACS+DHCP SnoopingDAIIP Source GuardIPsecGRESSH
WAN & Connectivity
PPPPPPoEMPLSHDLCSD-WANDSLCableFiber
Wireless
802.11a/b/g/n/ac/axWPA2WPA3CAPWAPWLC
High Availability
HSRPVRRPGLBP
Network Fundamentals
ARPICMPHSRPQoSDSCPPoEOSI ModelTCP/IP Model
Automation & Programmability
REST APIJSONYANGNETCONFRESTCONFAnsiblePuppetChefSDN
Transport & Application
TCPUDPHTTPHTTPSSMTPPOP3IMAPFTPTFTPSNMPNTPSyslog
Most issues in Securedy Labs are caused by configuration on the canvas or in the terminal — not a bug in the platform. Work through the steps below before reaching out to support.
Can't sign in
CommandDescription
Wrong password
Passwords are case-sensitive. Use the Forgot password? link on the login page to receive a reset email. Check your spam folder if it doesn't arrive within a few minutes.
Signed up with Google
If you created your account with Continue with Google, you must always sign in that way — entering your Google email as a regular password will fail.
New account, can't log in
Check your inbox for a verification email from Securedy Labs. You must verify before your first login. Check spam/promotions if it's missing.
Login page loops or errors
Clear your browser cookies and cache for securedy.ai, then try again. Alternatively open an incognito/private window.
Browser extension blocking
Ad blockers, privacy shields, or VPN extensions can interfere with authentication. Disable them for securedy.ai or try a different browser.
Still locked out
Email support@securedy.ai with the email address you signed up with and a description of what you see.
How to troubleshoot general issues
CommandDescription
Reload the page first
Most transient glitches — canvas not rendering, AI chat unresponsive, terminal not opening — resolve with a hard reload (Cmd/Ctrl + Shift + R).
Try incognito mode
Isolates the issue from browser extensions and cached state. If it works in incognito, a browser extension is the likely culprit.
Try a different browser
Securedy Labs is tested on Chrome, Firefox, Edge, and Safari. If one browser misbehaves, try another to confirm whether it's browser-specific.
Check the browser console
Open DevTools (F12 → Console tab). Red errors there give the clearest signal of what went wrong. Include them in any support request.
Zoom out on the canvas
If you can't see devices, press the fit-view button (bottom of the device palette). Devices may have been placed far off-screen.
Common issues (user-side)
These are the most frequent problems reported by users — all caused by a configuration step being missed rather than a platform fault.
CommandDescription
ping / traceroute fails between two devices
The devices must be linked on the canvas. Hover a device until the connection handles appear, then drag a cable to the target. No cable = no path.
Interface is down — ping fails despite a cable
The interface may be administratively disabled. Open the terminal, enter configure terminal, then run no shutdown on the interface. Verify with show ip interface brief.
AI built the wrong topology
Prompts like 'build a network' are too vague. Be specific: device types, counts, IP ranges, and role. Example: Build a small office with a Cisco firewall, a core switch, two access switches, and 10 workstations on 192.168.10.0/24.
Wrong CLI commands on a device
Each device type has its own command set. Cisco IOS commands (show ip route, conf t) only work on routers, L3 switches, and firewalls. Servers use Linux commands (ip addr show, ss -tulpn). Check the relevant section in these docs.
Terminal won't open
You must click directly on a device node on the canvas, not on an empty area or a cable. The Open Terminal button appears in the Device Inspector on the right.
Can't connect two devices
Connection handles only appear when you hover slowly over the edge of a node. Drag from the small circle that appears to another device. Duplicate links are rejected — if the two devices are already connected, a second cable will not be added.
OSPF / BGP neighbors not forming
The most common cause is mismatched area numbers (OSPF) or AS numbers (BGP) between the two routers. Run show ip ospf neighbor or show ip bgp summary to confirm. Fix with router ospf <proc> and the correct network statement.
show running-config looks empty
Commands entered without first running configure terminal are not saved. Always enter conf t before making configuration changes. Use end or Ctrl+Z to return to privileged mode.
File attachment won't upload
Attachments must be JPEG, PNG, PDF, plain text, or .pkt (Packet Tracer) and must be under 10 MB. Compressed archives (.zip, .docx) are not supported — convert to PDF or plain text first.
Canvas is very slow with many devices
Large topologies (50+ nodes) may feel sluggish on lower-powered machines. Use the AI to describe sub-sections one at a time rather than building everything in one prompt.
When reporting a bug
Include: the browser and OS you're using, the exact steps you took, and any error text from the browser console (F12 → Console). A screenshot is often faster than a description.
If you've worked through the troubleshooting steps above and still need help, the support team is available by email.
Email support
support@securedy.aiResponse time is typically within one business day. Include your account email, browser, OS, and a description of the issue — or a screenshot if something looks wrong.
What to include in your message
CommandDescription
Account email
The email address you use to sign in to Securedy Labs.
Browser and OS
For example: Chrome 124 on macOS 14, or Firefox on Windows 11.
Steps to reproduce
What you were doing when the issue occurred. The more specific the better.
Error message
Copy any red text from the browser console (F12 → Console) or from an error banner in the app.
Screenshot or recording
A screenshot is often faster to diagnose than a written description. Attach it directly to the email.