Posted on August 7, 2020 7:56 pm
 |  Asked by CLAUDIA DE LUNA


In Cisco ACI, policy is applied to EndPoint Groups, so that the policy is abstracted away from an endpoint's IP address. Is there an equivalent capability with an Arista infrastructure, both in the data center and in the campus?

Thank you,


Posted by Vignesh
Answered on August 10, 2020 9:15 pm

Hi Claudia,

May I know what kind of policy you are referring to? It would be great if you could elaborate on the policy specifics so that we can help you with the matching Arista solution for the same.



Posted by Alexis Dacquay
Answered on August 11, 2020 9:54 am

Hi Claudia,

Yes, but not the same way.

Abstracting the very low-level details can be easily achieved with Arista CloudVision, or with Ansible and other 3rd party tools. Both can work together too (Ansible + CloudVision).

It allows you to apply network policy logic using groups of resources, whether IP addresses, MAC addresses, subnets, prefixes, ACL entries, ports, etc.

Those "groups" are not only abstracting End-Points, but any potential bit of configuration.

Then use those logical resources to follow your network specifications.

In the end, the result would be the same as if it was configured line by line in CLI, or with API instructions, but from an automation perspective, the solution does indeed use logical resource groups. There is no formal name for an "endpoint group" that abstracts those low-level details, because there are many more resources than just "end points".

I will give you an example:

  • All the MAC addresses in VLAN 10 are a group "vlan-10-mac-addresses"
  • All the MAC addresses in VLAN 20 are in "vlan-20-mac-addresses"
  • All the local subnets in VRF "Customer Blue" are in a group "vrf-blue-subnets"
  • Filtering rules, routing policies, QoS templates, interface details at Layer1 or 2 (speeds, trunks, etc), everything is just a resource.

The policy logic then just consumes those and applies them in the management plane, control plane, and data plane, wherever the actions are executed.


Because the automation logic involves some software intelligence, and consumes, manipulates and polices the aforementioned network "resources" as if they were software resources (variables), you may find such a solution described as "Infrastructure as Code".


The simplest answer to your original question was indeed "Yes, but not the same way."

The longer and fullest answer to that, just like an answer to "how does ACI work", isn't a one-liner: there are lots of details to cover, especially when considering the most important aspect of the topic:

What do you need to do?
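The resource-group idea in the answer above, as an added illustration that is not CloudVision, Ansible or Arista code: group names follow the post's examples (only the subnet group is used), the prefixes are constructed documentation-style addresses, and the rendered line syntax is a generic ACL-style notation assumed for the example, not exact EOS CLI. The point it shows is that moving an endpoint subnet changes only its group membership, while the policy rule referencing the group stays untouched; it also adds the check a practitioner wants before rendering, flagging a prefix that sits inside a prefix belonging to a different group, since such overlaps are where one policy silently shadows another.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Inventory:
    """Named resource groups; here each member is an IP prefix (constructed data)."""

    groups: dict[str, set[str]] = field(default_factory=dict)

    def add(self, group: str, *prefixes: str) -> None:
        for p in prefixes:
            ip_network(p, strict=True)  # reject malformed or host-bit-set prefixes early
            self.groups.setdefault(group, set()).add(p)

    def remove(self, group: str, prefix: str) -> None:
        self.groups[group].discard(prefix)

    def members(self, group: str) -> list[str]:
        # Deterministic order so two renders of the same inventory are diffable.
        return sorted(self.groups.get(group, ()), key=ip_network)


@dataclass(frozen=True)
class Rule:
    """A policy expressed between groups, never between individual addresses."""

    acl: str
    action: str  # "permit" or "deny"
    src_group: str
    dst_group: str


def render(inv: Inventory, rules: list[Rule]) -> list[str]:
    """Expand group-level rules into address-level filter lines.

    Output uses an assumed generic ACL-style notation for the illustration.
    """
    by_acl: dict[str, list[Rule]] = {}
    for r in rules:
        by_acl.setdefault(r.acl, []).append(r)
    lines: list[str] = []
    for acl, acl_rules in by_acl.items():
        lines.append(f"ip access-list {acl}")
        seq = 10
        for r in acl_rules:
            for src in inv.members(r.src_group):
                for dst in inv.members(r.dst_group):
                    lines.append(f"   {seq} {r.action} ip {src} {dst}")
                    seq += 10
    return lines


def overlapping_members(inv: Inventory) -> list[tuple[str, str, str]]:
    """Return (group, prefix, other_group) for every prefix contained in a
    prefix of a different group. Equal prefixes in two groups appear twice."""
    items = [(g, ip_network(p)) for g, ps in inv.groups.items() for p in ps]
    found = []
    for g1, n1 in items:
        for g2, n2 in items:
            if g1 != g2 and n1.version == n2.version and n1.subnet_of(n2):
                found.append((g1, str(n1), g2))
    return sorted(found)


def demo() -> tuple[list[str], list[str]]:
    """Render once, move a subnet between groups, render again."""
    inv = Inventory()
    inv.add("vrf-blue-subnets", "10.10.0.0/24", "10.10.1.0/24")
    inv.add("shared-services", "10.200.0.0/24")
    rules = [Rule("BLUE-TO-SHARED", "permit", "vrf-blue-subnets", "shared-services")]
    before = render(inv, rules)
    # The endpoint subnet is renumbered: only group membership changes.
    inv.remove("vrf-blue-subnets", "10.10.1.0/24")
    inv.add("vrf-blue-subnets", "10.10.5.0/24")
    after = render(inv, rules)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("\n".join(before))
    print("--- after renumbering ---")
    print("\n".join(after))
```

Running the block prints the two renders; the second differs from the first only in the line for the moved prefix, while `rules` was never edited. In practice the rendered lines are what you would diff against the device's running configuration, and `overlapping_members` is the kind of pre-render check that catches a prefix accidentally placed in two groups with conflicting actions.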