Simplified network segmentation with dynamic partner integrations

SANTA CLARA, Calif., -- February 2nd, 2021 -- Arista Networks (NYSE:ANET) today announced a new zero trust security framework for today's digital enterprise. Arista Multi-Domain Macro-Segmentation Service is a suite of capabilities for integrating security policy with the network through an open and consistent network segmentation approach across network domains. Enabled through Arista EOS® (Extensible Operating System) and CloudVision® capabilities, the latest Arista MSS® (Macro-Segmentation Service) functionality includes a new group segmentation approach, MSS-Group, intended to simplify access control for users and IoT devices in today’s enterprise workspaces.

"Security and networking are coming together. Arista's zero trust strategy relies heavily on analytics and AI to identify mal-intent and is well positioned to capture what could be the biggest transition I've seen in networking,” said Zeus Kerravala, Founder and Principal Analyst at ZK Research.

Zero Trust Security in a Cloud and IoT World

Traditional network security architectures guarded users only at the borders. This approach is no longer sufficient with distributed users and a myriad of IoT endpoints in today’s enterprise. A zero trust architecture that assumes no user or thing can have free run of the network is needed to secure modern networks. Zero trust never trusts without verification, restricts access to only required connections and then continually monitors for good behavior. In this new decade, the implicit trust associated with network location needs to be replaced with continuous, proactive network monitoring with behavioral-based situational analysis for asset visibility and rapid incident response. Arista’s zero trust security approach is designed to address this evolution, combining network-based multi domain segmentation, situational awareness and visibility for all network resources, and AI-driven network detection and response.

IoT-ready Group Segmentation

Secure segmentation grouping needs to be defined based on functional roles, such as cameras or DVRs, across enterprise workspaces and independent of traditional network addressing constructs. In addition, any network solution needs to be based on an open framework that allows for deployment in both greenfield and brownfield deployments.

Arista is introducing MSS-Group as a new network segmentation service for controlling authorized network communication between groups. Available on EOS-based switches, MSS-Group implements security policy enforcement based on logical groups rather than traditional approaches based on interfaces, subnets or physical ports. MSS-Group is built on an efficient data plane enforcement mechanism, avoiding the limitations of vendor lock-in solutions that utilize proprietary hardware tags and are limited by inefficient hardware resource mappings. The MSS-Group solution leverages CloudVision, the same management plane platform for multi-domain automation, telemetry and analytics, for security policy management and visibility. In addition, the MSS-Group solution is most powerful when CloudVision integrates with a dynamic identity provider through available APIs.

Arista has partnered with Forescout in building such a solution that streamlines policy design and management. Organizations can use Forescout eyeSegment to automatically apply real-time context to associate each connected device with its relevant security segmentation group, easily design and monitor group-based policies and communicate the appropriate segmentation policies to CloudVision. CloudVision is then responsible for the dynamic orchestration of the required policy to the Arista switches for enforcement.

Arista Multi-Domain Segmentation

Arista Multi-Domain Segmentation converges the network with security across the campus to data center to cloud. The solution avoids the proprietary siloed architectures from incumbent vendors.

With multi-domain and network-security convergence as the goal, Arista is also enhancing MSS for enterprise edge firewall and data center virtualization use cases, delivering comprehensive segmentation solutions for enterprise-wide use cases.

MSS Firewall provides security service insertion, allowing flexible placement of firewall policy across DMZ edge, data center and campus networks. Leveraging open-standards network constructs, MSS Firewall dynamically steers traffic to the firewall policy enforcement point, extending security policy enforcement to address broader traffic patterns. Using the same CloudVision orchestration, MSS Firewall integrates with Palo Alto Networks and other leading firewall solutions from Arista’s security partner ecosystem.

MSS Host is a data center focused solution where security policies are extended from the virtualized host to the physical network. Through an API integration between CloudVision and VMware NSX platform, MSS Host extends NSX micro-segmentation policies to bare-metal workloads.

Arista enables solutions through a broad set of security ecosystem partner integrations with Aruba, Forescout, Palo Alto Networks, VMware, and Zscaler (see industry support here). In addition to advanced MSS-based dynamic segmentation services, Arista continues to support broad network segmentation models such as VXLAN/EVPN, VRFs, VLANs, and Access Control Lists.


MSS Firewall and MSS Host functionality are shipping as part of Arista CloudVision. The MSS-Group functionality will be available for trials in Q1’21.

Register here to learn more about Arista’s multi-domain segmentation solution at our webinar on March 18th, 2021.

Read more about this announcement on Jayshree Ullal's blog here.

About Arista Networks

Arista Networks is an industry leader in cognitive cloud networking solutions for large data center and campus environments. Arista’s award-winning platforms deliver availability, agility, automation analytics, and security through CloudVision® and Arista EOS®, an advanced network operating system. For more information, visit

ARISTA, CloudVision, CloudEOS and MSS are among the registered and unregistered trademarks of Arista Networks, Inc. in jurisdictions around the world. Other company names or product names may be trademarks of their respective owners. Additional information and resources can be found at This press release contains forward-looking statements including, but not limited to, statements regarding cost savings, performance, reliability, security and efficiency. All statements other than statements of historical fact are statements that could be deemed forward-looking statements. Forward-looking statements are subject to risks and uncertainties that could cause actual performance or results to differ materially from those expressed in the forward-looking statements, including rapid technological and market change, customer requirements and industry standards, as well as other risks stated in our filings with the SEC available on Arista's website at and the SEC's website at Arista disclaims any obligation to publicly update or revise any forward-looking statement to reflect events that occur or circumstances that exist after the date on which they were made.

Media Contact
Amanda Jaramillo
Corporate Communications
Tel: (408) 547-5798
This email address is being protected from spambots. You need JavaScript enabled to view it.

Investor Contact
Charles Yager
Product and Investor Development 
Tel: (408) 547-5892
This email address is being protected from spambots. You need JavaScript enabled to view it.

The links above are for the viewer’s convenience, and Arista has not reviewed and is not responsible for their content.