EOS session recording
Every EOS CLI session captured — configuration mode, commit-confirmed sessions, rollback events, EVPN configuration, multi-agent management plane. Searchable text fleet-wide.
Arista is the dominant data centre switching platform for cloud-native and EVPN/VXLAN environments. Innovexus brokers SSH and eAPI sessions to every EOS-based device — no agent, no CloudVision Portal dependency, no MOS plugin. Sessions are recorded, credentials rotate on schedule, configurations are baselined and diffed.
Innovexus is agentless from the EOS device perspective. Connection is via SSH (preferred) for CLI and eAPI HTTPS for programmatic access. Anything that authenticates against TACACS+, RADIUS, or local EOS users is in scope.
Most Arista fleets are running through Innovexus within 1 business day. EOS's clean Linux-derived configuration model and standard AAA make integration straightforward.
Pull existing local admin credentials from EOS devices. Vault them. The Innovexus pod takes over as source of truth; rotation runs on schedule via standard `username ... secret` config updates.
Add the Innovexus pod's outbound IP to your management ACLs (`ip access-list` applied to the management VRF, or your jump-host equivalent). Existing TACACS+/RADIUS continues to handle AAA at the device level.
Map your EOS role profiles (network-admin, network-operator, custom roles) to Innovexus role definitions. Engineers see only devices and roles their Innovexus role permits.
Session recording captures the full EOS CLI experience including configuration mode, commit-confirmed sessions, and rollback events. Configuration drift collection uses `show running-config` for clean diffs.
Engineers log into Innovexus with their FIDO2 hardware key, click into an Arista device, and the brokered SSH session opens with the assigned role. Recording, audit, and credential lifecycle operate automatically.
Local admin credentials, TACACS+ shared secrets, RADIUS keys, and eAPI HTTPS credentials rotate on schedule. EOS's clean configuration model makes rotation low-risk.
Management ACLs ensure Arista devices accept connections only from the Innovexus pod IP. Lost engineer endpoints cannot connect directly.
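One way to verify that restriction from a collected `show running-config`, as an added example (not Innovexus or Arista code). The pod address 192.0.2.10, the ACL name MGMT-SSH, the VRF name MGMT and the function names are assumptions made for illustration.

```python
import re

POD_IP = "192.0.2.10"  # assumed pod address (RFC 5737 documentation range)

def parse_blocks(config):
    """Group an EOS running-config into {top-level line: [child lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0] != " ":
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_ssh_acl(config, pod_ip=POD_IP):
    """Return findings; an empty list means SSH is limited to pod_ip.
    Handles extended 'ip access-list NAME' ACLs only."""
    blocks = parse_blocks(config)
    names = {m.group(1) for child in blocks.get("management ssh", [])
             if (m := re.match(r"ip access-group (\S+)(?: vrf \S+)? in$", child))}
    if not names:
        return ["management ssh has no inbound ip access-group"]
    findings = []
    for name in sorted(names):
        entries = blocks.get(f"ip access-list {name}")
        if entries is None:
            findings.append(f"ACL {name} is referenced but not defined")
            continue
        for entry in entries:
            m = re.match(r"(?:\d+ )?permit \S+ (host \S+|\S+)", entry)
            if m and m.group(1) not in (f"host {pod_ip}", f"{pod_ip}/32"):
                findings.append(f"ACL {name}: '{entry}' permits source {m.group(1)}")
    return findings

# Constructed sample: sequence 20 is a leftover rule wider than the pod.
SAMPLE = """\
ip access-list MGMT-SSH
   10 permit tcp host 192.0.2.10 any eq ssh
   20 permit tcp 10.0.0.0/8 any eq ssh
   30 deny ip any any
!
management ssh
   ip access-group MGMT-SSH vrf MGMT in
"""

if __name__ == "__main__":
    for finding in audit_ssh_acl(SAMPLE):
        print(finding)
```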
Continuous baseline collection. Drift detected outside approved sessions fires an alert. Approved-change baseline promotion via the brokered-session workflow.
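A sketch of drift detection over two `show running-config` captures, as an added example (not Innovexus code). The sample configs are constructed, and the rule for tying drift to an approved session window is an assumption, not the product's documented logic.

```python
from datetime import datetime

def config_paths(config):
    """Flatten indented EOS config into full paths such as
    'interface Ethernet1 > switchport access vlan 20'."""
    paths, stack = set(), []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines, '!' separators and the '! Command:' header
        depth = (len(raw) - len(raw.lstrip(" "))) // 3  # EOS indents by 3 spaces
        stack[depth:] = [raw.strip()]
        paths.add(" > ".join(stack))
    return paths

def drift(baseline, current):
    old, new = config_paths(baseline), config_paths(current)
    return {"added": sorted(new - old), "removed": sorted(old - new)}

def classify(baseline, current, prev_collected, collected, sessions):
    """sessions: (start, end) of approved brokered sessions on this device.
    Assumed rule: drift is attributable only if a session overlaps the
    interval between the previous collection and this one."""
    delta = drift(baseline, current)
    if not (delta["added"] or delta["removed"]):
        return "clean", delta
    overlaps = any(s <= collected and e >= prev_collected for s, e in sessions)
    return ("review-against-recording" if overlaps else "alert"), delta

# Constructed sample configs (not from a real device).
BASELINE = """\
! Command: show running-config
hostname leaf1
username admin privilege 15 role network-admin secret sha512 <redacted>
!
interface Ethernet1
   switchport access vlan 10
"""
CURRENT = BASELINE.replace("vlan 10", "vlan 20").replace(
    "!\ninterface",
    "username temp privilege 15 role network-admin secret sha512 <redacted>\n!\ninterface")

if __name__ == "__main__":
    t = lambda h, m: datetime(2024, 1, 15, h, m)
    print(classify(BASELINE, CURRENT, t(10, 0), t(11, 0), [(t(9, 0), t(9, 30))]))
```

Reporting each changed line with its parent section shows which interface or block moved, and a new privileged local user appears as its own added path.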
Automation tools (Ansible, custom scripts using pyeapi) authenticate against EOS using vault-issued short-lived eAPI credentials retrieved through the Innovexus platform API. Both interactive and automated paths logged to the unified audit trail.
Network monitoring and security operations alongside PAM. Same console, one audit trail, one tier price.
Direct, sourced answers about how Innovexus integrates with this vendor's platforms.
No. The integration is direct via SSH using EOS's standard AAA primitives. CVP, CloudVision-as-a-Service, and Arista MOS Server (or successors) are not dependencies. If you run CVP for orchestration, Innovexus runs alongside it — we handle privileged human and vendor access; CVP handles automation, telemetry, and orchestration.
Commit-confirmed sessions are recorded as a single continuous session through to either manual confirmation or automatic rollback timeout. Rollback events are captured as discrete audit entries. EOS's configuration session model maps cleanly to Innovexus's session recording — the rollback timeline is part of the audit evidence.
Yes. Innovexus is fabric-topology agnostic — we connect via SSH to whichever Arista devices you put in scope, regardless of EVPN role (spine, leaf, super-spine). The integration doesn't depend on or interfere with the EVPN control plane. Configuration drift detection works across the entire fabric.
Yes. The vault holds the eAPI HTTPS credentials, and automation tools retrieve short-lived tokens via the Innovexus platform API. The benefit: automation engineers don't hold long-lived eAPI credentials in their environments, and every eAPI authentication event is in the unified audit trail.
Brokered SSH management sessions typically add 5–20 ms at the management plane. This applies to administrative SSH/CLI sessions only. Data-plane forwarding latency on 7130 platforms — the reason you have 7130 in the first place — is completely unaffected. Innovexus does not sit in the data path.
CVP supports SAML SSO with any SAML 2.0 identity provider. When integrated, engineers authenticate to CVP through Innovexus identity, which provides hardware-rooted MFA at the platform login. The CVP audit trail attributes every CVP action to the engineer's FIDO2-authenticated identity. CVP-mediated configuration changes still flow through CVP's own change tracking; Innovexus complements it with the brokered-session view.
Vault EOS credentials for one device class, allowlist the pod IP, point engineers at it. First brokered session within an hour. 5-day trial, no card required.