Another Reason to Run Linux on Your Data Center Switches

Arista’s OpenFlow implementation doesn’t support TLS encryption. Usually that’s not a big deal, as there aren’t that many customers using OpenFlow anyway, and those that do hopefully do it over a well-protected management network.

However, lack of OpenFlow TLS encryption might become an RFP showstopper… not because the customer would really need it but because the customer is in CYA mode (we don’t know what this feature is or why we’d use it, but it might be handy in a decade, so we must have it now) or because someone wants to eliminate certain vendors based on some obscure missing feature.

However, as Arista EOS runs on top of fully-open Linux (not like some other vendors that try to sandbox their customers into a container) it’s pretty easy to add OpenFlow TLS encryption with a TLS proxy (stunnel) as explained in this article (might be behind a regwall).

Regardless of what you think about running your switches on Linux, or adding third-party software to your switches, or treating the switches like servers – the ability to add components that get the job done without waiting years for your $vendor to implement them is priceless.

Ignoring minor details like ridiculously low pricing offered by a $vendor who desperately wants to get your deal, I wouldn’t buy a data center switch that I can’t manage like a Linux server these days… but maybe it’s just me having my head in the clouds.

Explore!

Want to know what major data center switching vendors are doing? You’ll find an in-depth overview of their latest products and software features in the Data Center Fabric Architectures webinar.

Want to learn how to build a leaf-and-spine fabric? Take the Designing and Building Data Center Fabrics online course – it covers physical and L2/L3 fabric design, advanced topics and vendor overview, and includes vibrant support community, and hands-on exercises in.

How about mastering more than just data center networking? Hundreds of fellow networking engineers found Building Next-Generation Data Center online course extremely useful.

7 comments:

  1. If it's easy for me to get root on my DC switch, it's easy for an attacker to backdoor it too.
    You're trading user-friendliness for security.
    Replies
    1. Thank you, I really needed a good joke today.
    2. Should be a joke. Cause if xabrouck is serious, Linux should be banned all together with NX-OS, ISE and pretty much everything. In fact open Linux means that apart from normal upgrade, it's easy to apply a security patch even before next release is available. @xabrouck: I'd seriously consider adding a smile next time. Like that: =)
  2. A bit offtopic but "EOS" name sounds funny.
  3. From Arista's site:
    1) Please download Stunnel from here: http://dl.fedoraproject.org/pub/archive/fedora/linux/releases/14/Fedora/i386/os/Packages/stunnel-4.33-1.fc14.i686.rpm

    From the http://dl.fedoraproject.org/pub/archive/fedora/ site:

    Note: The Fedora releases here are no longer supported or maintained, so they do not receive bug fixes or security updates. We do not recommend using these releases any more. To obtain the latest, supported version of Fedora, please refer to the main download page.


    I think I'd prefer to download a more recent version, but the rest of the instructions are fine.
    Replies
    1. For example, stunnel 5.42 instead of 4.33 - https://www.rpmfind.net/linux/rpm2html/search.php?query=stunnel
    2. the path to https://en.wikipedia.org/wiki/Dependency_hell
Add comment
Sidebar