Do you have an OpenFlow controller that supports communication channel encryption via TLS and you’d like to take advantage of that option with an Arista switch? No problem! Just follow these simple steps and in mere minutes you’ll have a secure TLS connection up and running. Just imagine the look of shock and amazement on the faces of your friends, family and coworkers as you extend the capabilities of your EOS-powered switch in near real time!
1) Please download Stunnel from here: http://dl.fedoraproject.org/pub/archive/fedora/linux/releases/14/Fedora/i386/os/Packages/stunnel-4.33-1.fc14.i686.rpm
2) Copy it to flash on the switch: switch#copy scp://@//stunnel-4.33-1.fc14.i686.rpm flash:
3) Install the RPM as an extension:
switch#copy flash:stunnel-4.33-1.fc14.i686.rpm extension:
switch#extension stunnel-4.33-1.fc14.i686.rpm
4) Verify that the RPM was installed:
switch# show extensions
Name                          Version/Release   Status   extension
----------------------------- ----------------- -------- ---------
stunnel-4.33-1.fc14.i686.rpm  4.33/1.fc14       A, I     1
A: available | NA: not available | I: installed | NI: not installed | F: forced
5) Configure the switch to load the extension at boot time: switch#copy installed-extensions boot-extensions
6) Create the stunnel.conf file:
switch#bash vi /mnt/flash/stunnel.conf
Paste in the following:
# Stunnel configuration file
sslVersion = TLSv1
cert = /persist/secure/capi.pem
# This is the built-in cert file, feel free to load and use your own.
key = /persist/secure/capikey.pem
# This is the built-in cert key file, feel free to load and use your own.
client = yes
# Service definition (stunnel reads accept/connect from a named [section]; the name chosen here is arbitrary)
[openflow]
accept = 127.0.0.1:6633
connect = :6633
# Fill in the controller's address before the colon in "connect".
7) Configure stunnel to start at boot time (EOS event handler):
switch(config)#event-handler stunnel
switch(config-handler-stunnel)#trigger on-boot
switch(config-handler-stunnel)#action bash sudo stunnel /mnt/flash/stunnel.conf
Performing these steps will ensure that stunnel is loaded, started and managed as an extension at boot time. There are many more stunnel options that could be used, including CA checking, logging options, PID files, etc.
8) Verify that stunnel is up and running with:
switch#bash sudo netstat -an | grep 6633
switch#bash sudo ps -ef | grep stunnel
9) Configure OpenFlow on the switch to point to itself (stunnel client side):
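Before handing a file like the one from step 6 to stunnel, it is worth checking it for the mistakes that silently weaken the tunnel: a cleartext listener bound to something other than loopback, a controller host left blank in "connect", or no CA checking at all. The POSIX sh checker below is an added example, not Arista's or stunnel's own code; it relies on the stunnel option names accept, connect, client, verify and CAfile, and the configuration files it is run against are constructed samples.

```shell
#!/bin/sh
# Added example: sanity-check a stunnel client config before "sudo stunnel conf".
# Not Arista's or stunnel's code. Assumes POSIX sh with sed/head available.

# conf_get FILE KEY: print the value of the first "KEY = value" line (blank if absent).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_stunnel_conf FILE: return 0 when the config is a loopback-only OpenFlow
# client tunnel with controller certificate checking; otherwise print the
# findings and return 1.
check_stunnel_conf() {
    conf="$1"; rc=0
    accept=$(conf_get "$conf" accept)
    connect=$(conf_get "$conf" connect)
    # 1. The cleartext side must be reachable only from the switch itself.
    case "$accept" in
        127.0.0.1:*|localhost:*) ;;
        *) echo "accept=$accept is not bound to loopback: cleartext OpenFlow exposed"; rc=1 ;;
    esac
    # 2. The TLS side must name a controller host, not the ":6633" placeholder.
    case "$connect" in
        :*|"") echo "connect=$connect names no controller host"; rc=1 ;;
    esac
    # 3. Without verify + CAfile stunnel accepts any controller certificate.
    if [ -z "$(conf_get "$conf" verify)" ] || [ -z "$(conf_get "$conf" CAfile)" ]; then
        echo "verify/CAfile not set: controller certificate is not checked"; rc=1
    fi
    # 4. client = yes is what makes the switch originate the TLS session.
    [ "$(conf_get "$conf" client)" = yes ] || { echo "client is not 'yes'"; rc=1; }
    return $rc
}

# Usage on the switch: sh check.sh /mnt/flash/stunnel.conf
if [ "$#" -gt 0 ]; then
    check_stunnel_conf "$1"
fi
```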
If you have any questions be sure to reach out to your local Arista Systems Engineer.