Avi Load Balancer supports a dedicated interface on Service Engines for HSM communication in the following environments:

  • Cisco CSP

  • vCenter No Orchestrator Mode


Avi Load Balancer supports dedicated interfaces for Service Engines deployed in vCenter No Orchestrator environments.

Dedicated hardware security module (HSM) interfaces on Avi Load Balancer Service Engines use the following configuration parameters:

  • avi.hsm-ip.SE

  • avi.hsm-static-routes.SE

  • avi.hsm-vnic-id.SE


YAML Parameter

  • avi.hsm-ip.SE

    IP address of the dedicated HSM vNIC on the SE (this is NOT the IP address of the HSM)

  • avi.hsm-static-routes.SE

    Comma-separated static routes to reach the HSM devices. Even /32 routes can be provided.

    If there is a single static route, provide the same and ensure the square brackets are matched. Also, if HSM devices are in the same subnet as the dedicated interfaces, provide the gateway as the default gateway for the subnet.

    Format: [ hsm network1/mask1 via gateway1, hsm network2/mask2 via gateway2 ] OR [ hsm network1/mask1 via gateway1 ]

    Example: avi.hsm-static-routes.SE:[ via, via]

  • avi.hsm-vnic-id.SE

    For CSP, this is the ID of the dedicated HSM vNIC and is typically 3 on CSP (vNIC0 is management interface, vNIC1 is data-in interface and vNIC2 is data-out interface). For vCenter No Orchestrator, this is the vNIC ID (for instance, “3” for “Eth3”).

    Format: numeric vNIC ID

    Example: avi.hsm-vnic-id.SE: '3'
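A pre-deployment check for the avi.hsm-static-routes.SE format described above, as an added example that is not part of the Avi Load Balancer documentation or product: it parses the bracketed route list and reports HSM addresses that no static route covers. The function names and the sample addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import re

# Entry format from the parameter description: "network/mask via gateway"
ROUTE_RE = re.compile(r"^(\S+)\s+via\s+(\S+)$")


def parse_hsm_static_routes(value):
    """Parse an avi.hsm-static-routes.SE value into (network, gateway) pairs."""
    value = value.strip()
    if not (value.startswith("[") and value.endswith("]")):
        raise ValueError("square brackets are not matched")
    body = value[1:-1]
    if "[" in body or "]" in body:
        raise ValueError("square brackets are not matched")
    routes = []
    for entry in body.split(","):
        entry = entry.strip()
        match = ROUTE_RE.match(entry)
        if not match:
            raise ValueError(f"expected 'network/mask via gateway', got {entry!r}")
        # strict=True rejects a prefix with host bits set, e.g. 198.51.100.5/24
        network = ipaddress.ip_network(match.group(1), strict=True)
        gateway = ipaddress.ip_address(match.group(2))
        routes.append((network, gateway))
    return routes


def uncovered_hsms(routes, hsm_ips):
    """Return the HSM addresses that no parsed static route covers.

    No entry in avi.hsm-static-routes.SE steers traffic for these addresses.
    """
    return [ip for ip in hsm_ips
            if not any(ipaddress.ip_address(ip) in net for net, _ in routes)]


# Constructed sample values (hypothetical, RFC 5737 ranges), not from the page.
SAMPLE = "[ 198.51.100.0/24 via 192.0.2.1, 203.0.113.7/32 via 192.0.2.1 ]"
SAMPLE_HSMS = ["198.51.100.20", "203.0.113.7", "203.0.113.8"]

if __name__ == "__main__":
    parsed = parse_hsm_static_routes(SAMPLE)
    for ip in uncovered_hsms(parsed, SAMPLE_HSMS):
        print(f"no static route covers HSM {ip}")
```
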

Cisco CSP

A sample YAML file for the Day Zero configuration on the CSP is shown below:

bash# cat avi_meta_data_dedicated_hsm_SE.yml
avi.mgmt-ip.SE: ""
avi.mgmt-mask.SE: ""
avi.default-gw.SE: ""
AVICNTRL_AUTHTOKEN: "febab55d-995a-4523-8492-f798520d4515"
avi.hsm-static-routes.SE:[ via, via]
avi.hsm-vnic-id.SE: '3'

Once an Avi Load Balancer Service Engine is created with the Day Zero configuration file and appropriate virtual NIC interfaces are added to the SE service instance on Cisco CSP, verify that the dedicated vNIC configuration is applied successfully and the HSM devices are reachable through this interface. In this case, interface eth3 (dedicated HSM interface) is configured with IP

Log in to the bash prompt of the Avi Load Balancer SE, then use the ip route command and run a ping test to check reachability of the dedicated interface IP.

bash# ssh admin@<SE-MGMT-IP>
bash# ifconfig eth3
eth3      Link encap:Ethernet  HWaddr 02:6a:80:02:11:05  
          inet addr:  Bcast:  Mask:
          RX packets:4454601 errors:0 dropped:1987 overruns:0 frame:0
          TX packets:4510346 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:672683711 (672.6 MB)  TX bytes:875329395 (875.3 MB)
bash# ip route
default via dev eth0
via dev eth3
via dev eth3
dev eth0  proto kernel  scope link  src
dev eth3  proto kernel  scope link  src
bash# ping -I eth3 <HSM-IP>
ping -I eth3
PING ( from eth3: 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=62 time=0.229 ms

vCenter No-Orchestrator

When the Service Engine is being deployed, add the OVF properties listed above to the virtual machine. For existing Service Engines, the SE virtual machine can be powered off, the OVF properties added, and the VM powered on.