NSX Advanced Load Balancer supports a dedicated interface on Service Engines for HSM communication in the following environments:

  • Cisco CSP

  • vCenter No Orchestrator Mode

Background

Dedicated hardware security module (HSM) interfaces on NSX Advanced Load Balancer Service Engines use the following configuration parameters:

  • avi.hsm-ip.SE

  • avi.hsm-static-routes.SE

  • avi.hsm-vnic-id.SE

For existing SEs, these parameters can be populated in the /etc/ovf_config file.

Note:

All parameters in this file are comma-separated and the file format is slightly different from the YML file used for spinning up new Service Engines. However, the parameters and their respective formats are exactly the same as they are for new Service Engines.

YAML parameters

avi.hsm-ip.SE

  • Description : This is the IP address of the dedicated HSM vNIC on the SE (this is NOT the IP address of the HSM).

  • Format : IP-address/subnet-mask.

  • Example : avi.hsm-ip.SE: 10.160.103.227/24

avi.hsm-static-routes.SE

  • Description : These are comma-separated static routes to reach the HSM devices. Even /32 routes can be provided.

    Note:

    If there is a single static route, provide it on its own and ensure the square brackets are matched. Also, if the HSM devices are in the same subnet as the dedicated interface, provide the default gateway of that subnet as the gateway.

  • Format : [ hsm network1/mask1 via gateway1, hsm network2/mask2 via gateway2 ] OR [ hsm network1/mask1 via gateway1 ]

  • Example : avi.hsm-static-routes.SE:[ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2]

avi.hsm-vnic-id.SE

  • Description : This is the ID of the dedicated HSM vNIC and is typically 3 on CSP (vNIC0 is management interface, vNIC1 is data-in interface, and vNIC2 is data-out interface).

  • Format : 'numeric vNIC ID'.

  • Example : avi.hsm-vnic-id.SE: '3'

Instructions

CSP Configuration

To add a dedicated HSM vNIC on an existing SE CSP service, perform the following steps:

Note: In the sample configuration provided below, vNIC3 is used, which is actually the fourth NIC on the CSP service.

  1. Navigate to Configuration > Service > Action > Power Off to power off the NSX Advanced Load Balancer SE service using the CSP user interface.

  2. Navigate to Configuration > Service > Action > Service Edit > Add vnic to add a new vNIC to the SE with the desired parameters. Provide VLAN id, VLAN type, VLAN tagged, Network Name, Model, etc., and click Submit.

  3. Navigate to Configuration > Service > Action > Power ON to power on the SE service from the CSP UI.

NSX Advanced Load Balancer Service Engine Configuration

  1. Perform the following steps from the NSX Advanced Load Balancer Service Engine bash shell:

     ssh admin@<SE-MGMT-IP>
     bash# sudo su
     bash# /opt/avi/scripts/stop_se.sh
     bash# mv /var/run/avi/ovf_properties.saved /home/admin

     Note: Perform a move operation; do not copy this file. Edit it to provide the three comma-separated, HSM-dedicated NIC related parameters. The file looks like the following:

     bash# cat /home/admin/ovf_properties.saved
     AVICNTRL: 10.128.2.18, AVICNTRL_AUTHTOKEN: 1403771c-fc59-4d76-89b2-b3c35682b342,
     avi.default-gw.SE: 10.128.2.1,
     avi.hsm-ip.SE: 10.160.103.227/24,
     avi.hsm-static-routes.SE:[10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2],
     avi.hsm-vnic-id.SE: '3',
     avi.mgmt-ip.SE: 10.128.2.27, ovf_source: CSP,
     uuid: FCE9B12D-A1B0-4EF3-B922-BDC2A5F8AA11

     bash# cp /home/admin/ovf_properties.saved /etc/ovf_config
     bash# /opt/avi/scripts/start_se.sh

  2. Verify that the dedicated vNIC information is applied correctly and that the HSM devices are reachable via this interface. In this sample configuration, the eth3 dedicated HSM interface is configured with IP 10.160.103.227/24.

     ssh admin@<SE-MGMT-IP>
     bash# ifconfig eth3
     eth3      Link encap:Ethernet  HWaddr 02:6a:80:02:11:05
               inet addr:10.160.103.227  Bcast:10.160.103.255  Mask:255.255.255.0
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:4454601 errors:0 dropped:1987 overruns:0 frame:0
               TX packets:4510346 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:1000
               RX bytes:672683711 (672.6 MB)  TX bytes:875329395 (875.3 MB)
     bash# ip route
     default via 10.128.2.1 dev eth0
     10.128.1.0/24 via 10.160.103.1 dev eth3
     10.128.2.0/24 via 10.160.103.2 dev eth3
     10.128.2.0/24 dev eth0  proto kernel  scope link  src 10.128.2.27
     10.160.103.0/24 dev eth3 proto kernel  scope link  src 10.160.103.227
     bash# ping -I eth3 <HSM-IP>
     bash# ping -I eth3 10.128.1.51
     PING 10.128.1.51 (10.128.1.51) from 10.160.103.227 eth3: 56(84) bytes of data.
     64 bytes from 10.128.1.51: icmp_seq=1 ttl=62 time=0.229 ms