NSX Advanced Load Balancer supports a dedicated interface on Service Engines for HSM communication in the following environments:

  • Cisco CSP

  • vCenter No Orchestrator Mode

Note: Starting with NSX Advanced Load Balancer version 20.1.5, dedicated interfaces for Service Engines deployed in vCenter No Orchestrator environments are supported.

Dedicated hardware security module (HSM) interfaces on NSX Advanced Load Balancer Service Engines use the following configuration parameters:

  • avi.hsm-ip.SE

  • avi.hsm-static-routes.SE

  • avi.hsm-vnic-id.SE

Parameters

avi.hsm-ip.SE

  • Description : This is the IP address of the dedicated HSM vNIC on the SE (this is NOT the IP address of the HSM).

  • Format: IP-address/subnet-mask

  • Example : avi.hsm-ip.SE: 10.160.103.227/24

avi.hsm-static-routes.SE

  • Description : These are comma-separated static routes to reach the HSM devices. Even /32 routes can be provided.

    Note:

    If there is a single static route, provide it on its own and ensure the square brackets are still matched. Also, if the HSM devices are in the same subnet as the dedicated interface, provide the default gateway of that subnet as the gateway.

  • Format : [ hsm network1/mask1 via gateway1, hsm network2/mask2 via gateway2 ] OR [ hsm network1/mask1 via gateway1 ]

  • Example : avi.hsm-static-routes.SE:[ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2]

avi.hsm-vnic-id.SE

  • Description : For CSP, this is the ID of the dedicated HSM vNIC and is typically 3 on CSP (vNIC0 is the management interface, vNIC1 is the data-in interface and vNIC2 is the data-out interface). For vCenter No Orchestrator, this is the vNIC ID (e.g., '3' for Eth3).

  • Format : 'numeric vNIC ID'

  • Example : avi.hsm-vnic-id.SE: '3'

YAML Parameter | Description | Format | Example
---|---|---|---
avi.hsm-ip.SE | IP address of the dedicated HSM vNIC on the SE (this is NOT the IP address of the HSM) | IP-address/subnet-mask | avi.hsm-ip.SE: 10.160.103.227/24
avi.hsm-static-routes.SE | Comma-separated static routes to reach the HSM devices. Even /32 routes can be provided | [ hsm network1/mask1 via gateway1, hsm network2/mask2 via gateway2 ] OR [ hsm network1/mask1 via gateway1 ] | avi.hsm-static-routes.SE:[ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2]
avi.hsm-vnic-id.SE | ID of the dedicated HSM vNIC | numeric vNIC ID | avi.hsm-vnic-id.SE: '3'
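The three parameters above are easy to get subtly wrong (an unmatched bracket, a gateway that is not on the dedicated vNIC's subnet, a non-numeric vNIC ID), and a mistake only shows up after the SE has booted. The following is an added example, not part of the NSX Advanced Load Balancer product or of this page, that checks the three avi.hsm-* keys from a Day Zero file before deployment; the function names and the parsing rules are assumptions derived from the formats described above.

```python
# Added example: pre-deployment sanity check for the dedicated-HSM Day Zero
# parameters. Not product code; the helpers below are hypothetical.
import ipaddress
import re

# One entry of the static-routes list: "<network>/<mask> via <gateway>"
ROUTE_RE = re.compile(r"^\s*(\S+)\s+via\s+(\S+)\s*$")


def parse_static_routes(value):
    """Parse '[ net/mask via gw, net/mask via gw ]' into (network, gateway) tuples.

    Raises ValueError on unmatched brackets or a malformed entry."""
    value = value.strip()
    if not (value.startswith("[") and value.endswith("]")):
        raise ValueError("static routes must be enclosed in matched square brackets")
    routes = []
    for item in value[1:-1].split(","):
        if not item.strip():
            continue
        m = ROUTE_RE.match(item)
        if not m:
            raise ValueError(f"malformed route entry: {item.strip()!r}")
        net = ipaddress.ip_network(m.group(1), strict=False)  # /32 entries are allowed
        gw = ipaddress.ip_address(m.group(2))
        routes.append((net, gw))
    return routes


def check_hsm_config(params):
    """Return a list of problems found in the avi.hsm-* parameters (empty means OK)."""
    iface = ipaddress.ip_interface(params["avi.hsm-ip.SE"])
    try:
        routes = parse_static_routes(params["avi.hsm-static-routes.SE"])
    except ValueError as e:
        return [str(e)]
    problems = []
    for net, gw in routes:
        # Every next hop must sit on the dedicated vNIC's own subnet, otherwise
        # the kernel cannot install the route via that interface.
        if gw not in iface.network:
            problems.append(f"gateway {gw} for {net} is outside {iface.network}")
    if not str(params["avi.hsm-vnic-id.SE"]).strip("'\"").isdigit():
        problems.append("avi.hsm-vnic-id.SE must be a numeric vNIC ID")
    return problems


# Constructed sample using the values shown in this page's Day Zero YAML.
SAMPLE = {
    "avi.hsm-ip.SE": "10.160.103.227/24",
    "avi.hsm-static-routes.SE": "[ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2]",
    "avi.hsm-vnic-id.SE": "'3'",
}
```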

Instructions

Cisco CSP

A sample YAML file for the Day Zero configuration on the CSP is shown below:

    bash# cat avi_meta_data_dedicated_hsm_SE.yml
    avi.mgmt-ip.SE: "10.128.2.18"
    avi.mgmt-mask.SE: "255.255.255.0"
    avi.default-gw.SE: "10.128.2.1"
    AVICNTRL: "10.10.22.50"
    AVICNTRL_AUTHTOKEN: "febab55d-995a-4523-8492-f798520d4515"
    avi.hsm-ip.SE: 10.160.103.227/24
    avi.hsm-static-routes.SE:[ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2]
    avi.hsm-vnic-id.SE: '3'

Once an NSX Advanced Load Balancer Service Engine is created with the Day Zero configuration file and appropriate virtual NIC interfaces are added to the SE service instance on Cisco CSP, verify that the dedicated vNIC configuration is applied successfully and the HSM devices are reachable via this interface. In this case, interface eth3 (dedicated HSM interface) is configured with IP 10.160.103.227/24.

Log in to the bash prompt of the NSX Advanced Load Balancer SE, run the ip route command to confirm that the HSM routes point out of the dedicated interface, and run a ping test sourced from the dedicated interface IP to check reachability of the HSM.

    bash# ssh admin@<SE-MGMT-IP>
    bash# ifconfig eth3
    eth3      Link encap:Ethernet  HWaddr 02:6a:80:02:11:05
              inet addr:10.160.103.227  Bcast:10.160.103.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:4454601 errors:0 dropped:1987 overruns:0 frame:0
              TX packets:4510346 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:672683711 (672.6 MB)  TX bytes:875329395 (875.3 MB)
    bash# ip route
    default via 10.128.2.1 dev eth0
    10.128.1.0/24 via 10.160.103.1 dev eth3
    10.128.2.0/24 via 10.160.103.2 dev eth3
    10.128.2.0/24 dev eth0 proto kernel scope link src 10.128.2.27
    10.160.103.0/24 dev eth3 proto kernel scope link src 10.160.103.227
    bash# ping -I eth3 <HSM-IP>
    ping -I eth3 10.128.1.51
    PING 10.128.1.51 (10.128.1.51) from 10.160.103.227 eth3: 56(84) bytes of data.
    64 bytes from 10.128.1.51: icmp_seq=1 ttl=62 time=0.229 ms

vCenter No-Orchestrator

When the Service Engine is being deployed, add the OVF properties listed above to the VM. For existing Service Engines, the SE VM can be powered off, the OVF properties added, and the VM powered on.

Additional Information

For the different supported configurations for HSM and ASM communication on NSX Advanced Load Balancer, refer to How to configure dedicated interfaces for HSM and ASM communication on Cisco CSP.