Dedicated hardware security module (HSM) interfaces on NSX Advanced Load Balancer Service Engines use the following configuration parameters:
avi.hsm-ip.SE
avi.hsm-static-routes.SE
avi.hsm-vnic-id.SE
For existing SEs, these parameters can be populated in the /etc/ovf_config file.
All parameters in this file are comma-separated and the file format is slightly different from the YML file used for spinning up new Service Engines. However, the parameters and their respective formats are exactly the same as they are for new Service Engines.
YAML parameters
YAML Parameter | Description | Format | Example |
---|---|---|---|
avi.hsm-ip.SE | IP address of the dedicated HSM vNIC on the SE (this is NOT the IP address of the HSM) | IP-address/subnet-mask | avi.hsm-ip.SE: 10.160.103.227/24 |
avi.hsm-static-routes.SE | Comma-separated static routes to reach the HSM devices; even /32 routes can be provided. Note: if there is a single static route, provide just that one and ensure the square brackets are matched. Also, if the HSM devices are in the same subnet as the dedicated interfaces, provide the subnet's default gateway as the gateway. | [ hsm network1/mask1 via gateway1, hsm network2/mask2 via gateway2 ] OR [ hsm network1/mask1 via gateway1 ] | avi.hsm-static-routes.SE:[ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2] |
avi.hsm-vnic-id.SE | ID of the dedicated HSM vNIC; typically 3 on CSP (vNIC0 is the management interface, vNIC1 is the data-in interface, and vNIC2 is the data-out interface) | numeric vNIC ID | avi.hsm-vnic-id.SE: '3' |
Configuring Parameters
To add a dedicated HSM vNIC to an existing SE CSP service, perform the following steps. In the sample configuration provided below, vNIC3 is used, which is actually the fourth NIC on the CSP service.
1. Navigate to the NSX Advanced Load Balancer SE service using the CSP user interface.
2. Power off the SE service.
3. Add a new vNIC to the SE with the desired parameters. Provide VLAN id, VLAN type, VLAN tagged, Network Name, Model, and more. Click Submit.
4. Power on the SE service again from the CSP UI.
To configure NSX Advanced Load Balancer Service Engine
Perform the following steps using NSX Advanced Load Balancer Service Engine bash shell.
```
ssh admin@<SE-MGMT-IP>
bash# sudo su
bash# /opt/avi/scripts/stop_se.sh
bash# mv /var/run/avi/ovf_properties.saved /home/admin
```
Note: Perform a move operation; do not copy this file. Edit it to provide the three comma-separated, HSM-dedicated NIC related parameters. The file looks like the following:
```
bash# cat /home/admin/ovf_properties.saved
AVICNTRL: 10.128.2.18, AVICNTRL_AUTHTOKEN: 1403771c-fc59-4d76-89b2-b3c35682b342, avi.default-gw.SE: 10.128.2.1, avi.hsm-ip.SE: 10.160.103.227/24, avi.hsm-static-routes.SE:[10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2], avi.hsm-vnic-id.SE: '3', avi.mgmt-ip.SE: 10.128.2.27, ovf_source: CSP, uuid: FCE9B12D-A1B0-4EF3-B922-BDC2A5F8AA11
```
Copy the edited file into place and start the SE again:
```
bash# cp /home/admin/ovf_properties.saved /etc/ovf_config
bash# /opt/avi/scripts/start_se.sh
```
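Before copying the edited file back into /etc/ovf_config, the three HSM parameters can be checked offline. The following Python script is an added example for this page, not NSX ALB code; it parses a comma-separated line in the format shown above (SAMPLE is constructed from the page's own values), enforces the matched-bracket rule for the static-routes list, and checks that every gateway lies on the dedicated HSM vNIC's subnet.

```python
# Pre-check for the three HSM parameters of an /etc/ovf_config line. Added
# example for this page, not NSX ALB code; SAMPLE is constructed from page values.
import ipaddress
import re

ROUTE_RE = re.compile(r"^\s*(\S+)\s+via\s+(\S+)\s*$")
SAMPLE = ("avi.default-gw.SE: 10.128.2.1, avi.hsm-ip.SE: 10.160.103.227/24, "
          "avi.hsm-static-routes.SE:[10.128.1.0/24 via 10.160.103.1, "
          "10.128.2.0/24 via 10.160.103.2], avi.hsm-vnic-id.SE: '3', "
          "avi.mgmt-ip.SE: 10.128.2.27, ovf_source: CSP")


def split_ovf_line(line):
    """Split 'key: value, ...' into a dict; commas inside [...] are not separators."""
    fields, cur, depth = [], [], 0
    for ch in line:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    if depth != 0:
        raise ValueError("unmatched square brackets in avi.hsm-static-routes.SE")
    return {k.strip(): v.strip() for k, _, v in (f.partition(":") for f in fields)}


def check_hsm_params(cfg):
    """Validate the HSM vNIC parameters; return (interface, routes, vnic_id)."""
    ip_val = cfg["avi.hsm-ip.SE"]
    if "/" not in ip_val:  # ip_interface() would silently assume /32
        raise ValueError("avi.hsm-ip.SE must be IP-address/subnet-mask")
    iface = ipaddress.ip_interface(ip_val)
    raw = cfg["avi.hsm-static-routes.SE"]
    if not (raw.startswith("[") and raw.endswith("]")):
        raise ValueError("static routes must be written as [ ... ]")
    routes = []
    for item in raw[1:-1].split(","):
        m = ROUTE_RE.match(item)
        if not m:
            raise ValueError(f"route must be 'network/mask via gateway': {item!r}")
        net = ipaddress.ip_network(m.group(1), strict=False)
        gw = ipaddress.ip_address(m.group(2))
        # Routes are installed 'via gw dev eth<vnic-id>', so gw must be on the HSM vNIC subnet.
        if gw not in iface.network:
            raise ValueError(f"gateway {gw} is not on {iface.network}")
        routes.append((net, gw))
    vnic = cfg["avi.hsm-vnic-id.SE"].strip("'\"")
    if not vnic.isdigit():
        raise ValueError("avi.hsm-vnic-id.SE must be a numeric vNIC ID")
    return iface, routes, int(vnic)
```

Run `check_hsm_params(split_ovf_line(open("/home/admin/ovf_properties.saved").read().strip()))` on the SE before the cp step; a ValueError names the offending parameter.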
Verify that the dedicated vNIC information is applied correctly and that the HSM devices are reachable through this interface. In this sample configuration, the eth3 dedicated HSM interface is configured with IP 10.160.103.227/24.
```
bash# ssh admin@<SE-MGMT-IP>
bash# ifconfig eth3
eth3      Link encap:Ethernet  HWaddr 02:6a:80:02:11:05
          inet addr:10.160.103.227  Bcast:10.160.103.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4454601 errors:0 dropped:1987 overruns:0 frame:0
          TX packets:4510346 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:672683711 (672.6 MB)  TX bytes:875329395 (875.3 MB)
bash# ip route
default via 10.128.2.1 dev eth0
10.128.1.0/24 via 10.160.103.1 dev eth3
10.128.2.0/24 via 10.160.103.2 dev eth3
10.128.2.0/24 dev eth0 proto kernel scope link src 10.128.2.27
10.160.103.0/24 dev eth3 proto kernel scope link src 10.160.103.227
bash# ping -I eth3 <HSM-IP>
```
For example, with the HSM at 10.128.1.51:
```
bash# ping -I eth3 10.128.1.51
PING 10.128.1.51 (10.128.1.51) from 10.160.103.227 eth3: 56(84) bytes of data.
64 bytes from 10.128.1.51: icmp_seq=1 ttl=62 time=0.229 ms
```