NSX Advanced Load Balancer supports dedicated interface on Service Engines for HSM communication in the following environments:

  • Cisco CSP

  • vCenter No Orchestrator Mode

Note:

NSX Advanced Load Balancer supports dedicated interfaces for Service Engines deployed in vCenter No Orchestrator environments.

Dedicated hardware security module (HSM) interfaces on NSX Advanced Load Balancer Service Engines use the following configuration parameters:

  • avi.hsm-ip.SE

  • avi.hsm-static-routes.SE

  • avi.hsm-vnic-id.SE

Parameters

Each parameter is listed with its description, its format, and an example of how it appears in the Day Zero YAML file.

avi.hsm-ip.SE

  Description: IP address of the dedicated HSM vNIC on the SE (this is NOT the IP address of the HSM).

  Format: IP-address/subnet-mask

  Example: avi.hsm-ip.SE: 10.160.103.227/24

avi.hsm-static-routes.SE

  Description: Comma-separated static routes to reach the HSM devices. Host (/32) routes can also be provided.

  Note: If there is a single static route, provide it alone and ensure the square brackets are matched. If the HSM devices are in the same subnet as the dedicated interface, provide the default gateway of that subnet as the gateway.

  Format: [ hsm network1/mask1 via gateway1, hsm network2/mask2 via gateway2 ] OR [ hsm network1/mask1 via gateway1 ]

  Example: avi.hsm-static-routes.SE: [ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2 ]

avi.hsm-vnic-id.SE

  Description: For CSP, this is the ID of the dedicated HSM vNIC and is typically 3 on CSP (vNIC0 is the management interface, vNIC1 is the data-in interface and vNIC2 is the data-out interface). For vCenter No Orchestrator, this is the vNIC ID (for instance, "3" for "Eth3").

  Format: numeric vNIC ID

  Example: avi.hsm-vnic-id.SE: '3'

Cisco CSP

A sample YAML file for the Day Zero configuration on the CSP is shown below:

bash# cat avi_meta_data_dedicated_hsm_SE.yml
avi.mgmt-ip.SE: "10.128.2.18"
avi.mgmt-mask.SE: "255.255.255.0"
avi.default-gw.SE: "10.128.2.1"
AVICNTRL: "10.10.22.50"
AVICNTRL_AUTHTOKEN: "febab55d-995a-4523-8492-f798520d4515"
avi.hsm-ip.SE: 10.160.103.227/24
avi.hsm-static-routes.SE: [ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2 ]
avi.hsm-vnic-id.SE: '3'

Once an NSX Advanced Load Balancer Service Engine is created with the Day Zero configuration file and appropriate virtual NIC interfaces are added to the SE service instance on Cisco CSP, verify that the dedicated vNIC configuration is applied successfully and the HSM devices are reachable through this interface. In this case, interface eth3 (dedicated HSM interface) is configured with IP 10.160.103.227/24.

Log in to the bash prompt of the NSX Advanced Load Balancer SE, confirm the interface address with ifconfig, check the routing table with the ip route command, and run a ping test from the dedicated interface to verify that the HSM is reachable.

bash# ssh admin@<SE-MGMT-IP>
bash# ifconfig eth3
eth3      Link encap:Ethernet  HWaddr 02:6a:80:02:11:05
          inet addr:10.160.103.227  Bcast:10.160.103.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4454601 errors:0 dropped:1987 overruns:0 frame:0
          TX packets:4510346 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:672683711 (672.6 MB)  TX bytes:875329395 (875.3 MB)
bash# ip route
default via 10.128.2.1 dev eth0
10.128.1.0/24 via 10.160.103.1 dev eth3
10.128.2.0/24 via 10.160.103.2 dev eth3
10.128.2.0/24 dev eth0  proto kernel  scope link  src 10.128.2.27
10.160.103.0/24 dev eth3  proto kernel  scope link  src 10.160.103.227
bash# ping -I eth3 <HSM-IP>
bash# ping -I eth3 10.128.1.51
PING 10.128.1.51 (10.128.1.51) from 10.160.103.227 eth3: 56(84) bytes of data.
64 bytes from 10.128.1.51: icmp_seq=1 ttl=62 time=0.229 ms
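The following Python script is an added example, not part of the NSX Advanced Load Balancer documentation or product: it checks the three avi.hsm-* parameters from the table above in a Day Zero file before the SE is deployed (address in IP/mask form, numeric vNIC ID, matched square brackets around the static routes, every gateway inside the dedicated vNIC's subnet) and then compares the routes the file implies against the output of ip route from the verification step. The Day Zero text and the ip route output embedded in it are constructed samples in the page's formats (with a placeholder auth token), the overlap warning for routes that collide with the management subnet is this example's own check, and the minimal key: value reader is an assumption that the file stays flat, as in the sample above.

```python
"""Check avi.hsm-* Day Zero parameters and compare them with `ip route` output."""
import ipaddress
import re

# Constructed sample Day Zero file in the formats from the parameter table.
# The controller auth token is a placeholder, not a real value.
SAMPLE_DAY_ZERO = """\
avi.mgmt-ip.SE: "10.128.2.18"
avi.mgmt-mask.SE: "255.255.255.0"
avi.default-gw.SE: "10.128.2.1"
AVICNTRL: "10.10.22.50"
AVICNTRL_AUTHTOKEN: "<CONTROLLER-AUTH-TOKEN>"
avi.hsm-ip.SE: 10.160.103.227/24
avi.hsm-static-routes.SE: [ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2 ]
avi.hsm-vnic-id.SE: '3'
"""

# Constructed `ip route` output of the kind the SE shows after boot.
SAMPLE_IP_ROUTE = """\
default via 10.128.2.1 dev eth0
10.128.1.0/24 via 10.160.103.1 dev eth3
10.128.2.0/24 via 10.160.103.2 dev eth3
10.128.2.0/24 dev eth0  proto kernel  scope link  src 10.128.2.18
10.160.103.0/24 dev eth3  proto kernel  scope link  src 10.160.103.227
"""

ROUTE_RE = re.compile(r"^\s*(\S+)\s+via\s+(\S+)\s*$")


def parse_day_zero(text):
    """Minimal reader for the flat `key: value` Day Zero file (quotes stripped)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"expected 'key: value': {line!r}")
        cfg[key.strip()] = value.strip().strip("\"'")
    return cfg


def parse_static_routes(value):
    """'[ net/mask via gw, ... ]' -> [(IPv4Network, IPv4Address), ...]; one route is fine."""
    body = value.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("routes must be enclosed in matching square brackets")
    routes = []
    for item in body[1:-1].split(","):
        if not item.strip():
            continue
        m = ROUTE_RE.match(item)
        if not m:
            raise ValueError(f"route must be '<network>/<mask> via <gateway>': {item.strip()!r}")
        routes.append((ipaddress.ip_network(m.group(1), strict=True),
                       ipaddress.ip_address(m.group(2))))
    return routes


def validate_hsm_config(cfg):
    """Return {'errors': [...], 'warnings': [...]} for the avi.hsm-* parameters."""
    errors, warnings = [], []
    try:
        hsm_ip = cfg.get("avi.hsm-ip.SE", "")
        if "/" not in hsm_ip:
            raise ValueError("missing /subnet-mask")
        iface = ipaddress.ip_interface(hsm_ip)
    except ValueError as exc:
        return {"errors": [f"avi.hsm-ip.SE must be IP-address/subnet-mask: {exc}"], "warnings": []}
    if not cfg.get("avi.hsm-vnic-id.SE", "").isdigit():
        errors.append("avi.hsm-vnic-id.SE must be a numeric vNIC ID")
    try:
        routes = parse_static_routes(cfg.get("avi.hsm-static-routes.SE", ""))
    except ValueError as exc:
        errors.append(f"avi.hsm-static-routes.SE: {exc}")
        routes = []
    mgmt = None
    if "avi.mgmt-ip.SE" in cfg and "avi.mgmt-mask.SE" in cfg:
        mgmt = ipaddress.ip_interface(f"{cfg['avi.mgmt-ip.SE']}/{cfg['avi.mgmt-mask.SE']}").network
    for net, gw in routes:
        # The SE must be able to ARP for the next hop on the dedicated vNIC;
        # a gateway outside that subnet leaves the HSM unreachable.
        if gw not in iface.network:
            errors.append(f"gateway {gw} for {net} is outside the HSM vNIC subnet {iface.network}")
        # Example's own check: an HSM route for a prefix the management NIC is
        # directly connected to competes with eth0's kernel route.
        if mgmt is not None and net.overlaps(mgmt):
            warnings.append(f"HSM route {net} overlaps the management subnet {mgmt}")
    return {"errors": errors, "warnings": warnings}


def expected_routes(cfg, dev="eth3"):
    """(prefix, gateway-or-None, device) tuples the SE should show for the HSM vNIC."""
    iface = ipaddress.ip_interface(cfg["avi.hsm-ip.SE"])
    wanted = [(str(n), str(g), dev) for n, g in parse_static_routes(cfg["avi.hsm-static-routes.SE"])]
    wanted.append((str(iface.network), None, dev))  # connected route for the vNIC subnet
    return wanted


def missing_routes(cfg, ip_route_output, dev="eth3"):
    """Expected routes that do not appear in the given `ip route` output."""
    seen = set()
    for line in ip_route_output.splitlines():
        tok = line.split()
        if len(tok) < 3 or "dev" not in tok:
            continue
        gw = tok[tok.index("via") + 1] if "via" in tok else None
        seen.add((tok[0], gw, tok[tok.index("dev") + 1]))
    return [r for r in expected_routes(cfg, dev) if r not in seen]


if __name__ == "__main__":
    config = parse_day_zero(SAMPLE_DAY_ZERO)
    print(validate_hsm_config(config))
    print("missing routes:", missing_routes(config, SAMPLE_IP_ROUTE))
```

Run it against a real file by replacing SAMPLE_DAY_ZERO with the file's contents and SAMPLE_IP_ROUTE with the captured ip route output from the SE; an empty error list and an empty missing-route list correspond to the state the ifconfig and ip route checks above are meant to confirm, and the ping test remains the final reachability check.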

vCenter No-Orchestrator

When the Service Engine is being deployed, add the OVF properties listed above to the virtual machine. For existing Service Engines, the SE virtual machine can be powered off, the OVF properties added, and the VM powered on.