NSX Advanced Load Balancer supports dedicated interface on Service Engines for HSM communication in the following environments:
Cisco CSP
vCenter No Orchestrator Mode
NSX Advanced Load Balancer supports dedicated interfaces for Service Engines deployed in vCenter No Orchestrator environments.
Dedicated hardware security module (HSM) interfaces on NSX Advanced Load Balancer Service Engines use the following configuration parameters:
avi.hsm-ip.SEavi.hsm-static-routes.SEavi.hsm-vnic-id.SE
Parameters
YAML Parameter |
Description |
Format |
Example |
|---|---|---|---|
|
IP address of the dedicated HSM vNIC on the SE (this is NOT the IP address of the HSM) |
IP-address/subnet-mask |
avi.hsm-ip.SE: 10.160.103.227/24 |
|
Comma-separated, static routes to reach the HSM devices. Even /32 routes can be provided.
Note:
If there is a single static route, provide the same and ensure the square brackets are matched. Also, if HSM devices are in the same subnet as the dedicated interfaces, provide the gateway as the default gateway for the subnet. |
[ hsm network1/mask1 via gateway1, hsm network2/mask2 via gateway2 ] OR [ hsm network1/mask1 via gateway1 ] |
avi.hsm-static-routes.SE:[ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2] |
|
For CSP, this is the ID of the dedicated HSM vNIC and is typically 3 on CSP (vNIC0 is management interface, vNIC1 is data-in interface and vNIC2 is data-out interface). For vCenter No Orchestrator, this is the vNIC ID (for instance, “3”for “Eth3”).IP |
numeric vNIC ID |
avi.hsm-vnic-id.SE: '3' |
Cisco CSP
A sample YAML file for the Day Zero configuration on the CSP is shown below:
bash# cat avi_meta_data_dedicated_hsm_SE.yml avi.mgmt-ip.SE: "10.128.2.18" avi.mgmt-mask.SE: "255.255.255.0" avi.default-gw.SE: "10.128.2.1" AVICNTRL: "10.10.22.50" AVICNTRL_AUTHTOKEN: “febab55d-995a-4523-8492-f798520d4515" avi.hsm-ip.SE: 10.160.103.227/24 avi.hsm-static-routes.SE:[ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2] avi.hsm-vnic-id.SE: '3'
Once an NSX Advanced Load Balancer Service Engine is created with the Day Zero configuration file and appropriate virtual NIC interfaces are added to the SE service instance on Cisco CSP, verify that the dedicated vNIC configuration is applied successfully and the HSM devices are reachable through this interface. In this case, interface eth3 (dedicated HSM interface) is configured with IP 10.160.103.227/24.
Login into the bash prompt of NSX Advanced Load Balancer SE and use IP route command and run a ping test to check reachability of the dedicated interface IP.
bash# ssh admin@<SE-MGMT-IP>
bash# ifconfig eth3
eth3 Link encap:Ethernet HWaddr 02:6a:80:02:11:05
inet addr:10.160.103.227 Bcast:10.160.103.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4454601 errors:0 dropped:1987 overruns:0 frame:0
TX packets:4510346 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:672683711 (672.6 MB) TX bytes:875329395 (875.3 MB)
bash# ip route
default via 10.128.2.1 dev eth0
10.128.1.0/24 via 10.160.103.1 dev eth3
10.128.2.0/24 via 10.160.103.2 dev eth3
10.128.2.0/24 dev eth0 proto kernel scope link src 10.128.2.27
10.160.103.0/24 dev eth3 proto kernel scope link src 10.160.103.227
bash# ping -I eth3 <HSM-IP>
ping -I eth3 10.128.1.51
PING 10.128.1.51 (10.128.1.51) from 10.160.103.227 eth3: 56(84) bytes of data.
64 bytes from 10.128.1.51: icmp_seq=1 ttl=62 time=0.229 ms
vCenter No-Orchestrator
When the Service Engine is being deployed, add the OVF properties listed above to the virtual machine. For existing Service Engines, the SE virtual machine can be powered off, the OVF properties added, and the VM powered on.
