This section explains how to configure dedicated interfaces for HSM communication on a new SE and on an existing SE.

Configuring Dedicated Interfaces for HSM Communication on a New NSX Advanced Load Balancer Service Engine

The dedicated HSM interfaces on the Service Engines use the following YAML configuration parameters:

  • avi.hsm-ip.SE

  • avi.hsm-static-routes.SE

  • avi.hsm-vnic-id.SE

For configuration on new SEs, these parameters are provided in the day-zero YAML file.

YAML Parameters

avi.hsm-ip.SE
  Description: IP address, with prefix length, of the dedicated HSM vNIC on the SE. This is the SE's own address on the HSM network, NOT the IP address of an HSM device.
  Format:      IP-address/subnet-mask
  Example:     avi.hsm-ip.SE: 10.160.103.227/24

avi.hsm-static-routes.SE
  Description: Comma-separated static routes, enclosed in square brackets, through which the HSM devices are reached from the dedicated vNIC. Host (/32) routes are accepted. A single route must still be enclosed in a matching pair of square brackets. If the HSM devices are in the same subnet as the dedicated interface, use that subnet's default gateway as the next hop.
  Format:      [hsm network1/mask1 via gateway1, hsm network2/mask2 via gateway2] or [hsm network1/mask1 via gateway1]
  Example:     avi.hsm-static-routes.SE: [10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2]

avi.hsm-vnic-id.SE
  Description: ID of the dedicated HSM vNIC. On CSP this is typically 3, because vNIC0 is the management interface, vNIC1 the data-in interface and vNIC2 the data-out interface.
  Format:      numeric vNIC ID
  Example:     avi.hsm-vnic-id.SE: '3'

Instructions

A sample YAML file for the day zero configuration on the CSP is shown below:

bash# cat avi_meta_data_dedicated_hsm_SE.yml
avi.mgmt-ip.SE: "10.128.2.18"
avi.mgmt-mask.SE: "255.255.255.0"
avi.default-gw.SE: "10.128.2.1"
AVICNTRL: "10.10.22.50"
AVICNTRL_AUTHTOKEN: "febab55d-995a-4523-8492-f798520d4515"
avi.hsm-ip.SE: 10.160.103.227/24
avi.hsm-static-routes.SE: [ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2]
avi.hsm-vnic-id.SE: '3'

Once the SE has been created from the day-zero configuration file and the additional virtual NIC has been added to the SE service instance on Cisco CSP, verify that the dedicated vNIC configuration was applied and that the HSM devices are reachable through it. In this example, eth3 (the dedicated HSM interface) is configured with 10.160.103.227/24.

Log in to the bash prompt of the SE, confirm the address on eth3 with ifconfig, confirm with ip route that the HSM static routes point out of eth3, and ping an HSM address (10.128.1.51 in this example) from that interface. Two caveats apply to this check. First, ping -I eth3 forces the probe out of eth3, so a reply proves that the path through eth3 works but not that traffic which is not bound to an interface would take it; every HSM address must have a more specific route via eth3 than via any other interface. In the routing table below, 10.128.2.0/24 is installed both as the connected management route on eth0 and as a static route via eth3, so management and HSM traffic for that prefix compete for the same destination; narrow such a route to the HSM hosts (/32 routes) instead. Second, ICMP reachability says nothing about the HSM's own service port, which must also be permitted by any firewall between the SE and the HSM.

bash# ssh admin@<SE-MGMT-IP>
bash# ifconfig eth3
eth3      Link encap:Ethernet  HWaddr 02:6a:80:02:11:05
          inet addr:10.160.103.227  Bcast:10.160.103.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4454601 errors:0 dropped:1987 overruns:0 frame:0
          TX packets:4510346 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:672683711 (672.6 MB)  TX bytes:875329395 (875.3 MB)
bash# ip route
default via 10.128.2.1 dev eth0
10.128.1.0/24 via 10.160.103.1 dev eth3
10.128.2.0/24 via 10.160.103.2 dev eth3
10.128.2.0/24 dev eth0  proto kernel  scope link  src 10.128.2.27
10.160.103.0/24 dev eth3  proto kernel  scope link  src 10.160.103.227
bash# ping -I eth3 10.128.1.51
PING 10.128.1.51 (10.128.1.51) from 10.160.103.227 eth3: 56(84) bytes of data.
64 bytes from 10.128.1.51: icmp_seq=1 ttl=62 time=0.229 ms
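The ping above only shows that eth3 can reach one HSM. The following script is an added example for this page, not Avi/NSX ALB tooling: it parses the text that ip route prints, resolves each HSM address with a longest-prefix match (the way the kernel selects among candidate routes) to find the interface the traffic would actually leave through, and reports any prefix that is installed through more than one interface. The embedded routing table is constructed from the ip route output shown on this page; run it on the SE with --live to read the real table, and pass the HSM addresses to check as arguments.

```python
"""Verify where the SE kernel will actually send HSM traffic.

Added example, not Avi/NSX ALB code. Parses 'ip route' output, finds the
egress interface for each HSM address by longest-prefix match, and flags
prefixes installed through more than one interface (where the outcome then
depends on route order and metrics rather than on the HSM configuration).
"""
import ipaddress
import subprocess
import sys

# Constructed sample: the routing table printed on this page.
IP_ROUTE_SAMPLE = """\
default via 10.128.2.1 dev eth0
10.128.1.0/24 via 10.160.103.1 dev eth3
10.128.2.0/24 via 10.160.103.2 dev eth3
10.128.2.0/24 dev eth0  proto kernel  scope link  src 10.128.2.27
10.160.103.0/24 dev eth3  proto kernel  scope link  src 10.160.103.227
"""


def parse_ip_route(text):
    """Turn 'ip route' lines into (network, device, gateway-or-None) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        gw = ipaddress.ip_address(fields[fields.index("via") + 1]) if "via" in fields else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev, gw))
    return routes


def egress_device(routes, host):
    """Longest-prefix match for host; returns the device of the winning route."""
    addr = ipaddress.ip_address(host)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def duplicate_prefixes(routes):
    """Prefixes installed through more than one device: {prefix: [devices]}."""
    by_prefix = {}
    for dst, dev, _ in routes:
        by_prefix.setdefault(dst, set()).add(dev)
    return {str(dst): sorted(devs) for dst, devs in by_prefix.items() if len(devs) > 1}


def check_hsm_routing(text, hsm_ips, hsm_dev="eth3"):
    """Return (misrouted, duplicates): HSM addresses whose best route is not
    hsm_dev, and prefixes present on more than one interface."""
    routes = parse_ip_route(text)
    misrouted = {}
    for ip in hsm_ips:
        dev = egress_device(routes, ip)
        if dev != hsm_dev:
            misrouted[ip] = dev
    return misrouted, duplicate_prefixes(routes)


if __name__ == "__main__":
    text = IP_ROUTE_SAMPLE
    if "--live" in sys.argv:  # on the SE: use the kernel's current table
        text = subprocess.run(["ip", "route"], capture_output=True,
                              text=True, check=True).stdout
    hsm_ips = [a for a in sys.argv[1:] if a != "--live"] or ["10.128.1.51"]
    misrouted, dups = check_hsm_routing(text, hsm_ips)
    for ip, dev in misrouted.items():
        print(f"WARNING: {ip} would leave via {dev}, not the HSM interface")
    for prefix, devs in dups.items():
        print(f"WARNING: {prefix} is routed through {devs}; narrow the HSM route to /32 hosts")
    if not misrouted and not dups:
        print("OK: every HSM address routes via the dedicated interface, no overlapping prefixes")
```

On the page's own table the script reports 10.128.2.0/24 as routed through both eth0 and eth3; a /32 route for each HSM in that range removes the ambiguity.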

Configuring Dedicated Interfaces for HSM Communication on an Existing NSX Advanced Load Balancer Service Engine

The dedicated HSM interfaces on the SEs use the following configuration parameters:

  • avi.hsm-ip.SE

  • avi.hsm-static-routes.SE

  • avi.hsm-vnic-id.SE

For existing SEs, these parameters are added to the /etc/ovf_config file on the SE.

Note:

Entries in this file are comma-separated, so its layout differs slightly from the YAML day-zero file used to spin up new SEs. The parameter names, their formats and their values are exactly the same as for new SEs.


Instructions for Configuring CSP

To add a dedicated HSM vNIC on an existing SE CSP service, perform the following steps:

Note:

In the sample configuration provided below, vNIC3, the fourth NIC on the CSP service, is used.

  1. Power off the SE service from the CSP user interface by navigating to Configuration > Service > Action > Power Off.

  2. Add a new vNIC to the SE with the desired parameters by navigating to Configuration > Service > Action > Service Edit > Add vnic. Provide the VLAN ID, VLAN type, VLAN tagged, Network Name, Model and so on, then click Submit.

  3. Power the SE service back on by navigating to Configuration > Service > Action > Power On.

Instructions for Configuring NSX Advanced Load Balancer Service Engine

Perform the following steps using the Service Engine bash shell.

bash# ssh admin@<SE-MGMT-IP>
bash# sudo su
bash# /opt/avi/scripts/stop_se.sh
bash# mv /var/run/avi/ovf_properties.saved /home/admin
Note:

Move the file; do not copy it. Edit the moved copy to add the three HSM-dedicated NIC parameters as comma-separated entries, in the same formats as for a new SE. The file also holds the SE's controller authentication token (AVICNTRL_AUTHTOKEN), so keep it readable only by root and remove the working copy from /home/admin once it has been copied to /etc/ovf_config. The edited file looks as follows:

bash# cat /home/admin/ovf_properties.saved
AVICNTRL: 10.128.2.18, AVICNTRL_AUTHTOKEN: 1403771c-fc59-4d76-89b2-b3c35682b342,
avi.default-gw.SE: 10.128.2.1,
avi.hsm-ip.SE: 10.160.103.227/24,
avi.hsm-static-routes.SE: [10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2],
avi.hsm-vnic-id.SE: '3',
avi.mgmt-ip.SE: 10.128.2.27, ovf_source: CSP,
uuid: FCE9B12D-A1B0-4EF3-B922-BDC2A5F8AA11
bash# cp /home/admin/ovf_properties.saved /etc/ovf_config
bash# /opt/avi/scripts/start_se.sh
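A mistake in the three HSM parameters (an unmatched bracket, a gateway that is not on the dedicated subnet, a vNIC ID that is not a number) is only discovered after the SE has been restarted, for either the day-zero YAML file or the edited /etc/ovf_config above. The following validator is an added example for this page, not Avi/NSX ALB code. It reads both layouts shown on the page (one key: value per line in the day-zero file, comma-separated entries in /etc/ovf_config) with a small purpose-built splitter rather than a YAML parser, then applies the rules from the parameter table; as one extra check beyond the page, it also flags a static route that overlaps the management subnet. The two inputs embedded in it are constructed from the page's examples, with the authentication token redacted.

```python
"""Validate avi.hsm-ip.SE, avi.hsm-static-routes.SE and avi.hsm-vnic-id.SE
before they are written to a day-zero YAML file or to /etc/ovf_config.

Added example, not Avi/NSX ALB code. IPv4 only; the splitter handles the two
line layouts shown on the page and nothing more.
"""
import ipaddress
import re

HSM_KEYS = ("avi.hsm-ip.SE", "avi.hsm-static-routes.SE", "avi.hsm-vnic-id.SE")
ROUTE_RE = re.compile(r"^(\S+)\s+via\s+(\S+)$")

# Constructed samples, taken from the page's examples (token redacted).
DAY_ZERO_YAML = """\
avi.mgmt-ip.SE: "10.128.2.18"
avi.mgmt-mask.SE: "255.255.255.0"
avi.default-gw.SE: "10.128.2.1"
AVICNTRL: "10.10.22.50"
AVICNTRL_AUTHTOKEN: "<redacted>"
avi.hsm-ip.SE: 10.160.103.227/24
avi.hsm-static-routes.SE: [ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2]
avi.hsm-vnic-id.SE: '3'
"""

OVF_CONFIG = """\
AVICNTRL: 10.128.2.18, AVICNTRL_AUTHTOKEN: <redacted>,
avi.default-gw.SE: 10.128.2.1,
avi.hsm-ip.SE: 10.160.103.227/24,
avi.hsm-static-routes.SE:[10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2],
avi.hsm-vnic-id.SE: '3',
avi.mgmt-ip.SE: 10.128.2.27, ovf_source: CSP,
uuid: FCE9B12D-A1B0-4EF3-B922-BDC2A5F8AA11
"""


def split_entries(text):
    """Split either layout into {key: value}; commas inside [...] do not split."""
    entries, buf, depth = [], [], 0
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == "\n" or (ch == "," and depth == 0):
            entries.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    entries.append("".join(buf))
    params = {}
    for entry in entries:
        if ":" in entry:
            key, value = entry.split(":", 1)
            params[key.strip()] = value.strip().strip("'\"")
    return params


def parse_routes(value):
    """'[net/mask via gw, ...]' -> [(network, gateway)]; raises ValueError."""
    value = value.strip()
    if not (value.startswith("[") and value.endswith("]")):
        raise ValueError("route list must be enclosed in matching [ ]")
    routes = []
    for item in value[1:-1].split(","):
        item = item.strip()
        if not item:
            continue
        m = ROUTE_RE.match(item)
        if not m:
            raise ValueError(f"bad route {item!r}; expected 'network/mask via gateway'")
        # strict network parsing: host bits must be zero, so 10.128.1.5/24 is rejected
        routes.append((ipaddress.ip_network(m.group(1)), ipaddress.ip_address(m.group(2))))
    return routes


def mgmt_network(params):
    """Management subnet from avi.mgmt-ip.SE/avi.mgmt-mask.SE, if both are present."""
    ip, mask = params.get("avi.mgmt-ip.SE"), params.get("avi.mgmt-mask.SE")
    return ipaddress.ip_interface(f"{ip}/{mask}").network if ip and mask else None


def validate_hsm_params(params, mgmt=None):
    """Return a list of problems; an empty list means the parameters are consistent."""
    missing = [k for k in HSM_KEYS if k not in params]
    if missing:
        return ["missing parameter(s): " + ", ".join(missing)]
    problems = []
    if "/" not in params["avi.hsm-ip.SE"]:
        problems.append("avi.hsm-ip.SE needs a prefix length, e.g. 10.160.103.227/24")
    try:  # the SE's own vNIC address, not the HSM's
        hsm_net = ipaddress.ip_interface(params["avi.hsm-ip.SE"]).network
    except ValueError as e:
        return problems + [f"avi.hsm-ip.SE: {e}"]
    if not params["avi.hsm-vnic-id.SE"].isdigit():
        problems.append("avi.hsm-vnic-id.SE must be a numeric vNIC ID")
    try:
        routes = parse_routes(params["avi.hsm-static-routes.SE"])
    except ValueError as e:
        return problems + [f"avi.hsm-static-routes.SE: {e}"]
    for net, gw in routes:
        if gw not in hsm_net:
            problems.append(f"route {net}: gateway {gw} is not on the dedicated subnet {hsm_net}")
        if mgmt is not None and net.overlaps(mgmt):
            problems.append(f"route {net} overlaps the management subnet {mgmt}; "
                            "use /32 host routes for HSMs in that range")
    return problems


if __name__ == "__main__":
    for name, text in (("day-zero YAML", DAY_ZERO_YAML), ("/etc/ovf_config", OVF_CONFIG)):
        p = split_entries(text)
        print(name, validate_hsm_params(p, mgmt_network(p)) or "OK")
```

Run against the page's day-zero sample, the only finding is the 10.128.2.0/24 route overlapping the management subnet; the /etc/ovf_config sample carries no management mask, so that check is skipped and it validates clean.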

Verify that the dedicated vNIC configuration was applied and that the HSM devices are reachable through it. In this sample configuration, the eth3 dedicated HSM interface is configured with 10.160.103.227/24; the same checks and caveats as for a new SE apply to the ip route and ping output.

bash# ssh admin@<SE-MGMT-IP>
bash# ifconfig eth3
eth3      Link encap:Ethernet  HWaddr 02:6a:80:02:11:05
          inet addr:10.160.103.227  Bcast:10.160.103.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4454601 errors:0 dropped:1987 overruns:0 frame:0
          TX packets:4510346 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:672683711 (672.6 MB)  TX bytes:875329395 (875.3 MB)
bash# ip route
default via 10.128.2.1 dev eth0
10.128.1.0/24 via 10.160.103.1 dev eth3
10.128.2.0/24 via 10.160.103.2 dev eth3
10.128.2.0/24 dev eth0  proto kernel  scope link  src 10.128.2.27
10.160.103.0/24 dev eth3  proto kernel  scope link  src 10.160.103.227
bash# ping -I eth3 10.128.1.51
PING 10.128.1.51 (10.128.1.51) from 10.160.103.227 eth3: 56(84) bytes of data.
64 bytes from 10.128.1.51: icmp_seq=1 ttl=62 time=0.229 ms