This section explains how to configure dedicated interfaces for HSM communication on a new and an existing Controller.

Configuring Dedicated Interfaces for HSM Communication on a new Controller

For configuration on a new Controller, the following YML parameters can be provided in the day-zero YAML file:

  • avi.hsm-ip.Controller

  • avi.hsm-static-routes.Controller

  • avi.asm-vnic-id.Controller

YAML Parameter

Description

Format

Example

avi.hsm-ip.Controller

IP address of the dedicated HSM vNIC on the Controller (this is not the IP address of the HSM device)

IP-address/subnet-mask

avi.hsm-ip.SE: 10.160.103.230/24

avi.hsm-static-routes.Controller

These are comma-separated, static routes to reach the HSM devices from the respective Controllers. Even /32 routes can be provided.

Note: If there is a single static route, provide the same and ensure the square brackets are matched. Also, if the HSM devices are in the same subnet as the dedicated interfaces, provide the gateway as the default gateway for the subnet.

[hsm-network1/mask1 via gateway1, hsm-network2/mask2 via gateway2] or [hsm-network1/mask1 via gateway1]

avi.hsm-static-routes.Controller: [10.128.1.0/24 via 10.160.103.1, 10.130.1.0/24 via 10.160.103.1]

avi.asm-vnic-id.Controller

This is the ID of the dedicated HSM vNIC and is typically 1 on CSP. vNIC0 is the management interface, which is the only interface on the Controllers by default.

numeric-vnic-id

avi.hsm-vnic-id.Controller: '1'

Instructions

A sample Controller service YAML file for the day-zero configuration on the CSP is as follows:

bash# cat avi_meta_data_ctlr-dedicated-hsm.yml 

avi.default-gw.Controller: 10.128.2.1
avi.mgmt-ip.Controller: 10.128.2.30
avi.mgmt-mask.Controller: 255.255.255.0
avi.hsm-ip.Controller: 10.160.103.230/24
avi.hsm-static-routes.Controller: [10.128.1.0/24 via 10.160.103.1, 10.130.1.0/24 via 10.160.103.1]
avi.hsm-vnic-id.Controller: '1'

Once the Controller is created with this day-zero configuration and additional virtual NIC interface is added to the Controller service instance on CSP, verify that the dedicated vNIC configuration is applied successfully and the HSM devices are reachable via the dedicated interface. In this case we configured eth1 as the dedicated HSM interface with IP 10.160.103.230/24.

bash# ssh admin@<CONTROLLER-MGMT-IP>
bash# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 02:4a:80:02:11:04  
          inet addr:10.160.103.230  Bcast:10.160.103.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:342620 errors:0 dropped:2855 overruns:0 frame:0
          TX packets:78 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:29201376 (29.2 MB)  TX bytes:11230 (11.2 KB)
bash# ip route
default via 10.128.2.1 dev eth0 
10.128.1.0/24 via 10.160.103.1 dev eth1 
10.128.2.0/24 dev eth0  proto kernel  scope link  src 10.128.2.18 
10.130.1.0/24 via 10.160.103.1 dev eth1 
10.160.103.0/24 dev eth1  proto kernel  scope link  src 10.160.103.218 
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 
bash# ping -I eth1 <HSM-IP>
ping -I eth1 10.130.1.10
PING 10.130.1.10 (10.130.1.10) from 10.160.103.230 eth1: 56(84) bytes of data.
64 bytes from 10.130.1.10: icmp_seq=1 ttl=62 time=0.229 ms

Configuring Dedicated Interfaces for HSM Communication on an existing NSX Advanced Load Balancer Controller

The dedicated HSM interfaces on an existing Controller uses the following YAML parameters:

  • avi.hsm-ip.Controller

  • avi.hsm-static-routes.Controller

  • avi.hsm-vnic-id.Controller

For an existing Controller, these parameters can be populated in the /etc/ovf_config file. All the parameters in this file are comma-separated, and the file format is slightly different from the YAML file used for spinning up a new Controller. However, the parameters and their respective formats are same as they are for a new Controller.

YAML Parameters

YAML Parameter

Description

Format

Example

avi.hsm-ip.Controller

IP address of the dedicated HSM vNIC onNSX Advanced Load Balancer Controller (this is not the IP address of the HSM device)

IP-address/subnet-mask

avi.hsm-ip.SE: 10.160.103.230/24

avi.hsm-static-routes.Controller

These are comma-separated, static routes to reach the HSM devices from the respective Controllers. Even /32 routes can be provided.

Note: If there is a single static route, provide the same and ensure the square brackets are matched. Also, if the HSM devices are in the same subnet as the dedicated interfaces, provide the gateway as the default gateway for the subnet.

[hsm-network1/mask1 via gateway1, hsm-network2/mask2 via gateway2] or [hsm-network1/mask1 via gateway1]

avi.hsm-static-routes.Controller: [10.128.1.0/24 via 10.160.103.1, 10.130.1.0/24 via 10.160.103.1]

avi.asm-vnic-id.Controller

ID of the dedicated HSM vNIC and is typically 1 on CSP

numeric-vnic-id

avi.hsm-vnic-id.Controller: '1'

Instructions for Configuring Cisco CSP

Follow these steps to add the dedicated HSM vnic interfaces on an existing Controller CSP service. In the example mentioned below, vNIC1 is configured as the dedicated HSM interface (vNIC0 is the NSX Advanced Load Balancer Controller management interface)

  • Navigate to Configuration > Services > Action and select Power Off to power off the SE service on Cisco CSP.

  • To add a new vNIC for the Controller with the desired parameters, navigate to Configuration > Services > Action > Service Edit, click on Add vNIC and provide VLAN ID, VLAN type, VLAN tag, network name, Model etc., and click Submit.

  • Navigate to Configuration > Services > Action and clickPower On to power on the Controller service on Cisco CSP.

Instructions for Configuring the Controller

Login to the Controller bash shell and perform the following steps:

bash# cat avi_meta_data_ctlr-dedicated-hsm.yml 
ssh admin@<Controller-MGMT-IP>
	bash#
	bash# sudo su
	bash# mv /var/run/avi/ovf_properties.saved /home/admin
Note:

Perform a move operation; do not copy this file. Edit it to provide the three comma-separated, HSM dedicated NIC related parameters.

The file looks like the following:

bash# cat /home/admin/ovf_properties.saved
{avi.default-gw.CONTROLLER: 10.128.2.1, 
avi.mgmt-ip.CONTROLLER: 10.128.2.18, 
avi.mgmt-mask.CONTROLLER: 255.255.255.0,
   avi.hsm-ip.CONTROLLER: 10.160.103.230/24,
   avi.hsm-static-routes.CONTROLLER: [10.128.1.0/24 via   10.160.103.1, 10.130.1.0/24 via 10.160.103.1],
   avi.hsm-vnic-id.CONTROLLER: '1',
   ovf_source: CSP, uuid: E8FEBCCD-497E-4458-A933-B8317C1D8743}

  bash# cp /home/admin/ovf_properties.saved /etc/ovf_config
  bash# shutdown -h now

Verify that the dedicated vNIC configuration is applied correctly and the HSM devices are reachable via the dedicated interface. In this case , the interface eth1 is configured as the dedicated HSM interface with IP 10.160.103.230/24.

bash# ssh admin@<CONTROLLER-MGMT-IP>
bash# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 02:4a:80:02:11:04  
          inet addr:10.160.103.230  Bcast:10.160.103.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:342620 errors:0 dropped:2855 overruns:0 frame:0
          TX packets:78 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:29201376 (29.2 MB)  TX bytes:11230 (11.2 KB)
bash# ip route
default via 10.128.2.1 dev eth0 
10.128.1.0/24 via 10.160.103.1 dev eth1 
10.128.2.0/24 dev eth0  proto kernel  scope link  src 10.128.2.18 
10.130.1.0/24 via 10.160.103.1 dev eth1 
10.160.103.0/24 dev eth1  proto kernel  scope link  src 10.160.103.218 
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 
bash# ping -I eth1 <HSM-IP>
ping -I eth1 10.130.1.10
PING 10.130.1.10 (10.130.1.10) from 10.160.103.230 eth1: 56(84) bytes of data.
64 bytes from 10.130.1.10: icmp_seq=1 ttl=62 time=0.229 ms