Configuring Dedicated Interfaces for HSM Communication on New Avi Service Engines

Overview

Avi supports a dedicated interface on Service Engines for HSM communication in the following environments:

  • Cisco CSP
  • vCenter No Orchestrator Mode

Note: Starting with Avi Vantage version 20.1.5, dedicated interfaces for Service Engines deployed in vCenter No Orchestrator environments are supported.

Dedicated hardware security module (HSM) interfaces on Avi Service Engines use the following configuration parameters:

  • avi.hsm-ip.SE
  • avi.hsm-static-routes.SE
  • avi.hsm-vnic-id.SE

Parameters

  1. avi.hsm-ip.SE
    Description – This is the IP address of the dedicated HSM vNIC on the SE (this is NOT the IP address of the HSM).
    Format – IP-address/subnet-mask
    Example – avi.hsm-ip.SE: 10.160.103.227/24

  2. avi.hsm-static-routes.SE
    Description – These are comma-separated static routes to reach the HSM devices. Even /32 (host) routes can be provided.
    Note: If there is a single static route, provide that one route and ensure the square brackets are matched. Also, if the HSM devices are in the same subnet as the dedicated interface, provide the default gateway of that subnet as the gateway.
    Format – [ hsm network1/mask1 via gateway1, hsm network2/mask2 via gateway2 ] OR [ hsm network1/mask1 via gateway1 ]
    Example – avi.hsm-static-routes.SE: [ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2 ]

  3. avi.hsm-vnic-id.SE
    Description – For CSP, this is the ID of the dedicated HSM vNIC and is typically 3 on CSP (vNIC0 is the management interface, vNIC1 is the data-in interface and vNIC2 is the data-out interface). For vCenter No Orchestrator, this is the vNIC ID (e.g. '3' for Eth3).
    Format – 'numeric vNIC ID' (quoted).
    Example – avi.hsm-vnic-id.SE: '3'

Instructions

Cisco CSP

A sample YAML file for the Day Zero configuration on the CSP is shown below:

bash# cat avi_meta_data_dedicated_hsm_SE.yml
avi.mgmt-ip.SE: "10.128.2.18"
avi.mgmt-mask.SE: "255.255.255.0"
avi.default-gw.SE: "10.128.2.1"
AVICNTRL: "10.10.22.50"
AVICNTRL_AUTHTOKEN: "febab55d-995a-4523-8492-f798520d4515"
avi.hsm-ip.SE: 10.160.103.227/24
avi.hsm-static-routes.SE: [ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2 ]
avi.hsm-vnic-id.SE: '3'
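The three avi.hsm-*.SE parameters described in the Parameters section are easy to get subtly wrong (unmatched brackets, a gateway that is not on the dedicated subnet), and a misconfigured file only shows up later as an unreachable HSM. The following added example (not Avi's own code) reads a Day Zero file like the one above with a minimal key/value reader, parses the static-route list, and reports inconsistencies; it assumes, as the ip route output later on this page shows, that each route is installed via its gateway on the dedicated interface, so the gateway must lie in the avi.hsm-ip.SE subnet.

```python
import ipaddress
import re

ROUTE_RE = re.compile(r"^\s*(\S+)\s+via\s+(\S+)\s*$")

# Constructed sample reusing the values from the Day Zero YAML shown on this page.
SAMPLE_YAML = """\
avi.mgmt-ip.SE: "10.128.2.18"
avi.hsm-ip.SE: 10.160.103.227/24
avi.hsm-static-routes.SE: [ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2 ]
avi.hsm-vnic-id.SE: '3'
"""

def load_params(text):
    """Minimal 'key: value' reader so the example needs no YAML library."""
    params = {}
    for line in text.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition(":")
            params[key.strip()] = value.strip().strip("'\"")
    return params

def parse_hsm_routes(value):
    """Parse '[ net/mask via gw, ... ]' into a list of (network, gateway) pairs."""
    text = value.strip()
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError("avi.hsm-static-routes.SE must be enclosed in matching square brackets")
    routes = []
    for item in text[1:-1].split(","):
        m = ROUTE_RE.match(item)
        if not m:
            raise ValueError(f"bad route entry: {item.strip()!r}")
        routes.append((ipaddress.ip_network(m.group(1), strict=False),
                       ipaddress.ip_address(m.group(2))))
    return routes

def check_hsm_config(params):
    """Return the list of problems found (an empty list means the parameters are consistent)."""
    problems = []
    try:
        iface = ipaddress.ip_interface(params.get("avi.hsm-ip.SE", ""))
    except ValueError:
        return ["avi.hsm-ip.SE missing or not in IP-address/subnet-mask form"]
    if not params.get("avi.hsm-vnic-id.SE", "").isdigit():
        problems.append("avi.hsm-vnic-id.SE must be a numeric vNIC ID")
    try:
        routes = parse_hsm_routes(params.get("avi.hsm-static-routes.SE", ""))
    except ValueError as e:
        return problems + [str(e)]
    for net, gw in routes:
        # Assumption: the SE installs each route 'via gw dev ethN', so gw must be on-link.
        if gw not in iface.network or gw == iface.ip:
            problems.append(f"gateway {gw} for {net} is not a usable next hop on {iface.network}")
    return problems

if __name__ == "__main__":
    print(check_hsm_config(load_params(SAMPLE_YAML)) or "OK")
```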

Once an Avi Service Engine is created with the Day Zero configuration file and the appropriate virtual NIC interfaces are added to the SE service instance on Cisco CSP, verify that the dedicated vNIC configuration has been applied successfully and that the HSM devices are reachable via this interface. In this case, interface eth3 (the dedicated HSM interface) is configured with IP 10.160.103.227/24.

Log in to the bash prompt of the Avi SE, check the routing table with the ip route command, and run a ping test sourced from the dedicated interface to confirm the HSM is reachable through it.

bash# ssh admin@<SE-MGMT-IP>
bash# ifconfig eth3
eth3      Link encap:Ethernet  HWaddr 02:6a:80:02:11:05
          inet addr:10.160.103.227  Bcast:10.160.103.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4454601 errors:0 dropped:1987 overruns:0 frame:0
          TX packets:4510346 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:672683711 (672.6 MB)  TX bytes:875329395 (875.3 MB)
bash# ip route
default via 10.128.2.1 dev eth0
10.128.1.0/24 via 10.160.103.1 dev eth3
10.128.2.0/24 via 10.160.103.2 dev eth3
10.128.2.0/24 dev eth0  proto kernel  scope link  src 10.128.2.27
10.160.103.0/24 dev eth3  proto kernel  scope link  src 10.160.103.227
bash# ping -I eth3 <HSM-IP>
bash# ping -I eth3 10.128.1.51
PING 10.128.1.51 (10.128.1.51) from 10.160.103.227 eth3: 56(84) bytes of data.
64 bytes from 10.128.1.51: icmp_seq=1 ttl=62 time=0.229 ms

vCenter No-Orchestrator

When the Service Engine is being deployed, add the OVF properties listed above to the VM. For an existing Service Engine, power off the SE VM, add the OVF properties, and power the VM back on.

Additional Information

For different types of supported configuration for HSM and ASM communication on Avi Vantage, refer to How to configure dedicated interfaces for HSM and ASM communication on Cisco CSP.

Document Revision History

Date: April 15, 2020
Change Summary: Updated the content for dedicated interfaces for Service Engines deployed in vCenter No Orchestrator environments (Version 20.1.5)