Configuring Dedicated Interfaces for HSM Communication on an Existing Avi Service Engine

Background

Dedicated hardware security module (HSM) interfaces on Avi Service Engines use the following configuration parameters:

  • avi.hsm-ip.SE
  • avi.hsm-static-routes.SE
  • avi.hsm-vnic-id.SE

For existing SEs, these parameters can be populated in the /etc/ovf_config file.

Note: In this file all parameters are written as one comma-separated list, so the file format differs slightly from the YAML file used to spin up new Service Engines. The parameter names and the format of each value are exactly the same as for new Service Engines.

YAML parameters

  1. avi.hsm-ip.SE
    Description: This is the IP address of the dedicated HSM vNIC on the SE (this is NOT the IP address of the HSM).
    Format: IP-address/subnet-mask.
    Example: avi.hsm-ip.SE: 10.160.103.227/24

  2. avi.hsm-static-routes.SE
    Description: These are comma-separated, static routes to reach HSM devices. Even /32 routes can be provided.
    Note: If there is a single static route, still enclose it in square brackets and make sure the brackets are matched. If the HSM devices are in the same subnet as the dedicated interface, use the default gateway of that subnet as the gateway.
    Format: [ hsm network1/mask1 via gateway1, hsm network2/mask2 via gateway2 ] OR [ hsm network1/mask1 via gateway1 ]
    Example: avi.hsm-static-routes.SE:[ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2]

  3. avi.hsm-vnic-id.SE
    Description: This is the ID of the dedicated HSM vNIC and is typically 3 on CSP (vNIC0 is the management interface, vNIC1 the data-in interface, and vNIC2 the data-out interface).
    Format: 'numeric vNIC ID' (quoted).
    Example: avi.hsm-vnic-id.SE: '3'


Instructions

CSP Configuration

To add a dedicated HSM vNIC to an existing SE service on CSP, perform the following steps.

Note: In the sample configuration below, vNIC3 is used, which is actually the fourth NIC on the CSP service.

  1. Power off the Avi SE service: in the CSP user interface, navigate to Configuration > Service > Action > Power Off.
  2. Add a new vNIC to the SE with the desired parameters: navigate to Configuration > Service > Action > Service Edit > Add vnic, provide the VLAN ID, VLAN type, VLAN tagged, Network Name, Model, etc., and click Submit.
  3. Power the SE service back on: navigate to Configuration > Service > Action > Power On.

Avi Service Engine Configuration

  1. Perform the following steps in the Avi Service Engine bash shell. Stop the SE before touching the saved OVF properties:

 ssh admin@<SE-MGMT-IP>
 bash# sudo su
 bash# /opt/avi/scripts/stop_se.sh
 bash# mv /var/run/avi/ovf_properties.saved /home/admin


Note: Perform a move operation; do not copy this file. Edit the moved file to add the three comma-separated HSM-dedicated NIC parameters (avi.hsm-ip.SE, avi.hsm-static-routes.SE and avi.hsm-vnic-id.SE) in the formats described above. After editing, the file looks like the following:


  bash# cat /home/admin/ovf_properties.saved
  AVICNTRL: 10.128.2.18, AVICNTRL_AUTHTOKEN: 1403771c-fc59-4d76-89b2-b3c35682b342,
  avi.default-gw.SE: 10.128.2.1,
  avi.hsm-ip.SE: 10.160.103.227/24,
  avi.hsm-static-routes.SE:[10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2],
  avi.hsm-vnic-id.SE: '3',
  avi.mgmt-ip.SE: 10.128.2.27, ovf_source: CSP,
  uuid: FCE9B12D-A1B0-4EF3-B922-BDC2A5F8AA11
  

  bash# cp /home/admin/ovf_properties.saved /etc/ovf_config
  bash# /opt/avi/scripts/start_se.sh
  
  2. Verify that the dedicated vNIC information has been applied and that the HSM devices are reachable through this interface. In this sample configuration, the dedicated HSM interface eth3 is configured with IP 10.160.103.227/24; the two static routes should show up with dev eth3, and a ping to an HSM (here 10.128.1.51) sourced from eth3 should be answered.

 bash# ssh admin@<SE-MGMT-IP>
 bash# ifconfig eth3
 eth3      Link encap:Ethernet  HWaddr 02:6a:80:02:11:05
           inet addr:10.160.103.227  Bcast:10.160.103.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:4454601 errors:0 dropped:1987 overruns:0 frame:0
           TX packets:4510346 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:672683711 (672.6 MB)  TX bytes:875329395 (875.3 MB)
 bash# ip route
 default via 10.128.2.1 dev eth0
 10.128.1.0/24 via 10.160.103.1 dev eth3
 10.128.2.0/24 via 10.160.103.2 dev eth3
 10.128.2.0/24 dev eth0  proto kernel  scope link  src 10.128.2.27
 10.160.103.0/24 dev eth3 proto kernel  scope link  src 10.160.103.227
 bash# ping -I eth3 10.128.1.51        # <HSM-IP>
 PING 10.128.1.51 (10.128.1.51) from 10.160.103.227 eth3: 56(84) bytes of data.
 64 bytes from 10.128.1.51: icmp_seq=1 ttl=62 time=0.229 ms
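As an added example (not Avi or Cisco code), the Python script below checks an ovf_config-style properties string for the three HSM parameters and then confirms the result against `ip route` output, automating the manual checks above. It splits the file only on commas that sit outside the square brackets, so an unmatched bracket in avi.hsm-static-routes.SE is reported instead of silently swallowing the next key; it rejects a gateway that is not inside the avi.hsm-ip.SE subnet, because the kernel cannot install a `via` route through an off-link gateway on the dedicated interface; and it requires a numeric avi.hsm-vnic-id.SE. The sample strings are constructed from the values on this page, and the mapping of vNIC ID N to Linux device ethN is an assumption taken from the eth3 sample. On the page's own values it reports no errors, but it does warn that the 10.128.2.0/24 route also covers the controller (10.128.2.18) and management (10.128.2.27) addresses, which is worth a second look before relying on that route.

```python
# Added example (not Avi/Cisco code); samples reuse this page's values. Assumption: vNIC id N is Linux device ethN.
import ipaddress
import re

HSM_KEYS = ("avi.hsm-ip.SE", "avi.hsm-static-routes.SE", "avi.hsm-vnic-id.SE")
ROUTE_RE = re.compile(r"^(\S+)\s+via\s+(\S+)$")

# Constructed sample in the comma-separated /etc/ovf_config format.
SAMPLE_OVF = ("AVICNTRL: 10.128.2.18, AVICNTRL_AUTHTOKEN: 1403771c-fc59-4d76-89b2-b3c35682b342, "
              "avi.default-gw.SE: 10.128.2.1, avi.hsm-ip.SE: 10.160.103.227/24, "
              "avi.hsm-static-routes.SE:[10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2], "
              "avi.hsm-vnic-id.SE: '3', avi.mgmt-ip.SE: 10.128.2.27, ovf_source: CSP, "
              "uuid: FCE9B12D-A1B0-4EF3-B922-BDC2A5F8AA11")
SAMPLE_IP_ROUTE = """\
default via 10.128.2.1 dev eth0
10.128.1.0/24 via 10.160.103.1 dev eth3
10.128.2.0/24 via 10.160.103.2 dev eth3
10.128.2.0/24 dev eth0  proto kernel  scope link  src 10.128.2.27
10.160.103.0/24 dev eth3 proto kernel  scope link  src 10.160.103.227
"""


def split_top_level(text):
    """Split on commas outside [...]; an unmatched bracket is reported, not swallowed."""
    if text.count("[") != text.count("]"):
        raise ValueError("unmatched [ ] in ovf_config")
    return [i.strip() for i in re.split(r",(?![^\[]*\])", text) if i.strip()]


def parse_ovf_config(text):
    """'key: value, key: value, ...' -> dict (the routes value keeps its inner commas)."""
    props = {}
    for item in split_top_level(text):
        key, sep, value = item.partition(":")
        if not sep:
            raise ValueError(f"entry without ':' -> {item!r}")
        props[key.strip()] = value.strip()
    return props


def parse_static_routes(value):
    """'[net/mask via gw, ...]' -> [(IPv4Network, IPv4Address)]; host bits set is an error."""
    value = value.strip()
    if not (value.startswith("[") and value.endswith("]")):
        raise ValueError("avi.hsm-static-routes.SE must be enclosed in [ ]")
    routes = []
    for spec in filter(None, (s.strip() for s in value[1:-1].split(","))):
        m = ROUTE_RE.match(spec)
        if not m:
            raise ValueError(f"bad route spec {spec!r}, want 'net/mask via gateway'")
        routes.append((ipaddress.ip_network(m.group(1)), ipaddress.ip_address(m.group(2))))
    return routes


def validate_hsm_params(props):
    """Return (errors, warnings); any error means the SE gets no usable HSM path."""
    errors, warnings = [f"missing {k}" for k in HSM_KEYS if k not in props], []
    if errors or "/" not in props["avi.hsm-ip.SE"]:
        return errors or ["avi.hsm-ip.SE must be IP-address/subnet-mask"], warnings
    try:
        hsm_if = ipaddress.ip_interface(props["avi.hsm-ip.SE"])
        routes = parse_static_routes(props["avi.hsm-static-routes.SE"])
        peers = {k: ipaddress.ip_address(props[k]) for k in ("AVICNTRL", "avi.mgmt-ip.SE") if k in props}
    except ValueError as e:
        return [str(e)], warnings
    vnic = props["avi.hsm-vnic-id.SE"].strip("'\"")
    if not vnic.isdigit():
        errors.append(f"avi.hsm-vnic-id.SE {vnic!r} is not numeric")
    elif int(vnic) < 3:
        warnings.append(f"vNIC {vnic} is a management/data vNIC on CSP; the HSM vNIC is normally 3")
    for net, gw in routes:
        if gw not in hsm_if.network:  # the kernel cannot install 'via gw dev ethN' otherwise
            errors.append(f"gateway {gw} for {net} is not on the HSM subnet {hsm_if.network}")
        for name, addr in peers.items():  # would controller/management traffic move to ethN?
            if addr in net:
                warnings.append(f"{net} via {gw} also covers {name}={addr}; "
                                "that traffic may be steered onto the HSM vNIC")
    return errors, warnings


def check_ovf_text(text):
    """Parse and validate in one call; a parse failure is returned as the only error."""
    try:
        return validate_hsm_params(parse_ovf_config(text))
    except ValueError as e:
        return [str(e)], []


def missing_routes(ip_route_output, props):
    """Configured HSM routes (and the connected subnet) that `ip route` does not show on ethN."""
    dev = "eth" + props["avi.hsm-vnic-id.SE"].strip("'\"")  # assumption: ethN for vNIC N
    hsm_if = ipaddress.ip_interface(props["avi.hsm-ip.SE"])
    table = [line.split() for line in ip_route_output.strip().splitlines()]
    absent = [f"{net} via {gw} dev {dev}"
              for net, gw in parse_static_routes(props["avi.hsm-static-routes.SE"])
              if not any(row[:5] == [str(net), "via", str(gw), "dev", dev] for row in table)]
    if not any(row[:3] == [str(hsm_if.network), "dev", dev] for row in table):
        absent.append(f"{hsm_if.network} dev {dev} (connected route; is the address applied?)")
    return absent
```

On a real SE, feed check_ovf_text() the contents of /etc/ovf_config before running start_se.sh and stop on any error; after the SE is up, feed missing_routes() the output of ip route, and treat anything it returns as a route the kernel did not install, which is what a ping -I eth3 would then also fail to confirm.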
 

Additional Information

For the other supported configurations for HSM and ASM communication on Avi Vantage, refer to How to configure dedicated interfaces for HSM and ASM communication on Cisco CSP.