Configuring Dedicated Interfaces for HSM Communication on an Existing Avi Controller

Background

Dedicated HSM interfaces on an Avi Controller use the following YAML parameters:

  • avi.hsm-ip.Controller
  • avi.hsm-static-routes.Controller
  • avi.hsm-vnic-id.Controller

For an existing Avi Controller, these parameters can be populated in the /etc/ovf_config file. All the parameters in this file are comma-separated, and the file format is slightly different from the YAML file used for spinning up a new Avi Controller. However, the parameters and their respective formats are the same as they are for a new Avi Controller.

YAML parameters

  1. avi.hsm-ip.Controller
    Description: This is the IP address of the dedicated HSM vNIC on the Controller (this is not the IP address of the HSM).
    Format: IP-address/subnet-mask
    Example: avi.hsm-ip.Controller: 10.160.103.230/24

  2. avi.hsm-static-routes.Controller
    Description: These are comma-separated static routes to reach the HSM devices from the respective Avi Controllers. Even /32 routes can be provided.
    Note: If there is a single static route, provide just that one route and ensure the square brackets are still matched. Also, if the HSM devices are in the same subnet as the dedicated interfaces, provide the default gateway of that subnet as the gateway.
    Format: [ hsm-network1/mask1 via gateway1, hsm-network2/mask2 via gateway2 ] or [ hsm-network1/mask1 via gateway1 ]
    Example: avi.hsm-static-routes.Controller: [10.128.1.0/24 via 10.160.103.1, 10.130.1.0/24 via 10.160.103.1]

  3. avi.hsm-vnic-id.Controller
    Description: This is the ID of the dedicated HSM vNIC and is typically 1 on CSP. vNIC0 is the management interface, which is the only interface on Avi Controllers by default.
    Format: 'numeric-vnic-id'
    Example: avi.hsm-vnic-id.Controller: '1'

YAML Parameter | Description | Format | Example
--- | --- | --- | ---
avi.hsm-ip.Controller | IP address of the dedicated HSM vNIC on the Avi Controller (this is not the IP address of the HSM device) | IP-address/subnet-mask | avi.hsm-ip.Controller: 10.160.103.230/24
avi.hsm-static-routes.Controller | Comma-separated static routes to reach the HSM devices from the respective Avi Controllers. Even /32 routes can be provided. | [ hsm-network1/mask1 via gateway1, hsm-network2/mask2 via gateway2 ] or [ hsm-network1/mask1 via gateway1 ] | avi.hsm-static-routes.Controller: [10.128.1.0/24 via 10.160.103.1, 10.130.1.0/24 via 10.160.103.1]
avi.hsm-vnic-id.Controller | ID of the dedicated HSM vNIC; typically 1 on CSP | numeric-vnic-id | avi.hsm-vnic-id.Controller: '1'

Instructions

Follow these steps to add the dedicated HSM vNIC interface on an existing Controller CSP service. In the example below, vNIC1 is configured as the dedicated HSM interface (vNIC0 is the Avi Controller management interface).

Cisco CSP configuration

  1. Navigate to Configuration > Services > Action and select Power Off to power off the Avi Controller service on Cisco CSP.
  2. To add a new vNIC for the Avi Controller with the desired parameters, navigate to Configuration > Services > Action > Service Edit, click Add vNIC, provide the VLAN ID, VLAN type, VLAN tag, network name, model, etc., and choose Submit.
  3. Navigate to Configuration > Services > Action and select Power On to power on the Avi Controller service on Cisco CSP.

Avi Controller configuration

Log in to the Avi Controller bash shell and perform the following steps:


bash# ssh admin@<Controller-MGMT-IP>
bash# sudo su
bash# mv /var/run/avi/ovf_properties.saved /home/admin

Note: Perform a move operation; do not copy this file. Edit the moved file to add the three comma-separated, dedicated-HSM-NIC parameters. The file then looks like the following:


bash# cat /home/admin/ovf_properties.saved
{avi.default-gw.CONTROLLER: 10.128.2.1,
 avi.mgmt-ip.CONTROLLER: 10.128.2.18,
 avi.mgmt-mask.CONTROLLER: 255.255.255.0,
 avi.hsm-ip.CONTROLLER: 10.160.103.230/24,
 avi.hsm-static-routes.CONTROLLER: [10.128.1.0/24 via 10.160.103.1, 10.130.1.0/24 via 10.160.103.1],
 avi.hsm-vnic-id.CONTROLLER: '1',
 ovf_source: CSP, uuid: E8FEBCCD-497E-4458-A933-B8317C1D8743}

bash# cp /home/admin/ovf_properties.saved /etc/ovf_config
bash# shutdown -h now

Verify that the dedicated vNIC configuration is applied correctly and that the HSM devices are reachable via the dedicated interface. In this case, the interface eth1 is configured as the dedicated HSM interface with IP 10.160.103.230/24.


bash# ssh admin@<CONTROLLER-MGMT-IP>
bash# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 02:4a:80:02:11:04  
          inet addr:10.160.103.230  Bcast:10.160.103.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:342620 errors:0 dropped:2855 overruns:0 frame:0
          TX packets:78 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:29201376 (29.2 MB)  TX bytes:11230 (11.2 KB)
bash# ip route
default via 10.128.2.1 dev eth0 
10.128.1.0/24 via 10.160.103.1 dev eth1 
10.128.2.0/24 dev eth0  proto kernel  scope link  src 10.128.2.18 
10.130.1.0/24 via 10.160.103.1 dev eth1 
10.160.103.0/24 dev eth1  proto kernel  scope link  src 10.160.103.218 
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 
bash# ping -I eth1 10.130.1.10
PING 10.130.1.10 (10.130.1.10) from 10.160.103.230 eth1: 56(84) bytes of data.
64 bytes from 10.130.1.10: icmp_seq=1 ttl=62 time=0.229 ms
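
The following script is an added example, not Avi's own tooling or part of the original article. It turns the parameter format described above into a small generator for the three /etc/ovf_config lines (always wrapping the route list in [ ], so a single route cannot end up with unmatched brackets), and it checks an `ip route` listing after the reboot so that every HSM network really leaves via the dedicated vNIC and not the management interface. The function names are hypothetical; the CONTROLLER key spelling follows the ovf_properties.saved sample above, and the SAMPLE_ROUTES table is constructed from the article's `ip route` output with one deliberately misrouted network added.

```shell
#!/bin/sh
# Added example (not Avi's own tooling): build the three dedicated-HSM
# parameters for /etc/ovf_config with the format the article describes, and
# check a Controller's route table after reboot so that every HSM network
# leaves via the dedicated vNIC rather than the management interface.
# Function names are hypothetical; the CONTROLLER key spelling follows the
# ovf_properties.saved sample in the article.

# Return 0 if $1 is a well-formed IPv4 CIDR such as 10.160.103.230/24.
valid_cidr() {
  local ip prefix o oldIFS
  case $1 in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; prefix=${1#*/}
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  oldIFS=$IFS; IFS=.; set -- $ip; IFS=$oldIFS
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# Print the three comma-terminated lines to paste into /etc/ovf_config.
#   $1       vNIC IP in CIDR form (the Controller's address, not the HSM's)
#   $2       numeric vNIC id (1 on CSP when vNIC0 is management)
#   $3...    one or more routes written as "hsm-network/mask via gateway"
# The route list is always wrapped in [ ], so a single route still gets
# matching brackets (the mismatch the article's note warns about).
hsm_ovf_lines() {
  local ip vnic joined r net gw
  ip=$1; vnic=$2; shift 2
  valid_cidr "$ip" || { echo "bad hsm-ip: $ip" >&2; return 1; }
  case $vnic in ''|*[!0-9]*) echo "bad vnic id: $vnic" >&2; return 1 ;; esac
  [ $# -ge 1 ] || { echo "at least one static route is required" >&2; return 1; }
  joined=
  for r in "$@"; do
    case $r in *" via "*) ;; *) echo "bad route: $r" >&2; return 1 ;; esac
    net=${r%% via *}; gw=${r##* via }
    valid_cidr "$net" && valid_cidr "$gw/32" || { echo "bad route: $r" >&2; return 1; }
    joined="${joined:+$joined, }$r"
  done
  printf 'avi.hsm-ip.CONTROLLER: %s,\n' "$ip"
  printf 'avi.hsm-static-routes.CONTROLLER: [%s],\n' "$joined"
  printf "avi.hsm-vnic-id.CONTROLLER: '%s',\n" "$vnic"
}

# Read `ip route` output on stdin and confirm each HSM network in $2... has a
# gateway route on device $1. Returns 1 if any network is missing or leaves
# via another interface (for example the management vNIC, eth0).
check_hsm_routes() {
  local dev table rc net key
  dev=$1; shift
  table=$(cat); rc=0
  for net in "$@"; do
    key=${net%/32}   # ip route prints host routes without the /32 suffix
    if printf '%s\n' "$table" | awk -v net="$key" -v dev="$dev" \
        '$1 == net && $2 == "via" && $4 == "dev" && $5 == dev { found = 1 }
         END { exit !found }'; then
      echo "ok   $net via $dev"
    else
      echo "FAIL $net is not routed via $dev" >&2; rc=1
    fi
  done
  return $rc
}

# Demo with the article's values. SAMPLE_ROUTES is a constructed route table
# based on the article's `ip route` output, plus one deliberately wrong entry
# (10.131.1.0/24 via the management interface) to show the failure case.
hsm_ovf_lines 10.160.103.230/24 1 \
  "10.128.1.0/24 via 10.160.103.1" "10.130.1.0/24 via 10.160.103.1"
SAMPLE_ROUTES='default via 10.128.2.1 dev eth0
10.128.1.0/24 via 10.160.103.1 dev eth1
10.128.2.0/24 dev eth0  proto kernel  scope link  src 10.128.2.18
10.130.1.0/24 via 10.160.103.1 dev eth1
10.131.1.0/24 via 10.128.2.1 dev eth0
10.160.103.0/24 dev eth1  proto kernel  scope link  src 10.160.103.230'
printf '%s\n' "$SAMPLE_ROUTES" \
  | check_hsm_routes eth1 10.128.1.0/24 10.130.1.0/24 10.131.1.0/24 \
  || echo "demo: an HSM network is leaving via the management interface"
# On a live Controller:  ip route | check_hsm_routes eth1 10.128.1.0/24 10.130.1.0/24
```

The route check deliberately insists on a `via <gateway> dev <dedicated-vnic>` entry for each HSM network: a network that is reachable only through the default route on eth0 would still answer a plain `ping`, but the HSM traffic would then be crossing the management network, which is exactly what the dedicated interface is meant to avoid.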

Additional Information

For the different types of supported configurations for HSM and ASM communication on Avi Vantage, refer to How to configure dedicated interfaces for HSM and ASM communication on Cisco CSP.