Configuring Dedicated Interfaces for HSM and Sideband Communication on a new Avi SE
Background
This article explains how to configure dedicated interfaces for hardware security module (HSM) and sideband (ASM) communication on a new Avi Service Engine. Dedicated HSM and sideband interfaces on Avi Service Engines use the following configuration parameters. For new SEs, these parameters can be provided in the day-zero YAML file.
YAML parameters
HSM parameters

YAML Parameter | Description | Format | Example |
---|---|---|---|
avi.hsm-ip.SE | IP address of the dedicated HSM vNIC on the SE (this is NOT the IP address of the HSM device) | IP-address/subnet-mask | avi.hsm-ip.SE: 10.160.103.227/24 |
avi.hsm-static-routes.SE | Comma-separated static routes to reach the HSM devices; /32 routes are also accepted | [ hsm network1/mask1 via gateway1, hsm network2/mask2 via gateway2 ] OR [ hsm network1/mask1 via gateway1 ] | avi.hsm-static-routes.SE: [ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2 ] |
avi.hsm-vnic-id.SE | ID of the dedicated HSM vNIC, typically 3 on CSP (vNIC0 is the management interface, vNIC1 the data-in interface, and vNIC2 the data-out interface) | 'numeric vNIC ID' | avi.hsm-vnic-id.SE: '3' |

Note: If there is a single static route, still enclose it in square brackets and make sure the brackets are matched. If the HSM devices are in the same subnet as the dedicated interface, use the default gateway of that subnet as the gateway.
ASM parameters

YAML Parameter | Description | Format | Example |
---|---|---|---|
avi.asm-ip.SE | IP address of the dedicated sideband (ASM) vNIC on the SE (this is NOT the self IP or virtual service IP of the ASM device) | IP-address/subnet-mask | avi.asm-ip.SE: 10.160.103.227/24 |
avi.asm-static-routes.SE | Comma-separated static routes to reach the sideband ASM virtual service IPs; /32 routes are also accepted. The gateway is the self IP of the ASM device | [ asm-vip-network1/mask1 via gateway1, asm-vip-network2/mask2 via gateway2 ] or [ asm-vip-network1/mask1 via gateway1 ] | avi.asm-static-routes.SE: [169.254.1.0/24 via 10.160.102.1, 169.254.2.0/24 via 10.160.102.2] |
avi.asm-vnic-id.SE | ID of the dedicated ASM vNIC, typically 3 on CSP (vNIC0 is the management interface, vNIC1 the data-in interface, and vNIC2 the data-out interface) | 'numeric vNIC ID' | avi.asm-vnic-id.SE: '3' |

Note: If there is a single static route, still enclose it in square brackets and make sure the brackets are matched. If the ASM virtual service IPs are in the same subnet as the dedicated interface, use the default gateway of that subnet as the gateway.
Instructions
A sample Service Engine YAML file for the Day Zero configuration on Cisco CSP looks like the following (note the space after the colon on every line, which YAML requires for the value to be read as a list):

```
bash# cat avi_meta_data_dedicated_asm_hsm_SE.yml
avi.mgmt-ip.SE: "10.128.2.18"
avi.mgmt-mask.SE: "255.255.255.0"
avi.default-gw.SE: "10.128.2.1"
AVICNTRL: "10.10.22.50"
AVICNTRL_AUTHTOKEN: "febab55d-995a-4523-8492-f798520d4515"
avi.hsm-ip.SE: 10.160.103.227/24
avi.hsm-static-routes.SE: [ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2 ]
avi.hsm-vnic-id.SE: '3'
avi.asm-vnic-id.SE: '4'
avi.asm-static-routes.SE: [169.254.1.0/24 via 10.160.102.1, 169.254.2.0/24 via 10.160.102.2]
avi.asm-ip.SE: 10.160.102.227/24
```
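The day-zero file is small enough to sanity-check before the SE is deployed. The script below is an added example, not Avi Networks code: it reads the flat key/value syntax shown above with a small reader of its own (a full YAML parser is deliberately not assumed) and checks the points the parameter descriptions call out, namely the IP-address/subnet-mask format, the "network/mask via gateway" route syntax with matched brackets, gateways that actually sit on the dedicated vNIC's own subnet, and vNIC IDs that do not collide with vNIC0-2 or with each other. The embedded sample is constructed from the article's values with a placeholder in place of the controller auth token.

```python
"""Sanity-check the HSM/ASM dedicated-interface parameters of an SE day-zero file.

Added example, not Avi Networks code. Parses the flat "key: value" /
"key: [a, b]" day-zero syntax with a purpose-built reader (no PyYAML) and
validates the dedicated HSM and sideband (ASM) parameters.
"""
import ipaddress
import re

# Constructed sample mirroring the article's day-zero file; the auth token is a
# placeholder and the HSM route line carries the space after ':' that YAML needs.
SAMPLE_YAML = """\
avi.mgmt-ip.SE: "10.128.2.18"
avi.mgmt-mask.SE: "255.255.255.0"
avi.default-gw.SE: "10.128.2.1"
AVICNTRL: "10.10.22.50"
AVICNTRL_AUTHTOKEN: "<controller-auth-token-placeholder>"
avi.hsm-ip.SE: 10.160.103.227/24
avi.hsm-static-routes.SE: [ 10.128.1.0/24 via 10.160.103.1, 10.128.2.0/24 via 10.160.103.2 ]
avi.hsm-vnic-id.SE: '3'
avi.asm-vnic-id.SE: '4'
avi.asm-static-routes.SE: [169.254.1.0/24 via 10.160.102.1, 169.254.2.0/24 via 10.160.102.2]
avi.asm-ip.SE: 10.160.102.227/24
"""

ROUTE_RE = re.compile(r"^(\S+)\s+via\s+(\S+)$")
RESERVED_VNICS = {"0": "management", "1": "data-in", "2": "data-out"}


def parse_day_zero(text):
    """Read the flat day-zero syntax into a dict; bracketed lists become Python lists."""
    params = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            # "key:[ ... ]" without the space is one scalar to YAML, not a mapping entry
            raise ValueError(f"line {lineno}: expected 'key: value', got {line!r}")
        value = value.strip()
        if value.startswith("["):
            if not value.endswith("]"):
                raise ValueError(f"line {lineno}: unmatched '[' in {key}")
            params[key] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        else:
            params[key] = value.strip("'\"")
    return params


def check_dedicated(params, role):
    """Return problems for one dedicated interface (role 'hsm' or 'asm'); [] means OK."""
    ip_key = f"avi.{role}-ip.SE"
    routes_key = f"avi.{role}-static-routes.SE"
    vnic_key = f"avi.{role}-vnic-id.SE"
    problems = []
    try:
        iface = ipaddress.ip_interface(params[ip_key])   # expects IP-address/subnet-mask
    except (KeyError, ValueError) as exc:
        return [f"{ip_key}: missing or not IP-address/subnet-mask ({exc})"]
    routes = params.get(routes_key, [])
    if not isinstance(routes, list):
        problems.append(f"{routes_key}: must be a bracketed list of routes")
        routes = []
    for entry in routes:
        match = ROUTE_RE.match(entry)
        if not match:
            problems.append(f"{routes_key}: {entry!r} is not 'network/mask via gateway'")
            continue
        try:
            ipaddress.ip_network(match.group(1))       # rejects host bits set in the prefix
            gateway = ipaddress.ip_address(match.group(2))
        except ValueError as exc:
            problems.append(f"{routes_key}: {entry!r}: {exc}")
            continue
        # A gateway off the dedicated subnet can never be reached over this vNIC.
        if gateway not in iface.network:
            problems.append(f"{routes_key}: gateway {gateway} is not on {iface.network}")
    vnic = params.get(vnic_key)
    if vnic is None or not vnic.isdigit():
        problems.append(f"{vnic_key}: missing or not a numeric vNIC ID")
    elif vnic in RESERVED_VNICS:
        problems.append(f"{vnic_key}: vNIC{vnic} is the {RESERVED_VNICS[vnic]} interface")
    return problems


def validate_file(text):
    """Validate a whole day-zero file; returns (ok, messages) and never raises."""
    try:
        params = parse_day_zero(text)
    except ValueError as exc:
        return False, [str(exc)]
    problems = check_dedicated(params, "hsm") + check_dedicated(params, "asm")
    hsm, asm = params.get("avi.hsm-vnic-id.SE"), params.get("avi.asm-vnic-id.SE")
    if hsm is not None and hsm == asm:
        problems.append(f"HSM and ASM both use vNIC{hsm}; each needs its own vNIC")
    return not problems, problems


if __name__ == "__main__":
    ok, messages = validate_file(SAMPLE_YAML)
    print("OK" if ok else "\n".join(messages))
```

Run it against the real file with `validate_file(open("avi_meta_data_dedicated_asm_hsm_SE.yml").read())`; a missing space after a colon is reported as a parse error rather than silently turning the route list into a string, which is the failure that is hardest to spot after the SE has already booted.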
Once the SE is created with this Day Zero configuration and the appropriate virtual NIC interfaces are added to the SE service instance in CSP, verify that the dedicated vNIC configuration was applied successfully and that the HSM devices and ASM virtual service IPs are reachable via the dedicated interfaces. In this sample configuration, interface eth3 is the dedicated HSM interface with IP 10.160.103.227/24 and interface eth4 is the sideband ASM interface with IP 10.160.102.227/24.
Note: Avi Service Engine requires 5 interfaces for this configuration.
- vNIC0: Management interface
- vNIC1: Data in interface
- vNIC2: Data out interface
- vNIC3: Dedicated HSM interface
- vNIC4: Dedicated sideband interface
To verify the configuration of both dedicated interfaces, SSH to the Avi SE IP, run the ip route command, and perform a ping test.
```
bash# ssh admin@10.10.2.18
bash# ifconfig eth3
eth3 Link encap:Ethernet HWaddr 02:6a:80:02:11:05
inet addr:10.160.103.227 Bcast:10.160.103.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4454601 errors:0 dropped:1987 overruns:0 frame:0
TX packets:4510346 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:672683711 (672.6 MB) TX bytes:875329395 (875.3 MB)
bash# ip route
default via 10.10.2.1 dev eth0
10.10.1.0/24 via 10.160.103.1 dev eth3
10.10.2.0/24 via 10.160.103.2 dev eth3
10.10.2.0/24 dev eth0 proto kernel scope link src 10.128.2.27
10.160.103.0/24 dev eth3 proto kernel scope link src 10.160.103.227
bash# ping -I eth3 <HSM-IP>
ping -I eth3 10.10.1.51
PING 10.10.1.51 (10.128.1.51) from 10.160.103.227 eth3: 56(84) bytes of data.
64 bytes from 10.10.1.51: icmp_seq=1 ttl=62 time=0.229 ms
```
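Reading the routing table by eye works for one SE; for a fleet it is worth checking mechanically. The script below is an added example, not Avi Networks code. It parses `ip route` output, confirms that each dedicated vNIC has its connected route and every configured static route with the right gateway on the right device, and resolves a destination by longest-prefix match the way the kernel does, which is what `ping -I eth3 <HSM-IP>` is really testing: that a packet to the HSM device or ASM virtual service IP leaves on the dedicated interface rather than via the management default route. The embedded routing table is constructed to match the article's sample day-zero file (eth3 = vNIC3 HSM, eth4 = vNIC4 sideband), not the capture shown above, whose addresses differ.

```python
"""Check an SE routing table against the dedicated routes the day-zero file should install.

Added example, not Avi Networks code. Parses `ip route` output, verifies the
dedicated HSM/ASM routes, and resolves destinations by longest-prefix match.
"""
import ipaddress

# Constructed `ip route` output matching the article's sample day-zero file
# (eth3 = vNIC3 dedicated HSM, eth4 = vNIC4 dedicated sideband); not a real capture.
SAMPLE_IP_ROUTE = """\
default via 10.128.2.1 dev eth0
10.128.1.0/24 via 10.160.103.1 dev eth3
10.128.2.0/24 via 10.160.103.2 dev eth3
10.128.2.0/24 dev eth0 proto kernel scope link src 10.128.2.18
10.160.103.0/24 dev eth3 proto kernel scope link src 10.160.103.227
169.254.1.0/24 via 10.160.102.1 dev eth4
169.254.2.0/24 via 10.160.102.2 dev eth4
10.160.102.0/24 dev eth4 proto kernel scope link src 10.160.102.227
"""

# Expected state per dedicated interface, taken from the day-zero parameters:
# the interface address/mask and its "network/mask via gateway" static routes.
EXPECTED = {
    "eth3": ("10.160.103.227/24",
             ["10.128.1.0/24 via 10.160.103.1", "10.128.2.0/24 via 10.160.103.2"]),
    "eth4": ("10.160.102.227/24",
             ["169.254.1.0/24 via 10.160.102.1", "169.254.2.0/24 via 10.160.102.2"]),
}

ROUTE_ATTRS = {"via", "dev", "src", "proto", "scope", "metric"}


def parse_ip_route(text):
    """Turn `ip route` lines into dicts with a 'dst' network plus any attribute pairs."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        route = {"dst": ipaddress.ip_network(dst, strict=False)}
        i = 1
        while i + 1 < len(tokens):
            if tokens[i] in ROUTE_ATTRS:
                route[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                i += 1          # bare flags such as "linkdown" carry no value
        routes.append(route)
    return routes


def egress_dev(routes, destination):
    """Longest-prefix match, as the kernel does it: the dev a packet to `destination` leaves on."""
    addr = ipaddress.ip_address(destination)
    best = None
    for route in routes:
        if addr in route["dst"] and (best is None or route["dst"].prefixlen > best["dst"].prefixlen):
            best = route
    return best.get("dev") if best else None


def verify_dedicated_routes(ip_route_text, expected=EXPECTED):
    """Return findings about missing or misplaced dedicated routes; [] means all good."""
    routes = parse_ip_route(ip_route_text)
    findings = []
    for dev, (iface_cidr, static_routes) in expected.items():
        iface = ipaddress.ip_interface(iface_cidr)
        # The connected route proves the address/mask was applied to the vNIC.
        if not any(r["dst"] == iface.network and r.get("dev") == dev and "via" not in r
                   for r in routes):
            findings.append(f"{dev}: no connected route for {iface.network}")
        for entry in static_routes:
            net_text, _, gateway = entry.partition(" via ")
            net = ipaddress.ip_network(net_text)
            matches = [r for r in routes if r["dst"] == net and r.get("via") == gateway]
            if not matches:
                findings.append(f"{dev}: missing route {net} via {gateway}")
            elif matches[0].get("dev") != dev:
                findings.append(f"{dev}: route {net} via {gateway} is on "
                                f"{matches[0].get('dev')} not {dev}")
    return findings


if __name__ == "__main__":
    table = parse_ip_route(SAMPLE_IP_ROUTE)
    print(verify_dedicated_routes(SAMPLE_IP_ROUTE) or "dedicated routes OK")
    print("10.128.1.51 leaves via", egress_dev(table, "10.128.1.51"))
```

Feed it the real output with `verify_dedicated_routes(subprocess.check_output(["ip", "route"], text=True))` on the SE, and use `egress_dev` with the HSM or ASM address before pinging: if it returns eth0, the static route was not installed and the ping would succeed or fail over the management path instead of exercising the dedicated vNIC.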
For the other supported configurations for HSM and ASM communication on Avi Vantage, refer to How to configure dedicated interfaces for HSM and ASM communication on Cisco CSP.