.. _nhrp:

****
NHRP
****

*nhrpd* is an implementation of the :abbr:`NHRP (Next Hop Routing Protocol)`.
NHRP is described in :rfc:`2332`.

NHRP is used to improve the efficiency of routing computer network traffic over
:abbr:`NBMA (Non-Broadcast, Multiple Access)` networks. NHRP provides an
ARP-like solution that allows a system to dynamically learn the NBMA address of
the other systems that are part of that network, allowing these systems to
directly communicate without requiring traffic to use an intermediate hop.

Cisco Dynamic Multipoint VPN (DMVPN) is based on NHRP, and |PACKAGE_NAME| nhrpd
implements this scenario.

.. _routing-design:

Routing Design
==============

nhrpd never handles routing of prefixes itself. You need to run some
real routing protocol (e.g. BGP) to advertise routes over the tunnels.
What nhrpd does is establish 'shortcut routes' that let the routing
protocol avoid going through extra nodes in the NBMA GRE mesh.

nhrpd routes NHRP domain addresses individually using per-host prefixes.
This is similar to Cisco FlexVPN, and in contrast to opennhrp, which uses
a generic subnet route.

To create the NBMA GRE tunnel you might use the following (Linux terminal
commands):

.. code-block:: shell

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.255.255.2/32 dev gre1
   ip link set gre1 up

Note that the IP address is assigned as a host prefix to gre1. nhrpd will
automatically create additional host routes pointing to gre1 when
a connection with these hosts is established.

The gre1 subnet prefix should be announced by the routing protocol from the
hub nodes (e.g. a BGP 'network' announcement). This allows the routing protocol
to decide which is the closest hub and determine the relay hub on a per-prefix
basis when a direct tunnel is not established.

nhrpd will redistribute directly connected neighbors to zebra. Within
hub nodes, these routes should be internally redistributed using some
routing protocol (e.g. iBGP) to allow hubs to relay all traffic.

This can be achieved in hubs with the following bgp configuration (the network
command defines the GRE subnet):

.. code-block:: frr

   router bgp 65555
     address-family ipv4 unicast
       network 172.16.0.0/16
       redistribute nhrp
     exit-address-family

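The interplay between the hub-announced GRE subnet and the per-host routes nhrpd installs is easiest to see in a small longest-prefix-match model. The following Python is an added example, not part of this documentation or of FRR's code: the 172.16.0.0/16 GRE subnet comes from the BGP configuration above, while the hub, spoke and NBMA addresses are constructed placeholders. It shows a spoke relaying through the hub until a shortcut /32 is installed, and falling back to the hub again when the shortcut is withdrawn.

```python
"""Added example (not nhrpd's or FRR's code): a toy longest-prefix-match
table showing how nhrpd's per-host shortcut routes override the hub's
GRE subnet route, and how traffic falls back to the hub without them."""
import ipaddress

# Constructed topology. The GRE subnet matches the 'network' command on this
# page; the tunnel and NBMA addresses are placeholders.
GRE_SUBNET = "172.16.0.0/16"
HUB_TUNNEL_IP = "172.16.0.1"
SPOKE_A_TUNNEL_IP = "172.16.1.2"      # this spoke's own /32 on gre1
SPOKE_B_TUNNEL_IP = "172.16.2.3"      # the peer we want a shortcut to
SPOKE_B_NBMA_IP = "198.51.100.7"      # peer's NBMA address resolved via NHRP


class RouteTable:
    """Minimal longest-prefix-match FIB keyed by prefix."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, via, proto):
        self.routes[ipaddress.ip_network(prefix)] = (via, proto)

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, info in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, info)
        return best


def spoke_table():
    """Table a spoke has before any shortcut: its own host prefix on gre1
    and the GRE subnet learned from the hub's BGP announcement."""
    table = RouteTable()
    table.add(SPOKE_A_TUNNEL_IP + "/32", "gre1 (local)", "connected")
    table.add(GRE_SUBNET, HUB_TUNNEL_IP, "bgp")
    return table


def install_shortcut(table, peer_tunnel_ip, peer_nbma_ip):
    """Model of what nhrpd installs once resolution with a peer completes:
    a per-host route via gre1 whose GRE endpoint is the peer's NBMA address."""
    table.add(peer_tunnel_ip + "/32", "gre1 -> NBMA " + peer_nbma_ip, "nhrp")


def withdraw_shortcut(table, peer_tunnel_ip):
    table.withdraw(peer_tunnel_ip + "/32")


def path_for(table, dst):
    """Return the path a packet to dst takes, or None if unroutable."""
    hit = table.lookup(dst)
    if hit is None:
        return None
    net, (via, proto) = hit
    return f"{net} via {via} [{proto}]"


if __name__ == "__main__":
    t = spoke_table()
    print(path_for(t, SPOKE_B_TUNNEL_IP))     # relayed through the hub
    install_shortcut(t, SPOKE_B_TUNNEL_IP, SPOKE_B_NBMA_IP)
    print(path_for(t, SPOKE_B_TUNNEL_IP))     # direct spoke-to-spoke
    withdraw_shortcut(t, SPOKE_B_TUNNEL_IP)
    print(path_for(t, SPOKE_B_TUNNEL_IP))     # back to the hub
```

The /32 wins purely by prefix length, which is why the hubs must keep announcing the whole subnet: it is the only path a spoke has for any peer it has not (or no longer) resolved.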
.. _configuring-nhrp:

Configuring NHRP
================

FIXME

.. _hub-functionality:

Hub Functionality
=================

In addition to routing nhrp redistributed host prefixes, the hub nodes
are also responsible for sending NHRP Traffic Indication messages that
trigger creation of the shortcut tunnels.

nhrpd sends Traffic Indication messages based on network traffic captured
using NFLOG. Typically you want to send Traffic Indications for network
traffic that is routed from gre1 back to gre1, in a rate-limited manner.
This can be achieved with the following iptables rule.

.. code-block:: shell

   iptables -A FORWARD -i gre1 -o gre1 \
     -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \
     --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \
     --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128

You can fine-tune the src/dstmask according to the prefix lengths you
announce internally, add additional IP range matches, or adjust the rate
limitation if needed. However, the above should be good in most cases.

This kernel NFLOG target's nflog-group is configured in the global nhrp config
with:

.. code-block:: frr

   nhrp nflog-group 1

To start sending these traffic notices out from hubs, use the nhrp
per-interface directive:

.. code-block:: frr

   interface gre1
     ip nhrp redirect

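Whether a given hub-relayed packet reaches NFLOG, and so produces a Traffic Indication, depends entirely on the hashlimit parameters in the rule above. The following Python is an added example, not part of this documentation or of nhrpd: it models the rule as a token bucket per (src/24, dst/24) pair with the page's values (4/minute, burst 1, /24 masks) and runs it over a constructed list of forwarded packets. The model simplifies the kernel's credit arithmetic but reproduces the observable behaviour: one indication per subnet pair, then one every 15 seconds, and nothing for traffic that is not gre1-to-gre1.

```python
"""Added example (not nhrpd's or FRR's code): a model of the hashlimit match
in the iptables rule above, showing which gre1-to-gre1 packets would hit the
NFLOG target and which the per-(src/24, dst/24) rate limit suppresses."""
import ipaddress

# Parameters copied from the rule on this page.
RATE_PER_MINUTE = 4   # --hashlimit-upto 4/minute
BURST = 1             # --hashlimit-burst 1
SRC_MASK = 24         # --hashlimit-srcmask 24
DST_MASK = 24         # --hashlimit-dstmask 24


def bucket_key(src, dst):
    """--hashlimit-mode srcip,dstip with the masks applied: every host pair
    inside the same /24 pair shares one rate-limit bucket."""
    s = ipaddress.ip_network(f"{src}/{SRC_MASK}", strict=False)
    d = ipaddress.ip_network(f"{dst}/{DST_MASK}", strict=False)
    return (str(s), str(d))


class HashLimit:
    """Token bucket per key: BURST tokens of capacity, refilled at
    RATE_PER_MINUTE tokens per minute (simplified kernel credit logic)."""

    def __init__(self, per_minute=RATE_PER_MINUTE, burst=BURST):
        self.seconds_per_token = 60.0 / per_minute
        self.burst = float(burst)
        self.buckets = {}   # key -> (tokens, last_seen_time)

    def matches(self, now, src, dst):
        key = bucket_key(src, dst)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) / self.seconds_per_token)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


# Constructed packets forwarded by a hub: (time_s, in_if, out_if, src, dst).
# Tunnel addresses are placeholders inside the 172.16.0.0/16 GRE subnet.
PACKETS = [
    (0.0,  "gre1", "gre1", "172.16.1.2",   "172.16.2.3"),   # first spoke-to-spoke packet
    (0.5,  "gre1", "gre1", "172.16.1.2",   "172.16.2.3"),   # same flow, 0.5 s later
    (1.0,  "gre1", "gre1", "172.16.1.9",   "172.16.2.40"),  # other hosts, same /24 pair
    (2.0,  "gre1", "gre1", "172.16.1.2",   "172.16.3.7"),   # different destination /24
    (3.0,  "eth0", "gre1", "198.51.100.7", "172.16.2.3"),   # not gre1 -> gre1
    (16.0, "gre1", "gre1", "172.16.1.2",   "172.16.2.3"),   # 15 s refill interval elapsed
]


def traffic_indications(packets):
    """Indices of packets that hit the NFLOG target, i.e. that would make
    nhrpd send a Traffic Indication towards the originating spoke."""
    limiter = HashLimit()
    logged = []
    for i, (t, in_if, out_if, src, dst) in enumerate(packets):
        if in_if != "gre1" or out_if != "gre1":    # -i gre1 -o gre1
            continue
        if limiter.matches(t, src, dst):           # -m hashlimit ...
            logged.append(i)                       # -j NFLOG --nflog-group 1
    return logged


if __name__ == "__main__":
    for i in traffic_indications(PACKETS):
        print("NFLOG:", PACKETS[i])
```

The third packet is the one to notice: it is between different hosts than the first, but because both hosts fall in the same /24 pair it shares the bucket and is suppressed. If you announce longer prefixes than /24 between spokes, lower the masks accordingly or those spokes will wait for each other's tokens.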
.. _integration-with-ike:

Integration with IKE
====================

nhrpd needs tight integration with the IKE daemon for various reasons.
Currently only strongSwan is supported as the IKE daemon.

nhrpd connects to strongSwan using the VICI protocol over a UNIX socket
(hardcoded for now as /var/run/charon.vici).

strongSwan currently needs a few patches applied. Please check out the
`release <http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras-release>`_
and
`working tree <http://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras>`_
git repositories for the patches.

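The VICI socket nhrpd opens is a length-prefixed binary protocol, and it is worth knowing its framing when you need to watch or debug what nhrpd and charon exchange. The following Python is an added example, not nhrpd's own code (nhrpd is written in C) and not strongSwan's: it encodes and decodes VICI packets as laid out in strongSwan's vici README (4-byte length header, type byte, 1-byte-length names, 2-byte-length values, section and list elements). The request and response contents are constructed, not captured from a running charon, and the decoder rejects truncated packets rather than reading past the buffer.

```python
"""Added example (not nhrpd's or strongSwan's code): a minimal encoder and
decoder for the VICI wire format that nhrpd speaks to charon over
/var/run/charon.vici. All messages here are constructed."""
import struct

# Packet types.
CMD_REQUEST, CMD_RESPONSE, CMD_UNKNOWN = 0, 1, 2
EVENT_REGISTER, EVENT_UNREGISTER, EVENT_CONFIRM, EVENT_UNKNOWN, EVENT = 3, 4, 5, 6, 7
NAMED_TYPES = (CMD_REQUEST, EVENT_REGISTER, EVENT_UNREGISTER, EVENT)
# Message element types.
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = 1, 2, 3, 4, 5, 6


def _name(s):                      # names carry a 1-byte length prefix
    b = s.encode()
    return struct.pack("!B", len(b)) + b


def _value(v):                     # values carry a 2-byte big-endian length prefix
    b = v.encode() if isinstance(v, str) else bytes(v)
    return struct.pack("!H", len(b)) + b


def encode_message(obj):
    """dict -> element stream; nested dicts become sections, lists become lists."""
    out = bytearray()
    for key, val in obj.items():
        if isinstance(val, dict):
            out += bytes([SECTION_START]) + _name(key) + encode_message(val) + bytes([SECTION_END])
        elif isinstance(val, list):
            out += bytes([LIST_START]) + _name(key)
            for item in val:
                out += bytes([LIST_ITEM]) + _value(item)
            out += bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _name(key) + _value(val)
    return bytes(out)


def encode_packet(ptype, name=None, body=None):
    """Type byte, a name for request/event packets, then the message, all
    behind a 4-byte length header that does not count itself."""
    payload = bytes([ptype])
    if ptype in NAMED_TYPES:
        payload += _name(name)
    if body:
        payload += encode_message(body)
    return struct.pack("!I", len(payload)) + payload


def _read_name(buf, pos):
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n].decode(), pos + 1 + n


def _read_value(buf, pos):
    (n,) = struct.unpack_from("!H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def decode_message(buf, pos, end):
    """Parse elements until `end` or a SECTION_END; returns (dict, pos)."""
    result = {}
    while pos < end:
        etype = buf[pos]
        pos += 1
        if etype == SECTION_END:
            break
        if etype == SECTION_START:
            key, pos = _read_name(buf, pos)
            result[key], pos = decode_message(buf, pos, end)
        elif etype == KEY_VALUE:
            key, pos = _read_name(buf, pos)
            result[key], pos = _read_value(buf, pos)
        elif etype == LIST_START:
            key, pos = _read_name(buf, pos)
            items = []
            while pos < end and buf[pos] == LIST_ITEM:
                item, pos = _read_value(buf, pos + 1)
                items.append(item)
            if pos >= end or buf[pos] != LIST_END:
                raise ValueError("list without LIST_END")
            pos += 1
            result[key] = items
        else:
            raise ValueError(f"unexpected element type {etype}")
    return result, pos


def decode_packet(data):
    """bytes -> (packet type, name or None, message dict); rejects truncation."""
    if len(data) < 4:
        raise ValueError("short length header")
    (length,) = struct.unpack_from("!I", data, 0)
    payload = data[4:4 + length]
    if length < 1 or len(payload) != length:
        raise ValueError("truncated packet")
    ptype, pos, name = payload[0], 1, None
    if ptype in NAMED_TYPES:
        name, pos = _read_name(payload, pos)
    body, _ = decode_message(payload, pos, length)
    return ptype, name, body
```

A `version` request is the smallest useful packet and a good first check against a live socket: `encode_packet(CMD_REQUEST, "version")` is nine bytes on the wire, and charon answers with a CMD_RESPONSE whose key-value pairs decode into a plain dict.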
.. _nhrp-events:

NHRP Events
===========

FIXME

Configuration Example
=====================

FIXME