*nhrpd* is an implementation of the :abbr:`NHRP (Next Hop Resolution Protocol)`.
NHRP is described in :rfc:`2332`.

NHRP is used to improve the efficiency of routing computer network traffic over
:abbr:`NBMA (Non-Broadcast, Multiple Access)` networks. NHRP provides an
ARP-like solution that allows a system to dynamically learn the NBMA address of
the other systems that are part of that network, allowing these systems to
communicate directly without requiring traffic to use an intermediate hop.

NHRP is a client-server protocol. The server side is called the :abbr:`NHS
(Next Hop Server)` or the hub, while a client is referred to as the :abbr:`NHC
(Next Hop Client)` or the spoke. When a node is configured as an NHC, it
registers its address with the NHS, which keeps track of all registered spokes.
An NHC can then query the NHS for the addresses of other clients, allowing
all spokes to communicate directly with each other.

Cisco Dynamic Multipoint VPN (DMVPN) is based on NHRP, and |PACKAGE_NAME| nhrpd
implements this scenario.
nhrpd never handles routing of prefixes itself. You need to run some
real routing protocol (e.g. BGP) to advertise routes over the tunnels.
What nhrpd does is establish 'shortcut routes' that let the routing
protocol avoid going through extra nodes in the NBMA GRE mesh.

nhrpd routes NHRP domain addresses individually using per-host prefixes.
This is similar to Cisco FlexVPN, but in contrast to opennhrp, which uses
a generic subnet route.

To create the NBMA GRE tunnel you might use the following Linux terminal
commands:

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.255.255.2/32 dev gre1

Note that the IP address is assigned as a host prefix to gre1. nhrpd will
automatically create additional host routes pointing to gre1 when
a connection with these hosts is established. The GRE key only identifies
the tunnel and has to be the same on every node; it is not authentication,
which is what the IPsec integration described below provides.

The gre1 subnet prefix should be announced by the routing protocol from the
hub nodes (e.g. a BGP 'network' announcement). This allows the routing
protocol to decide which hub is closest and to determine the relay hub on a
per-prefix basis when a direct tunnel is not established.

nhrpd will redistribute directly connected neighbors to zebra. Within the
hub nodes, these routes should be internally redistributed using some
routing protocol (e.g. iBGP) to allow the hubs to relay all traffic.

This can be achieved in the hubs with the following bgp configuration (the
network command defines the GRE subnet):

.. code-block:: frr

    address-family ipv4 unicast
.. clicmd:: ip nhrp holdtime (1-65000)

   Holdtime is the number of seconds that have to pass before stopping to
   advertise an NHRP NBMA address as valid. It also controls how often NHRP
   registration requests are sent. By default registrations are sent every one
   third of the holdtime.

.. clicmd:: ip nhrp map A.B.C.D|X:X::X:X A.B.C.D|local

   Map an IP address of a station to the station's NBMA address.

.. clicmd:: ip nhrp network-id (1-4294967295)

   Enable NHRP on this interface and set the interface's network ID. The
   network ID allows multiple nhrp domains to be created on a router when
   multiple interfaces are configured on it. Interfaces configured
   with the same ID are part of the same logical NBMA network. The ID is a
   local-only parameter and is not sent to other NHRP nodes, so IDs on
   different nodes do not need to match. When NHRP packets are received on an
   interface they are assigned to the local NHRP domain for that interface.

.. clicmd:: ip nhrp nhs A.B.C.D nbma A.B.C.D|FQDN

   Configure the Next Hop Server address and its NBMA address.

.. clicmd:: ip nhrp nhs dynamic nbma A.B.C.D

   Configure the Next Hop Server to have a dynamic address and set its NBMA
   address.

.. clicmd:: ip nhrp registration no-unique

   Allow the client to not set the unique flag in the NHRP packets. This is
   useful when a station has a dynamic IP address that could change over time.

.. clicmd:: ip nhrp shortcut

   Enable shortcut (spoke-to-spoke) tunnels to allow NHCs to talk to each other
   directly after establishing a connection, without going through the hub.

.. clicmd:: ip nhrp mtu

   Configure the NHRP advertised MTU.
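The holdtime, unique flag and MTU settings above are carried in the Registration Request a spoke sends to its NHS. The following Python is an added example, not nhrpd code: it encodes and decodes such a request using the RFC 2332 layout (20-byte fixed header, mandatory part, one Client Information Entry) so that the effect of each knob is visible on the wire. The addresses, the holdtime of 7200 and the MTU of 1400 are constructed sample values, and ``registration_interval`` only encodes the one-third rule stated above.

```python
"""Encode and decode an NHRP Registration Request (RFC 2332) to show what the
``ip nhrp holdtime``, ``ip nhrp registration no-unique`` and ``ip nhrp mtu``
settings change on the wire.  Added example, not nhrpd code; the addresses
used in the examples are constructed."""
import ipaddress
import struct

AFN_IPV4 = 1                 # ar$afn: IANA address family number of the NBMA network
PRO_TYPE_IPV4 = 0x0800       # ar$pro.type: EtherType of the protocol address family
OP_REGISTRATION_REQUEST = 3  # ar$op.type
FLAG_UNIQUE = 0x8000         # "U" bit of the Registration Request flags field

FIXED = struct.Struct("!HH5sBHHHBBBB")  # 20-byte fixed header
MAND = struct.Struct("!BBHI")           # src/dst proto len, flags, request id
CIE = struct.Struct("!BBHHHBBBB")       # code, prefix, unused, MTU, holdtime, ...


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a valid packet it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_registration_request(src_nbma, src_proto, nhs_proto, holdtime,
                               mtu=0, unique=True, request_id=1):
    """Build the packet a spoke sends to its NHS when it registers."""
    nbma = ipaddress.IPv4Address(src_nbma).packed
    sproto = ipaddress.IPv4Address(src_proto).packed
    dproto = ipaddress.IPv4Address(nhs_proto).packed
    flags = FLAG_UNIQUE if unique else 0   # "registration no-unique" clears this
    mandatory = MAND.pack(len(sproto), len(dproto), flags, request_id)
    mandatory += nbma + sproto + dproto
    # One CIE registering the spoke's own /32 with the advertised MTU and the
    # holdtime; the client address fields are empty (they repeat the mandatory part).
    cie = CIE.pack(0, 32, 0, mtu, holdtime, 0, 0, 0, 0)
    body = mandatory + cie
    hdr = FIXED.pack(AFN_IPV4, PRO_TYPE_IPV4, b"\x00" * 5, 255,
                     FIXED.size + len(body), 0, 0, 1,
                     OP_REGISTRATION_REQUEST, len(nbma), 0)
    pkt = hdr + body
    # ar$chksum occupies bytes 12-13 and covers the whole packet.
    return pkt[:12] + struct.pack("!H", ip_checksum(pkt)) + pkt[14:]


def parse_registration_request(pkt: bytes) -> dict:
    """Decode the packet, rejecting bad lengths and checksums before parsing."""
    (afn, _pro, _snap, _hop, pktsz, _csum, extoff,
     _ver, op, shtl, sstl) = FIXED.unpack_from(pkt)
    if pktsz != len(pkt):
        raise ValueError("ar$pktsz does not match packet length")
    if ip_checksum(pkt) != 0:
        raise ValueError("bad NHRP checksum")
    if afn != AFN_IPV4 or op != OP_REGISTRATION_REQUEST:
        raise ValueError("not an IPv4 Registration Request")
    off = FIXED.size
    splen, dplen, flags, req_id = MAND.unpack_from(pkt, off)
    off += MAND.size
    nbma_len = shtl & 0x3F            # low 6 bits are the length, bit 6 marks E.164
    src_nbma = pkt[off:off + nbma_len]
    off += nbma_len + (sstl & 0x3F)   # skip the NBMA subaddress, if any
    src_proto = pkt[off:off + splen]
    off += splen
    dst_proto = pkt[off:off + dplen]
    off += dplen
    cies = []
    end = extoff or pktsz             # extensions, when present, start at extoff
    while off < end:
        code, plen, _, mtu, hold, ctl, cstl, cplen, pref = CIE.unpack_from(pkt, off)
        off += CIE.size + (ctl & 0x3F) + (cstl & 0x3F) + cplen
        cies.append({"code": code, "prefix_len": plen, "mtu": mtu,
                     "holdtime": hold, "preference": pref})
    return {"unique": bool(flags & FLAG_UNIQUE), "request_id": req_id,
            "src_nbma": str(ipaddress.IPv4Address(src_nbma)),
            "src_proto": str(ipaddress.IPv4Address(src_proto)),
            "nhs_proto": str(ipaddress.IPv4Address(dst_proto)), "cies": cies}


def registration_interval(holdtime: int) -> int:
    """nhrpd re-registers every third of the holdtime by default."""
    return holdtime // 3


if __name__ == "__main__":
    # Constructed sample: spoke 198.51.100.2 / 10.0.0.2 registering with NHS 10.0.0.254.
    pkt = build_registration_request("198.51.100.2", "10.0.0.2", "10.0.0.254",
                                     holdtime=7200, mtu=1400, unique=False)
    print(parse_registration_request(pkt))
```

Run the decoder over the GRE payload of a capture to confirm what a spoke actually registers. With the U bit set, an NHS rejects a registration for a protocol address that is already registered from a different NBMA address; clearing it (``no-unique``) lets the newer registration win, which is what a station with a changing address needs and why the flag should stay set on stations whose addresses are static.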
.. _hub-functionality:

Hub Functionality
=================

In addition to routing the host prefixes redistributed by nhrp, the hub nodes
are also responsible for sending the NHRP Traffic Indication messages that
trigger creation of the shortcut tunnels.

nhrpd sends Traffic Indication messages based on network traffic captured
using NFLOG. Typically you want to send Traffic Indications, in a rate limited
manner, for network traffic that is routed from gre1 back to gre1. This can be
achieved with the following iptables rule.

.. code-block:: shell

   iptables -A FORWARD -i gre1 -o gre1 \
   -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \
   --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \
   --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128

You can fine tune the src/dstmask according to the prefix lengths you announce
internally, add additional IP range matches, or adjust the rate limit if
needed. However, the above should be good in most cases. Keep some rate limit
in place: every matching packet is copied (its first 128 bytes) to nhrpd and
turned into a Traffic Indication, so an unlimited rule lets any spoke's
traffic dictate how much NHRP signalling the hub emits.

The nflog-group of this kernel NFLOG target is configured in the global nhrp
config with:

.. clicmd:: nhrp nflog-group (1-65535)

To start sending these traffic notices out from hubs, use the nhrp
per-interface directive:

.. clicmd:: ip nhrp redirect

   This enables redirect replies on the NHS, similar to ICMP redirects except
   that they are managed by the nhrp protocol. This setting allows spokes to
   communicate with each other directly.
.. _integration-with-ike:

Integration with IKE
====================

nhrpd needs tight integration with the IKE daemon for various reasons.
Currently only strongSwan is supported as the IKE daemon.

nhrpd connects to strongSwan using the VICI protocol over a UNIX socket whose
path is configurable (default /var/run/charon.vici). Anything that can open
that socket can load, unload and inspect IKE connections, so keep its
permissions restricted to the accounts running charon and nhrpd.

strongSwan currently needs a few patches applied. Please check out the
patches at:
https://git-old.alpinelinux.org/user/tteras/strongswan/

Actively maintained patches are also available at:
https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/strongswan
.. _multicast-functionality:

Multicast Functionality
=======================

nhrpd can be configured to forward multicast packets, allowing routing
protocols that use multicast (such as OSPF) to be supported in the DMVPN
network.

This support requires an iptables NFLOG rule to allow nhrpd to intercept
multicast packets. A second iptables rule is also usually used to drop the
original multicast packet. The order matters: the NFLOG rule has to come
before the DROP rule, otherwise the packet is discarded before nhrpd sees it.

.. code-block:: shell

   iptables -A OUTPUT -d 224.0.0.0/24 -o gre1 -j NFLOG --nflog-group 2
   iptables -A OUTPUT -d 224.0.0.0/24 -o gre1 -j DROP

.. clicmd:: nhrp multicast-nflog-group (1-65535)

   Sets the nflog group that nhrpd will listen on for multicast packets. This
   value must match the nflog-group value set in the iptables rule.

.. clicmd:: ip nhrp map multicast A.B.C.D|X:X::X:X A.B.C.D|dynamic

   Sends multicast packets to the specified NBMA address. If dynamic is
   specified then the destination NBMA address (or addresses) are learnt
   dynamically.
.. clicmd:: nhrp event socket SOCKET

   Configure the Unix path for the event socket.

.. clicmd:: show [ip|ipv6] nhrp cache [json]

   Dump the cache entries.

.. clicmd:: show [ip|ipv6] nhrp opennhrp [json]

   Dump the cache entries in opennhrp format.

.. clicmd:: show [ip|ipv6] nhrp nhs [json]

   Dump the hub context.

.. clicmd:: show dmvpn [json]

   Dump the security contexts.
Configuration Example
=====================

.. figure:: ../figures/fig_dmvpn_topologies.png

IPsec configuration example
---------------------------

These changes are required on all nodes, hubs and spokes alike.

.. code-block:: shell

   ike=aes256-aes256-sha256-modp2048
   esp=aes256-aes256-sha256-modp2048

.. code-block:: shell

   %any : PSK "some_s3cret!"

Replace the placeholder secret before deployment. With ``%any`` every node
authenticates with this one PSK, so a compromised spoke can impersonate the
hub or any other spoke until the secret has been rotated on every node.
HUB configuration example
-------------------------

Creating gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.254/32 dev gre1

Adding iptables rules so that shortcut tunnels can be created and spokes can
connect to each other directly

.. code-block:: shell

   iptables -A FORWARD -i gre1 -o gre1 \
   -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \
   --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \
   --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128

FRR configuration

.. code-block:: frr

    description DMVPN Tunnel Interface
    ip address 10.0.0.254/32
    ip nhrp registration no-unique
    tunnel protection vici profile dmvpn
    bgp router-id 10.0.0.254
    no bgp ebgp-requires-policy
    neighbor SPOKES peer-group
    neighbor SPOKES disable-connected-check
    neighbor 10.0.0.1 remote-as 65001
    neighbor 10.0.0.1 peer-group SPOKES
    neighbor 10.0.0.2 remote-as 65002
    neighbor 10.0.0.2 peer-group SPOKES
    neighbor 10.0.0.3 remote-as 65003
    neighbor 10.0.0.3 peer-group SPOKES
    address-family ipv4 unicast
     network 172.16.0.0/24
Spoke 1 configuration example
-----------------------------

Creating gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.1/32 dev gre1

FRR configuration

.. code-block:: frr

    description DMVPN Tunnel Interface
    ip address 10.0.0.1/32
    ip nhrp nhs dynamic nbma 198.51.100.1
    ip nhrp registration no-unique
    tunnel protection vici profile dmvpn
    no bgp ebgp-requires-policy
    neighbor 10.0.0.254 remote-as 65000
    neighbor 10.0.0.254 disable-connected-check
    address-family ipv4 unicast
     network 172.16.1.0/24
Spoke 2 configuration example
-----------------------------

Creating gre interface (the host address must be the one FRR configures on
gre1, 10.0.0.2/32 on this spoke)

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.2/32 dev gre1

FRR configuration

.. code-block:: frr

    description DMVPN Tunnel Interface
    ip address 10.0.0.2/32
    ip nhrp nhs dynamic nbma 198.51.100.1
    ip nhrp registration no-unique
    tunnel protection vici profile dmvpn
    no bgp ebgp-requires-policy
    neighbor 10.0.0.254 remote-as 65000
    neighbor 10.0.0.254 disable-connected-check
    address-family ipv4 unicast
     network 172.16.2.0/24
Spoke 3 configuration example
-----------------------------

Creating gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.3/32 dev gre1

FRR configuration

.. code-block:: frr

    description DMVPN Tunnel Interface
    ip address 10.0.0.3/32
    ip nhrp nhs dynamic nbma 198.51.100.1
    ip nhrp registration no-unique
    tunnel protection vici profile dmvpn
    no bgp ebgp-requires-policy
    neighbor 10.0.0.254 remote-as 65000
    neighbor 10.0.0.254 disable-connected-check
    address-family ipv4 unicast
     network 172.16.3.0/24
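The four node fragments above are easy to get subtly wrong by copy and paste: a GRE key that differs on one node, a tunnel address that is not the /32 FRR expects, or a hub/spoke neighbor pair whose addresses or AS numbers do not line up. The following Python is an added example, not part of FRR or nhrpd, that parses the ``ip`` commands and the FRR stanzas of each node and cross-checks them. The node configs are constructed from the addresses on this page, and the ``router bgp`` AS numbers (65000 on the hub, 65001 to 65003 on the spokes) are assumed from the neighbor statements; ``spoke2`` deliberately reproduces an ``ip addr add`` line that reuses spoke 1's address.

```python
"""Cross-check per-node DMVPN fragments (Linux ``ip`` commands plus the FRR
``interface`` and ``router bgp`` stanzas) for mistakes that silently break a
hub-and-spoke mesh.  Added example, not FRR or nhrpd code; the sample node
configs are constructed from this page's addresses and the ``router bgp`` AS
numbers are assumed."""
import re

TUNNEL_ADD = re.compile(r"ip tunnel add (\S+) mode gre key (\d+)")
ADDR_ADD = re.compile(r"ip addr add (\S+) dev (\S+)")


def parse_linux(cmds: str) -> dict:
    """Pull the GRE key and the host address out of the ``ip`` commands."""
    info = {}
    for line in cmds.strip().splitlines():
        if m := TUNNEL_ADD.match(line.strip()):
            info["dev"], info["key"] = m.group(1), int(m.group(2))
        elif m := ADDR_ADD.match(line.strip()):
            info["addr"] = m.group(1)
    return info


def parse_frr(conf: str) -> dict:
    """Pull tunnel address, local AS, BGP neighbors and networks out of FRR config."""
    info = {"neighbors": {}, "networks": []}
    for raw in conf.strip().splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+)", line):
            info["addr"] = m.group(1)
        elif m := re.match(r"router bgp (\d+)", line):
            info["asn"] = int(m.group(1))
        elif m := re.match(r"neighbor (\d+\.\d+\.\d+\.\d+) remote-as (\d+)", line):
            info["neighbors"][m.group(1)] = int(m.group(2))
        elif m := re.match(r"network (\S+)", line):
            info["networks"].append(m.group(1))
    return info


def check_mesh(nodes: dict, hub: str) -> list:
    """nodes maps name -> (linux commands, frr config); returns problem strings."""
    parsed = {n: (parse_linux(l), parse_frr(f)) for n, (l, f) in nodes.items()}
    problems = []
    keys = {n: l.get("key") for n, (l, _) in parsed.items()}
    if len(set(keys.values())) != 1:
        problems.append(f"GRE key differs between nodes: {keys}")
    hub_frr = parsed[hub][1]
    hub_ip = hub_frr.get("addr", "/").split("/")[0]
    for name, (linux, frr) in parsed.items():
        if linux.get("addr") != frr.get("addr"):
            problems.append(f"{name}: 'ip addr add {linux.get('addr')}' but FRR "
                            f"'ip address {frr.get('addr')}'")
        if not str(frr.get("addr", "")).endswith("/32"):
            problems.append(f"{name}: tunnel address must be a /32 host prefix")
        if name == hub:
            continue
        spoke_ip = frr.get("addr", "/").split("/")[0]
        if frr["neighbors"].get(hub_ip) != hub_frr.get("asn"):
            problems.append(f"{name}: needs 'neighbor {hub_ip} remote-as {hub_frr.get('asn')}'")
        if hub_frr["neighbors"].get(spoke_ip) != frr.get("asn"):
            problems.append(f"{hub}: needs 'neighbor {spoke_ip} remote-as {frr.get('asn')}'")
    nets = [n for _, f in parsed.values() for n in f["networks"]]
    if dup := sorted({n for n in nets if nets.count(n) > 1}):
        problems.append(f"same network announced by more than one node: {dup}")
    return problems


# Constructed sample: the hub and three spokes from this page (AS numbers assumed).
HUB_LINUX = "ip tunnel add gre1 mode gre key 42 ttl 64\nip addr add 10.0.0.254/32 dev gre1\n"
HUB_FRR = """interface gre1
 ip address 10.0.0.254/32
router bgp 65000
 neighbor 10.0.0.1 remote-as 65001
 neighbor 10.0.0.2 remote-as 65002
 neighbor 10.0.0.3 remote-as 65003
 address-family ipv4 unicast
  network 172.16.0.0/24
"""


def spoke(n: int, linux_addr: str, key: int = 42) -> tuple:
    """Spoke n's fragments; linux_addr and key are parameters so slips can be reproduced."""
    linux = f"ip tunnel add gre1 mode gre key {key} ttl 64\nip addr add {linux_addr} dev gre1\n"
    frr = f"""interface gre1
 ip address 10.0.0.{n}/32
 ip nhrp nhs dynamic nbma 198.51.100.1
router bgp 6500{n}
 neighbor 10.0.0.254 remote-as 65000
 address-family ipv4 unicast
  network 172.16.{n}.0/24
"""
    return linux, frr


# spoke2 reproduces a copy-paste slip: its 'ip addr add' reuses spoke 1's address.
NODES = {"hub": (HUB_LINUX, HUB_FRR), "spoke1": spoke(1, "10.0.0.1/32"),
         "spoke2": spoke(2, "10.0.0.1/32"), "spoke3": spoke(3, "10.0.0.3/32")}

if __name__ == "__main__":
    for problem in check_mesh(NODES, "hub") or ["no problems found"]:
        print(problem)
```

Feed it the real files from each node before rollout; a mismatch in the GRE key or in the neighbor table shows up as a spoke that registers with the hub but never gets a BGP session or a shortcut, which is slow to diagnose once traffic is flowing.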