*nhrpd* is an implementation of the :abbr:`NHRP (Next Hop Routing Protocol)`.
NHRP is described in :rfc:`2332`.

NHRP is used to improve the efficiency of routing computer network traffic over
:abbr:`NBMA (Non-Broadcast, Multiple Access)` networks. NHRP provides an
ARP-like solution that allows a system to dynamically learn the NBMA address of
the other systems that are part of that network, allowing these systems to
communicate directly without requiring traffic to pass through an intermediate hop.

NHRP is a client-server protocol. The server side is called the :abbr:`NHS
(Next Hop Server)` or the hub, while a client is referred to as the :abbr:`NHC
(Next Hop Client)` or the spoke. When a node is configured as an NHC, it
registers its address with the NHS, which keeps track of all registered spokes.
An NHC can then query the NHS for the addresses of other clients, allowing
all spokes to communicate directly with each other.

Cisco Dynamic Multipoint VPN (DMVPN) is based on NHRP, and |PACKAGE_NAME| nhrpd
implements this scenario.
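As an added example (not code from nhrpd or the FRR project), the Python below builds and validates the :rfc:`2332` fixed header that every NHRP message starts with: length, version, checksum and operation type are checked before the mandatory part is trusted, which is what an NHS has to do with packets arriving from any spoke. All packet contents are constructed; op.type 8 (Traffic Indication) is the DMVPN extension value used by nhrpd rather than an RFC 2332 type.

```python
import struct

# RFC 2332 section 5.1 fixed header (20 octets): ar$afn, ar$pro.type, ar$pro.snap,
# ar$hopcnt, ar$pktsz, ar$chksum, ar$extoff, ar$op.version, ar$op.type, ar$shtl, ar$sstl
FIXED = struct.Struct("!HH5sBHHHBBBB")
OP_TYPES = {1: "Resolution Request", 2: "Resolution Reply", 3: "Registration Request",
            4: "Registration Reply", 5: "Purge Request", 6: "Purge Reply",
            7: "Error Indication", 8: "Traffic Indication"}  # 8 is the DMVPN extension
NHRP_VERSION = 1


def ones_complement_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum; a packet with a valid ar$chksum folds to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def build_packet(op_type: int, body: bytes, hopcnt: int = 255) -> bytes:
    """Constructed packet: IPv4 NBMA (afn 1, shtl 4), IPv4 payload (0x0800),
    no extensions; 'body' stands in for the mandatory part."""
    size = FIXED.size + len(body)
    hdr = FIXED.pack(1, 0x0800, b"\x00" * 5, hopcnt, size, 0, 0, NHRP_VERSION, op_type, 4, 0)
    chksum = (~ones_complement_sum(hdr + body)) & 0xFFFF
    return hdr[:12] + struct.pack("!H", chksum) + hdr[14:] + body


def parse_packet(data: bytes) -> dict:
    """Validation a receiving NHS or NHC must pass before acting on the mandatory part."""
    if len(data) < FIXED.size:
        raise ValueError("truncated fixed header")
    (afn, pro, _snap, hopcnt, pktsz, _chk, extoff,
     version, op_type, shtl, sstl) = FIXED.unpack_from(data)
    if version != NHRP_VERSION:
        raise ValueError("unsupported ar$op.version %d" % version)
    if pktsz != len(data):
        raise ValueError("ar$pktsz %d != %d octets received" % (pktsz, len(data)))
    if ones_complement_sum(data) != 0xFFFF:
        raise ValueError("bad ar$chksum")
    if op_type not in OP_TYPES:
        raise ValueError("unknown ar$op.type %d" % op_type)
    if extoff and not FIXED.size <= extoff <= pktsz:
        raise ValueError("ar$extoff points outside the packet")
    return {"afn": afn, "pro_type": pro, "hopcnt": hopcnt, "op_type": op_type,
            "op_name": OP_TYPES[op_type], "shtl": shtl, "sstl": sstl,
            "extoff": extoff, "body": data[FIXED.size:]}
```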
nhrpd never handles routing of prefixes itself. You need to run some
real routing protocol (e.g. BGP) to advertise routes over the tunnels.
What nhrpd does is establish 'shortcut routes' that let the routing
protocol avoid going through extra nodes in the NBMA GRE mesh.

nhrpd routes NHRP domain addresses individually using per-host prefixes.
This is similar to Cisco FlexVPN, and in contrast to opennhrp, which uses
a generic subnet route.

To create an NBMA GRE tunnel you might use the following (Linux terminal

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.255.255.2/32 dev gre1
Note that the IP address is assigned as a host prefix to gre1. nhrpd will
automatically create additional host routes pointing to gre1 when
a connection with these hosts is established.

The gre1 subnet prefix should be announced by the routing protocol from the
hub nodes (e.g. a BGP 'network' announcement). This allows the routing protocol
to decide which hub is the closest and to determine the relay hub on a per-prefix
basis when a direct tunnel is not established.

nhrpd will redistribute directly connected neighbors to zebra. Within
hub nodes, these routes should be internally redistributed using some
routing protocol (e.g. iBGP) to allow hubs to relay all traffic.

This can be achieved in hubs with the following bgp configuration (the network
command defines the GRE subnet):

.. code-block:: frr

   address-family ipv4 unicast
.. index:: ip nhrp holdtime (1-65000)
.. clicmd:: ip nhrp holdtime (1-65000)

   Holdtime is the number of seconds that have to pass before an NHRP NBMA
   address stops being advertised as valid. It also controls how often NHRP
   registration requests are sent. By default registrations are sent every one
   third of the holdtime.

.. index:: ip nhrp map A.B.C.D|X:X::X:X A.B.C.D|local
.. clicmd:: ip nhrp map A.B.C.D|X:X::X:X A.B.C.D|local

   Map an IP address of a station to the station's NBMA address.

.. index:: ip nhrp network-id (1-4294967295)
.. clicmd:: ip nhrp network-id (1-4294967295)

   Enable NHRP on this interface and set the interface's network ID. The
   network ID is used to allow creating multiple nhrp domains on a router when
   multiple interfaces are configured on the router. Interfaces configured
   with the same ID are part of the same logical NBMA network. The ID is a
   local-only parameter and is not sent to other NHRP nodes, so IDs on
   different nodes do not need to match. When NHRP packets are received on an
   interface they are assigned to the local NHRP domain for that interface.

.. index:: ip nhrp nhs A.B.C.D nbma A.B.C.D|FQDN
.. clicmd:: ip nhrp nhs A.B.C.D nbma A.B.C.D|FQDN

   Configure the Next Hop Server address and its NBMA address.

.. index:: ip nhrp nhs dynamic nbma A.B.C.D
.. clicmd:: ip nhrp nhs dynamic nbma A.B.C.D

   Configure the Next Hop Server to have a dynamic address and set its NBMA

.. index:: ip nhrp registration no-unique
.. clicmd:: ip nhrp registration no-unique

   Allow the client to not set the unique flag in the NHRP packets. This is
   useful when a station has a dynamic IP address that could change over time.

.. index:: ip nhrp shortcut
.. clicmd:: ip nhrp shortcut

   Enable shortcut (spoke-to-spoke) tunnels to allow NHCs to talk to each other
   directly after establishing a connection, without going through the hub.

.. index:: ip nhrp mtu
.. clicmd:: ip nhrp mtu

   Configure the NHRP advertised MTU.
.. _hub-functionality:

In addition to routing nhrp redistributed host prefixes, the hub nodes
are also responsible for sending the NHRP Traffic Indication messages that
trigger creation of the shortcut tunnels.

nhrpd sends Traffic Indication messages based on network traffic captured
using NFLOG. Typically you want to send Traffic Indications for network
traffic that is routed from gre1 back to gre1, in a rate-limited manner.
This can be achieved with the following iptables rule.

.. code-block:: shell

   iptables -A FORWARD -i gre1 -o gre1 \
        -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \
        --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \
        --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128

You can fine-tune the src/dstmask according to the prefix lengths you announce
internally, add additional IP range matches, or adjust the rate limit if needed.
However, the above should be good in most cases.
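To show what the srcmask/dstmask choice does to the Traffic Indication rate, here is an added Python model (not netfilter's code and not part of nhrpd) of the hashlimit match above: one token bucket per (src/srcmask, dst/dstmask) pair, refilled at 4 per minute with a burst of 1. The sample packets are constructed inside the 172.16.x.0/24 spoke LANs from the configuration example.

```python
import ipaddress


class HashLimit:
    """Token-bucket model of '-m hashlimit --hashlimit-mode srcip,dstip' (constructed
    model of netfilter's behaviour): one bucket per (src/srcmask, dst/dstmask) pair,
    refilled at 'upto' tokens per minute, never holding more than 'burst' tokens."""

    def __init__(self, upto_per_minute=4, burst=1, srcmask=24, dstmask=24):
        self.interval = 60.0 / upto_per_minute  # seconds needed to earn one token
        self.burst = burst
        self.srcmask, self.dstmask = srcmask, dstmask
        self.buckets = {}  # key -> (tokens, time of last update)

    def key(self, src, dst):
        s = ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False)
        d = ipaddress.ip_network(f"{dst}/{self.dstmask}", strict=False)
        return (str(s), str(d))

    def match(self, src, dst, now):
        """True when the packet is within the limit and therefore reaches the NFLOG target."""
        k = self.key(src, dst)
        tokens, last = self.buckets.get(k, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) / self.interval)
        if tokens >= 1.0:
            self.buckets[k] = (tokens - 1.0, now)
            return True
        self.buckets[k] = (tokens, now)
        return False


def simulate(srcmask=24, dstmask=24):
    """Forwarded gre1->gre1 packets from spoke 1's LAN towards spokes 2 and 3
    (constructed addresses); the third field is the arrival time in seconds."""
    hl = HashLimit(srcmask=srcmask, dstmask=dstmask)
    packets = [("172.16.1.10", "172.16.2.20", 0.0),   # first packet of the pair: logged
               ("172.16.1.11", "172.16.2.21", 1.0),   # same /24 pair: suppressed
               ("172.16.1.10", "172.16.3.5", 2.0),    # different destination /24: logged
               ("172.16.1.10", "172.16.2.20", 16.0)]  # token earned back after 15 s
    return [hl.match(s, d, t) for s, d, t in packets]
```

With /32 masks every host pair gets its own bucket, so the second packet is logged too; with /16 masks all three spoke LANs share one bucket and only the first and last packets reach NFLOG.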
This kernel NFLOG target's nflog-group is configured in the global nhrp config

.. index:: nhrp nflog-group (1-65535)
.. clicmd:: nhrp nflog-group (1-65535)

To start sending these traffic notices out from hubs, use the nhrp
per-interface directive:

.. index:: ip nhrp redirect
.. clicmd:: ip nhrp redirect

   This enables redirect replies on the NHS, similar to ICMP redirects except that
   this is managed by the nhrp protocol. This setting allows spokes to communicate
   with each other directly.

.. _integration-with-ike:

nhrpd needs tight integration with the IKE daemon for various reasons.
Currently only strongSwan is supported as the IKE daemon.

nhrpd connects to strongSwan using the VICI protocol over a UNIX socket, which
can be configured using the command below (defaults to /var/run/charon.vici).

strongSwan currently needs a few patches applied. Please check out the
https://git-old.alpinelinux.org/user/tteras/strongswan/

Actively maintained patches are also available at:
https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/strongswan

.. index:: nhrp event socket SOCKET
.. clicmd:: nhrp event socket SOCKET

   Configure the Unix path for the event socket.
.. index:: show [ip|ipv6] nhrp cache [json]
.. clicmd:: show [ip|ipv6] nhrp cache [json]

   Dump the cache entries.

.. index:: show [ip|ipv6] nhrp opennhrp [json]
.. clicmd:: show [ip|ipv6] nhrp opennhrp [json]

   Dump the cache entries in opennhrp format.

.. index:: show [ip|ipv6] nhrp nhs [json]
.. clicmd:: show [ip|ipv6] nhrp nhs [json]

   Dump the hub context.

.. index:: show dmvpn [json]
.. clicmd:: show dmvpn [json]

   Dump the security contexts.

Configuration Example
=====================

.. figure:: ../figures/fig_dmvpn_topologies.png

IPSec configuration example
---------------------------

These changes are required on all nodes, both the hub and the spokes.

.. code-block:: shell

   ike=aes256-aes256-sha256-modp2048
   esp=aes256-aes256-sha256-modp2048

.. code-block:: shell

   %any : PSK "some_s3cret!"
HUB configuration example
-------------------------

Creating gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.254/32 dev gre1

Adding iptables rules to enable shortcut tunnels so that spokes can connect directly

.. code-block:: shell

   iptables -A FORWARD -i gre1 -o gre1 \
        -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \
        --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \
        --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128

.. code-block:: frr

    description DMVPN Tunnel Interface
    ip address 10.0.0.254/32
    ip nhrp registration no-unique
    tunnel protection vici profile dmvpn
    bgp router-id 10.0.0.254
    no bgp ebgp-requires-policy
    neighbor SPOKES peer-group
    neighbor SPOKES disable-connected-check
    neighbor 10.0.0.1 remote-as 65001
    neighbor 10.0.0.1 peer-group SPOKES
    neighbor 10.0.0.2 remote-as 65002
    neighbor 10.0.0.2 peer-group SPOKES
    neighbor 10.0.0.3 remote-as 65003
    neighbor 10.0.0.3 peer-group SPOKES
    address-family ipv4 unicast
     network 172.16.0.0/24
Creating gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.1/32 dev gre1

.. code-block:: frr

    description DMVPN Tunnel Interface
    ip address 10.0.0.1/32
    ip nhrp nhs dynamic nbma 198.51.100.1
    ip nhrp registration no-unique
    tunnel protection vici profile dmvpn
    no bgp ebgp-requires-policy
    neighbor 10.0.0.254 remote-as 65000
    neighbor 10.0.0.254 disable-connected-check
    address-family ipv4 unicast
     network 172.16.1.0/24

Creating gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.2/32 dev gre1

.. code-block:: frr

    description DMVPN Tunnel Interface
    ip address 10.0.0.2/32
    ip nhrp nhs dynamic nbma 198.51.100.1
    ip nhrp registration no-unique
    tunnel protection vici profile dmvpn
    no bgp ebgp-requires-policy
    neighbor 10.0.0.254 remote-as 65000
    neighbor 10.0.0.254 disable-connected-check
    address-family ipv4 unicast
     network 172.16.2.0/24

Creating gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.3/32 dev gre1

.. code-block:: frr

    description DMVPN Tunnel Interface
    ip address 10.0.0.3/32
    ip nhrp nhs dynamic nbma 198.51.100.1
    ip nhrp registration no-unique
    tunnel protection vici profile dmvpn
    no bgp ebgp-requires-policy
    neighbor 10.0.0.254 remote-as 65000
    neighbor 10.0.0.254 disable-connected-check
    address-family ipv4 unicast
     network 172.16.3.0/24
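Three near-identical spoke configurations are easy to get out of step, and a spoke whose kernel tunnel address, FRR interface address, NHS or BGP peering disagree with the hub will silently fail to register or to exchange routes. The following is an added consistency check (not part of nhrpd or FRR) over constructed fragments in the format used above; it assumes the hub's `router bgp` line is present and that every spoke uses `ip nhrp nhs ... nbma ...`.

```python
import re

# Constructed fragments in the page's format: a hub, and one spoke whose kernel
# tunnel address (ip addr add) disagrees with its FRR interface address.
HUB_CONF = """
interface gre1
 ip address 10.0.0.254/32
router bgp 65000
 neighbor 10.0.0.1 remote-as 65001
 neighbor 10.0.0.2 remote-as 65002
"""
SPOKE_SHELL = "ip tunnel add gre1 mode gre key 42 ttl 64\nip addr add 10.0.0.1/32 dev gre1\n"
SPOKE_CONF = """
interface gre1
 ip address 10.0.0.2/32
 ip nhrp nhs dynamic nbma 198.51.100.1
router bgp 65002
 neighbor 10.0.0.254 remote-as 65000
"""


def first(pattern: str, text: str):
    """First capture group of the first line matching 'pattern', or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def check_spoke(hub_conf: str, spoke_shell: str, spoke_conf: str) -> list:
    """Return the inconsistencies found between one spoke and the hub."""
    problems = []
    tunnel_addr = first(r"^ip addr add (\S+)/32 dev", spoke_shell)
    if_addr = first(r"^\s*ip address (\S+)/32", spoke_conf)
    hub_addr = first(r"^\s*ip address (\S+)/32", hub_conf)
    hub_asn = first(r"^router bgp (\d+)", hub_conf)
    if tunnel_addr != if_addr:
        problems.append(f"kernel address {tunnel_addr} != FRR interface address {if_addr}")
    if not first(r"^\s*ip nhrp nhs \S+ nbma (\S+)", spoke_conf):
        problems.append("no 'ip nhrp nhs' line, so the spoke never registers")
    peers = dict(re.findall(r"neighbor (\S+) remote-as (\d+)", spoke_conf))
    if peers.get(hub_addr) != hub_asn:
        problems.append(f"BGP neighbor {hub_addr} missing or remote-as is not {hub_asn}")
    hub_peers = dict(re.findall(r"neighbor (\S+) remote-as (\d+)", hub_conf))
    if if_addr not in hub_peers:
        problems.append(f"hub has no 'neighbor {if_addr}' entry")
    return problems
```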