.. _nhrp:

****
NHRP
****

*nhrpd* is an implementation of the :abbr:`NHRP (Next Hop Routing Protocol)`.
NHRP is described in :rfc:`2332`.

NHRP is used to improve the efficiency of routing computer network traffic over
:abbr:`NBMA (Non-Broadcast, Multiple Access)` networks. NHRP provides an
ARP-like solution that allows a system to dynamically learn the NBMA address of
the other systems that are part of that network, allowing these systems to
communicate directly without requiring traffic to pass through an intermediate
hop.

NHRP is a client-server protocol. The server side is called the :abbr:`NHS
(Next Hop Server)` or the hub, while a client is referred to as the :abbr:`NHC
(Next Hop Client)` or the spoke. When a node is configured as an NHC, it
registers its address with the NHS, which keeps track of all registered spokes.
An NHC can then query the addresses of other clients from the NHS, allowing
all spokes to communicate directly with each other.

Cisco Dynamic Multipoint VPN (DMVPN) is based on NHRP, and |PACKAGE_NAME| nhrpd
implements this scenario.

.. _routing-design:

Routing Design
==============

nhrpd never handles routing of prefixes itself. You need to run some
real routing protocol (e.g. BGP) to advertise routes over the tunnels.
What nhrpd does is establish 'shortcut routes' that let the routing
protocol avoid going through extra nodes in the NBMA GRE mesh.

nhrpd routes NHRP domain addresses individually using per-host prefixes.
This is similar to Cisco FlexVPN, but in contrast to opennhrp, which uses
a generic subnet route.

To create an NBMA GRE tunnel you might use the following (Linux terminal
commands):

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.255.255.2/32 dev gre1
   ip link set gre1 up


Note that the IP address is assigned as a host prefix to gre1. nhrpd will
automatically create additional host routes pointing to gre1 when
a connection with these hosts is established.

The gre1 subnet prefix should be announced by the routing protocol from the
hub nodes (e.g. a BGP 'network' announcement). This allows the routing protocol
to decide which hub is the closest and to determine the relay hub on a
per-prefix basis when a direct tunnel is not established.

nhrpd will redistribute directly connected neighbors to zebra. Within
hub nodes, these routes should be internally redistributed using some
routing protocol (e.g. iBGP) to allow the hubs to relay all traffic.

This can be achieved in hubs with the following bgp configuration (the network
command defines the GRE subnet):

.. code-block:: frr

   router bgp 65555
    address-family ipv4 unicast
     network 172.16.0.0/16
     redistribute nhrp
    exit-address-family


.. _configuring-nhrp:

Configuring NHRP
================

.. clicmd:: ip nhrp holdtime (1-65000)

   Holdtime is the number of seconds that have to pass before nhrpd stops
   advertising an NHRP NBMA address as valid. It also controls how often NHRP
   registration requests are sent. By default registrations are sent every one
   third of the holdtime.

.. clicmd:: ip nhrp map A.B.C.D|X:X::X:X A.B.C.D|local

   Map an IP address of a station to the station's NBMA address.

.. clicmd:: ip nhrp network-id (1-4294967295)

   Enable NHRP on this interface and set the interface's network ID. The
   network ID is used to allow creating multiple nhrp domains on a router when
   multiple interfaces are configured on the router. Interfaces configured
   with the same ID are part of the same logical NBMA network. The ID is a
   local only parameter and is not sent to other NHRP nodes, so IDs on
   different nodes do not need to match. When NHRP packets are received on an
   interface they are assigned to the local NHRP domain for that interface.

.. clicmd:: ip nhrp nhs A.B.C.D nbma A.B.C.D|FQDN

   Configure the Next Hop Server address and its NBMA address.

.. clicmd:: ip nhrp nhs dynamic nbma A.B.C.D

   Configure the Next Hop Server to have a dynamic address and set its NBMA
   address.

.. clicmd:: ip nhrp registration no-unique

   Allow the client to not set the unique flag in the NHRP packets. This is
   useful when a station has a dynamic IP address that could change over time.

.. clicmd:: ip nhrp shortcut

   Enable shortcut (spoke-to-spoke) tunnels to allow NHCs to talk to each other
   directly after establishing a connection, without going through the hub.

.. clicmd:: ip nhrp mtu

   Configure the NHRP advertised MTU.


.. _hub-functionality:

Hub Functionality
=================

In addition to routing nhrp redistributed host prefixes, the hub nodes
are also responsible for sending NHRP Traffic Indication messages that
trigger creation of the shortcut tunnels.

nhrpd sends Traffic Indication messages based on network traffic captured
using NFLOG. Typically you want to send Traffic Indications for network
traffic that is routed from gre1 back to gre1, in a rate limited manner.
This can be achieved with the following iptables rule.

.. code-block:: shell

   iptables -A FORWARD -i gre1 -o gre1 \
        -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \
        --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \
        --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128


You can fine tune the src/dstmask according to the prefix lengths you announce
internally, add additional IP range matches, or adjust the rate limit if needed.
However, the above should be good in most cases.

This kernel NFLOG target's nflog-group is configured in the global nhrp config
with:

.. clicmd:: nhrp nflog-group (1-65535)

To start sending these traffic notices out from hubs, use the nhrp
per-interface directive:

.. clicmd:: ip nhrp redirect

   This enables redirect replies on the NHS, similar to ICMP redirects except
   that they are managed by the nhrp protocol. This setting allows spokes to
   communicate with each other directly.

.. _integration-with-ike:

Integration with IKE
====================

nhrpd needs tight integration with the IKE daemon for various reasons.
Currently only strongSwan is supported as the IKE daemon.

nhrpd connects to strongSwan using the VICI protocol over a UNIX socket, which
can be configured using the command below (defaults to /var/run/charon.vici).

strongSwan currently needs a few patches applied. Please check out the
original patches at:
https://git-old.alpinelinux.org/user/tteras/strongswan/

Actively maintained patches are also available at:
https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/strongswan

.. _multicast-functionality:

Multicast Functionality
=======================

nhrpd can be configured to forward multicast packets, allowing routing
protocols that use multicast (such as OSPF) to be supported in the DMVPN
network.

This support requires an iptables NFLOG rule to allow nhrpd to intercept
multicast packets. A second iptables rule is also usually used to drop the
original multicast packet.

.. code-block:: shell

   iptables -A OUTPUT -d 224.0.0.0/24 -o gre1 -j NFLOG --nflog-group 2
   iptables -A OUTPUT -d 224.0.0.0/24 -o gre1 -j DROP

.. index:: nhrp multicast-nflog-group (1-65535)
.. clicmd:: nhrp multicast-nflog-group (1-65535)

   Sets the nflog group that nhrpd will listen on for multicast packets. This
   value must match the nflog-group value set in the iptables rule.

.. index:: ip nhrp map multicast A.B.C.D|X:X::X:X A.B.C.D|dynamic
.. clicmd:: ip nhrp map multicast A.B.C.D|X:X::X:X A.B.C.D|dynamic

   Sends multicast packets to the specified NBMA address. If dynamic is
   specified then the destination NBMA address (or addresses) are learnt
   dynamically.

.. _nhrp-events:

NHRP Events
===========

.. clicmd:: nhrp event socket SOCKET

   Configure the Unix path for the event socket.

.. _show-nhrp:

Show NHRP
=========

.. clicmd:: show [ip|ipv6] nhrp cache [json]

   Dump the cache entries.

.. clicmd:: show [ip|ipv6] nhrp opennhrp [json]

   Dump the cache entries in opennhrp format.

.. clicmd:: show [ip|ipv6] nhrp nhs [json]

   Dump the hub context.

.. clicmd:: show dmvpn [json]

   Dump the security contexts.

Configuration Example
=====================

.. figure:: ../figures/fig_dmvpn_topologies.png
   :alt: image

IPSec configuration example
---------------------------

These changes are required on all nodes, hub and spokes alike.

ipsec.conf file

.. code-block:: shell

   config setup
   conn dmvpn
       authby=secret
       auto=add
       keyexchange=ikev2
       ike=aes256-aes256-sha256-modp2048
       esp=aes256-aes256-sha256-modp2048
       dpdaction=clear
       dpddelay=300s
       left=%any
       leftid=%any
       right=%any
       rightid=%any
       leftprotoport=gre
       rightprotoport=gre
       type=transport
       keyingtries=%forever

ipsec.secrets file

.. code-block:: shell

   %any : PSK "some_s3cret!"


HUB configuration example
-------------------------

Creating the gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.254/32 dev gre1
   ip link set gre1 up

Adding the iptables rule that makes shortcut tunnels possible, so that spokes
can connect to each other directly

.. code-block:: shell

   iptables -A FORWARD -i gre1 -o gre1 \
        -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \
        --hashlimit-mode srcip,dstip --hashlimit-srcmask 24 --hashlimit-dstmask 24 \
        --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128

FRR config on HUB

.. code-block:: frr

   nhrp nflog-group 1
   !
   interface gre1
    description DMVPN Tunnel Interface
    ip address 10.0.0.254/32
    ip nhrp network-id 1
    ip nhrp redirect
    ip nhrp registration no-unique
    ip nhrp shortcut
    tunnel protection vici profile dmvpn
    tunnel source eth0
   !
   router bgp 65000
    bgp router-id 10.0.0.254
    no bgp ebgp-requires-policy
    neighbor SPOKES peer-group
    neighbor SPOKES disable-connected-check
    neighbor 10.0.0.1 remote-as 65001
    neighbor 10.0.0.1 peer-group SPOKES
    neighbor 10.0.0.2 remote-as 65002
    neighbor 10.0.0.2 peer-group SPOKES
    neighbor 10.0.0.3 remote-as 65003
    neighbor 10.0.0.3 peer-group SPOKES
    !
    address-family ipv4 unicast
     network 172.16.0.0/24
     redistribute nhrp
    exit-address-family

Spoke1 configuration
--------------------

Creating the gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.1/32 dev gre1
   ip link set gre1 up


FRR config on Spoke1

.. code-block:: frr

   interface gre1
    description DMVPN Tunnel Interface
    ip address 10.0.0.1/32
    ip nhrp network-id 1
    ip nhrp nhs dynamic nbma 198.51.100.1
    ip nhrp redirect
    ip nhrp registration no-unique
    ip nhrp shortcut
    no link-detect
    tunnel protection vici profile dmvpn
    tunnel source eth0
   !
   router bgp 65001
    no bgp ebgp-requires-policy
    neighbor 10.0.0.254 remote-as 65000
    neighbor 10.0.0.254 disable-connected-check
    !
    address-family ipv4 unicast
     network 172.16.1.0/24
    exit-address-family


Spoke2 configuration
--------------------

Creating the gre interface (the tunnel address must match the ``ip address``
in the FRR config below, 10.0.0.2/32 for this spoke)

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.2/32 dev gre1
   ip link set gre1 up

FRR config on Spoke2

.. code-block:: frr

   interface gre1
    description DMVPN Tunnel Interface
    ip address 10.0.0.2/32
    ip nhrp network-id 1
    ip nhrp nhs dynamic nbma 198.51.100.1
    ip nhrp redirect
    ip nhrp registration no-unique
    ip nhrp shortcut
    no link-detect
    tunnel protection vici profile dmvpn
    tunnel source eth0
   !
   router bgp 65002
    no bgp ebgp-requires-policy
    neighbor 10.0.0.254 remote-as 65000
    neighbor 10.0.0.254 disable-connected-check
    !
    address-family ipv4 unicast
     network 172.16.2.0/24
    exit-address-family


Spoke3 configuration
--------------------

Creating the gre interface

.. code-block:: console

   ip tunnel add gre1 mode gre key 42 ttl 64
   ip addr add 10.0.0.3/32 dev gre1
   ip link set gre1 up

FRR config on Spoke3

.. code-block:: frr

   interface gre1
    description DMVPN Tunnel Interface
    ip address 10.0.0.3/32
    ip nhrp network-id 1
    ip nhrp nhs dynamic nbma 198.51.100.1
    ip nhrp redirect
    ip nhrp registration no-unique
    ip nhrp shortcut
    no link-detect
    tunnel protection vici profile dmvpn
    tunnel source eth0
   !
   router bgp 65003
    no bgp ebgp-requires-policy
    neighbor 10.0.0.254 remote-as 65000
    neighbor 10.0.0.254 disable-connected-check
    !
    address-family ipv4 unicast
     network 172.16.3.0/24
    exit-address-family

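The hub example above only works, and only works safely, when three separately
maintained files agree: the global ``nhrp nflog-group`` must match the
``--nflog-group`` of the iptables NFLOG rule that feeds Traffic Indications
(see :ref:`hub-functionality`), and every NHRP-enabled GRE interface needs a
``tunnel protection vici profile`` naming a ``conn`` that exists in
``ipsec.conf``, otherwise GRE and NHRP run unencrypted. The Python below is an
added consistency check written for this page, not part of FRR or nhrpd; the
sample inputs are constructed from the hub example, and ``check_dmvpn`` is a
hypothetical helper name.

```python
import re

# Constructed sample inputs, taken from the hub side of this page's example.
HUB_FRR_CONF = """\
nhrp nflog-group 1
!
interface gre1
 description DMVPN Tunnel Interface
 ip address 10.0.0.254/32
 ip nhrp network-id 1
 ip nhrp redirect
 ip nhrp registration no-unique
 ip nhrp shortcut
 tunnel protection vici profile dmvpn
 tunnel source eth0
!
"""
IPTABLES_RULES = [
    "iptables -A FORWARD -i gre1 -o gre1 -m hashlimit --hashlimit-upto 4/minute"
    " --hashlimit-burst 1 --hashlimit-mode srcip,dstip --hashlimit-srcmask 24"
    " --hashlimit-dstmask 24 --hashlimit-name loglimit-0"
    " -j NFLOG --nflog-group 1 --nflog-range 128",
]
IPSEC_CONF = "config setup\nconn dmvpn\n    authby=secret\n    type=transport\n"


def check_dmvpn(frr_conf, iptables_rules, ipsec_conf):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    nflog = re.search(r"^nhrp nflog-group (\d+)$", frr_conf, re.M)
    conns = set(re.findall(r"^conn (\S+)", ipsec_conf, re.M))
    # Each 'interface X' block is the header line plus its indented body lines.
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", frr_conf, re.M):
        ifname, lines = m.group(1), {l.strip() for l in m.group(2).splitlines()}
        if not any(l.startswith("ip nhrp network-id") for l in lines):
            continue  # NHRP is not enabled on this interface
        if "ip nhrp redirect" in lines:
            # Traffic Indications need an NFLOG rule on this interface using the global group.
            groups = {int(g) for r in iptables_rules if "-j NFLOG" in r
                      and f"-o {ifname}" in r for g in re.findall(r"--nflog-group (\d+)", r)}
            if nflog is None:
                findings.append(f"{ifname}: 'ip nhrp redirect' set but no global 'nhrp nflog-group'")
            elif int(nflog.group(1)) not in groups:
                findings.append(f"{ifname}: nhrp nflog-group {nflog.group(1)} has no matching NFLOG rule")
        prot = next((l for l in lines if l.startswith("tunnel protection vici profile ")), None)
        if prot is None:
            findings.append(f"{ifname}: no 'tunnel protection', GRE/NHRP would run unencrypted")
        elif prot.split()[-1] not in conns:
            findings.append(f"{ifname}: vici profile '{prot.split()[-1]}' has no conn in ipsec.conf")
    return findings
```

Run the same function over each spoke's config and its own iptables and ipsec files before bringing a node up; a non-empty list is a reason not to deploy.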