NHRP

2.3 Configure and verify DMVPN (single hub)

📘 CCNP Enterprise – ENARSI (300-410)


1. What is NHRP?

  • Definition: NHRP (Next Hop Resolution Protocol) is a protocol used in DMVPN that allows a router (or “spoke”) to discover the public IP address of another router it wants to reach over a dynamic VPN network.
  • Think of it as a dynamic address book for routers in a DMVPN network.
  • Function:
    • Spokes register their public IP address with the hub.
    • When a spoke wants to send traffic to another spoke, it asks the hub, “What is the IP of that spoke?” The hub replies with the needed address.
    • This allows the spokes to form direct (spoke-to-spoke) tunnels dynamically.

2. Role of NHRP in DMVPN

DMVPN Feature | How NHRP Supports It
Spoke registration | Spokes send NHRP Registration messages to the hub, so the hub knows where each spoke is.
Spoke-to-spoke communication | Spokes use NHRP Resolution requests to ask the hub for the public IP of other spokes.
Dynamic tunnels | NHRP allows tunnels to be established only when needed, instead of keeping all tunnels active all the time.
Scalability | NHRP reduces the configuration overhead because you don’t need a tunnel for every possible spoke pair.

3. NHRP Messages

There are a few key NHRP messages that you need to know for the exam:

  1. NHRP Registration Request:
    • Sent by the spoke to the hub when it comes online.
    • Purpose: “Hub, here is my public IP and private LAN address.”
  2. NHRP Registration Reply:
    • Sent by the hub to confirm registration.
    • Purpose: “Spoke, I’ve registered your information.”
  3. NHRP Resolution Request:
    • Sent by a spoke when it wants to communicate with another spoke.
    • Purpose: “Hub, what is the public IP of Spoke B?”
  4. NHRP Resolution Reply:
    • Sent by the hub to respond to the request.
    • Purpose: “Here is Spoke B’s public IP. You can create a direct tunnel.”
  5. NHRP Purge:
    • Sent when a spoke goes offline or is no longer reachable.
    • Purpose: “Hub, remove my entry.”

4. NHRP Commands on Cisco Routers

For the exam, you should know how to configure and verify NHRP.

Hub Router Example

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint

  • ip nhrp map multicast dynamic → allows NHRP to handle multicast/broadcast traffic for spokes.
  • ip nhrp network-id 1 → assigns a unique NHRP network ID.

Spoke Router Example

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ! static mapping: hub tunnel IP 10.0.0.1 -> hub's public IP
 ip nhrp map 10.0.0.1 192.168.1.1
 ip nhrp network-id 1
 ! defines the hub as NHS (Next Hop Server)
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint

  • ip nhrp nhs 10.0.0.1 → tells the spoke which router is the hub (Next Hop Server).
  • The spoke will automatically register with the hub using NHRP Registration messages.

5. NHRP Resolution Flow (Spoke-to-Spoke Communication)

  1. Spoke A wants to send traffic to Spoke B.
  2. Spoke A checks its NHRP cache to see if it already knows Spoke B’s public IP.
  3. If it doesn’t know, it sends an NHRP Resolution Request to the hub.
  4. Hub replies with Spoke B’s public IP using an NHRP Resolution Reply.
  5. Spoke A now creates a direct GRE tunnel to Spoke B.
  6. Traffic flows directly between spokes without going through the hub (optimized routing).

Exam Tip: Spoke-to-spoke tunnels will only be created after NHRP resolution, which is why traffic initially goes through the hub.


6. NHRP Verification Commands

  1. Check NHRP cache (shows mappings of public IPs to private IPs):
     show ip nhrp
  2. Check NHRP registrations at the hub:
     show ip nhrp registrations
  3. Check NHRP statistics:
     show ip nhrp detail

These commands are often tested in labs for DMVPN troubleshooting.


7. Key Exam Points About NHRP

  • NHRP is mandatory for DMVPN Phase 2 and 3 (Phase 1 only supports hub-and-spoke).
  • Hub always acts as NHS (Next Hop Server).
  • Spokes register their public IP and private LAN addresses with the hub.
  • Spoke-to-spoke tunnels are dynamically established only after NHRP resolution.
  • NHRP reduces manual configuration and allows DMVPN to scale efficiently.
  • Troubleshooting tips:
    • Ensure network IDs match between hub and spoke.
    • Verify spoke has ip nhrp nhs pointing to the hub.
    • Check NHRP cache and registrations if tunnels don’t form.
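
The first two troubleshooting tips can be checked offline against saved configs. The script below is an added example, not part of the original guide or any Cisco tool: it parses the hub and spoke Tunnel0 blocks shown in section 4 (embedded here as constructed sample text) and reports a network-ID mismatch, a missing NHS statement, or an NHS with no public-IP mapping. The function names parse_tunnel and audit are hypothetical.

```python
import re

# Constructed sample configs, matching the hub and spoke examples on this page.
HUB = """interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel mode gre multipoint
"""
SPOKE = """interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp map 10.0.0.1 192.168.1.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel mode gre multipoint
"""

def parse_tunnel(cfg):
    """Extract the NHRP-relevant settings from one tunnel interface block."""
    t = {"ip": None, "network_id": None, "nhs": [], "maps": {}}
    for line in cfg.splitlines():
        line = line.split("!")[0].strip()  # drop trailing "!" remarks
        if m := re.fullmatch(r"ip address (\S+) \S+", line):
            t["ip"] = m[1]
        elif m := re.fullmatch(r"ip nhrp network-id (\d+)", line):
            t["network_id"] = int(m[1])
        elif m := re.fullmatch(r"ip nhrp nhs (\S+)", line):
            t["nhs"].append(m[1])
        # \d skips "ip nhrp map multicast ..." lines; only IP-to-IP maps count
        elif m := re.fullmatch(r"ip nhrp map (\d\S*) (\S+)", line):
            t["maps"][m[1]] = m[2]
    return t

def audit(hub_cfg, spoke_cfg):
    """Return a list of findings; an empty list means the checks passed."""
    hub, spoke = parse_tunnel(hub_cfg), parse_tunnel(spoke_cfg)
    findings = []
    if hub["network_id"] != spoke["network_id"]:
        findings.append("network-id mismatch between hub and spoke")
    if hub["ip"] not in spoke["nhs"]:
        findings.append("spoke has no 'ip nhrp nhs' pointing to the hub tunnel IP")
    for nhs in spoke["nhs"]:
        if nhs not in spoke["maps"]:
            findings.append(f"no 'ip nhrp map' giving a public IP for NHS {nhs}")
    return findings

if __name__ == "__main__":
    print(audit(HUB, SPOKE) or "NHRP checks passed")
```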

Summary for Students:

NHRP is the “address book” for DMVPN. It registers spokes at the hub and allows dynamic, direct tunnels between spokes. For the exam, know the NHRP messages, how to configure hub and spokes, and how to verify registrations and cache. Remember: no registration = no spoke-to-spoke communication.
