Next Hop Resolution Protocol (NHRP) Tidbit

NHRP is an important protocol used with DMVPNs & FlexVPNs that allows spokes to connect directly to other spokes. To break it down further, NHRP is essentially an ARP-like resolution protocol that allows "next hop clients" (spokes) to dynamically register with "next hop servers" (hubs). In a topology, once all clients have registered with the hub(s), clients can discover other clients within the same NBMA (non-broadcast multiple-access) network.

Let's break down the phases & flow so we better understand how things work:

NHRP Redirect:

  • Spoke-to-spoke traffic is forwarded to the hub

  • The hub then determines the ingress/egress interfaces sharing the same NHRP ID

  • The hub then sends an NHRP traffic redirection indicator to the source spoke with the destination spoke's overlay tunnel address

NHRP Resolution:

  • The spoke that received the redirect then initiates NHRP Resolution to the hub to resolve the destination spoke

  • The hub then forwards the resolution request to the destination spoke

  • The destination spoke receives the request and deploys a virtual-access interface and an IPsec tunnel to the source spoke

  • The same destination spoke then sends the resolution reply via the direct spoke-to-spoke tunnel

  • Lastly, the destination spoke adds an NHRP cache entry for the source spoke

NHRP Shortcut:

  • The source spoke receives the NHRP resolution reply

  • The source spoke adds an NHRP cache entry & shortcut route for the destination
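
The three phases above, walked through as a small Python model. This is an added example, not code from the original post or from Cisco: the class names, log strings and addresses are constructed for illustration, and it models only the message order and cache updates, not real NHRP packets.

```python
from dataclasses import dataclass, field

@dataclass
class Spoke:
    name: str
    overlay: str                                    # tunnel (overlay) address
    nbma: str                                       # NBMA (underlay) address
    nhrp_cache: dict = field(default_factory=dict)  # peer overlay -> peer NBMA
    shortcuts: set = field(default_factory=set)     # overlay destinations routed direct

@dataclass
class Hub:
    registered: dict = field(default_factory=dict)  # overlay -> (Spoke, NHRP ID)

    def register(self, spoke, nhrp_id):
        self.registered[spoke.overlay] = (spoke, nhrp_id)

    def redirect(self, src, dst_overlay, log):
        """Forward the hairpinned packet; redirect only if both sides share the NHRP ID."""
        (_, src_id), (dst, dst_id) = self.registered[src.overlay], self.registered[dst_overlay]
        log.append(f"data {src.name} -> hub -> {dst.name}")
        if src_id != dst_id:
            return None
        log.append(f"redirect hub -> {src.name} (destination {dst_overlay})")
        return dst

def spoke_to_spoke(hub, src, dst_overlay):
    """Run one redirect / resolution / shortcut cycle and return the message log."""
    log = []
    dst = hub.redirect(src, dst_overlay, log)
    if dst is None:
        return log                                  # no redirect: traffic stays on the hub path
    log.append(f"resolution-request {src.name} -> hub -> {dst.name}")
    log.append(f"tunnel {dst.name} -> {src.name} (virtual-access + IPsec)")
    log.append(f"resolution-reply {dst.name} -> {src.name} (direct tunnel)")
    dst.nhrp_cache[src.overlay] = src.nbma          # destination caches the source
    src.nhrp_cache[dst.overlay] = dst.nbma          # source caches the destination...
    src.shortcuts.add(dst.overlay)                  # ...and installs the shortcut route
    return log

if __name__ == "__main__":
    # Constructed addresses (RFC 5737 documentation ranges for the NBMA side).
    hub = Hub()
    a = Spoke("spoke-a", "10.0.0.2", "192.0.2.10")
    b = Spoke("spoke-b", "10.0.0.3", "198.51.100.20")
    hub.register(a, 1); hub.register(b, 1)
    print("\n".join(spoke_to_spoke(hub, a, b.overlay)))
    print(a.nhrp_cache, a.shortcuts, b.nhrp_cache)
```

Registering a spoke under a different NHRP ID shows the other branch: the hub forwards the packet but sends no redirect, so no cache entry or shortcut is created.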

NHRP Shortcut Overview:

To see NHRP in action, check out the other VPN-related posts. Cheers!

