Next Hop Resolution Protocol (NHRP) Tidbit

NHRP is an important protocol used with DMVPNs & FlexVPNs that allows spokes to connect directly to other spokes. To break it down further, NHRP is essentially an ARP-like resolution protocol that allows "next hop clients" (spokes) to dynamically register with "next hop servers" (hubs). In a topology, once all clients have registered with the hub(s), clients can discover other clients within the same NBMA (non-broadcast multiple-access) network.

Let's break down the phases & flow so we better understand how things work:

NHRP Redirect:

  • Spoke-to-spoke traffic is forwarded to the hub

  • The hub then determines whether the ingress/egress interfaces share the same NHRP ID

  • The hub then sends an NHRP traffic redirection indicator to the source spoke with the destination spoke's overlay tunnel address

NHRP Resolution:

  • The spoke that received the redirect then initiates NHRP Resolution to the hub to resolve the destination spoke

  • The hub will then forward the resolution request to the destination spoke

  • The destination spoke now receives the request, then deploys a virtual-access interface and an IPsec tunnel to the source spoke

  • Then the same destination spoke will send the resolution reply via the direct spoke-to-spoke tunnel

  • Lastly, the destination spoke adds an NHRP cache entry for the source spoke

NHRP Shortcut:

  • The source spoke receives the NHRP resolution reply

  • The source spoke adds an NHRP cache entry & shortcut route for the destination
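
The three phases above as a small Python state model. This is an added example, not code from the original post or from any vendor; it builds no real NHRP packets. The spoke names, addresses, prefixes and the idea of keying hub registrations by LAN prefix are constructed assumptions for illustration.

```python
# Toy model of the NHRP redirect -> resolution -> shortcut flow (added example).
# Names, prefixes and addresses are constructed; no real NHRP packets are built.
from dataclasses import dataclass, field

@dataclass
class Spoke:
    name: str
    overlay: str      # tunnel (overlay) address
    nbma: str         # underlay (NBMA) address
    lan: str          # prefix behind this spoke
    nhrp_id: int      # NHRP ID of the hub interface this spoke attaches to
    cache: dict = field(default_factory=dict)      # NHRP cache: overlay -> NBMA
    shortcuts: dict = field(default_factory=dict)  # shortcut routes: prefix -> overlay

class Hub:
    def __init__(self):
        self.clients = {}     # registered spokes, keyed by LAN prefix (simplification)

    def register(self, spoke):
        self.clients[spoke.lan] = spoke

def send(hub, src, dst_prefix):
    """Send one packet from src toward dst_prefix; return the ordered message log."""
    if dst_prefix in src.shortcuts:                 # shortcut already installed
        return [f"data {src.name} -> {src.shortcuts[dst_prefix]} (direct)"]
    dst = hub.clients.get(dst_prefix)
    if dst is None:
        return ["hub: destination not registered, dropped"]
    log = [f"data {src.name} -> hub -> {dst.name}"]
    # Redirect phase: only when ingress and egress share the same NHRP ID.
    if src.nhrp_id != dst.nhrp_id:
        return log
    log.append(f"redirect hub -> {src.name} (destination {dst.overlay})")
    # Resolution phase: request goes via the hub, reply comes back directly.
    log.append(f"resolution-request {src.name} -> hub -> {dst.name}")
    log.append(f"resolution-reply {dst.name} -> {src.name} (direct tunnel)")
    dst.cache[src.overlay] = src.nbma               # destination caches the source
    # Shortcut phase: source installs its cache entry and the shortcut route.
    src.cache[dst.overlay] = dst.nbma
    src.shortcuts[dst_prefix] = dst.overlay
    return log

def demo():
    hub = Hub()
    a = Spoke("spoke-a", "10.0.0.2", "192.0.2.2", "172.16.2.0/24", 1)
    b = Spoke("spoke-b", "10.0.0.3", "192.0.2.3", "172.16.3.0/24", 1)
    c = Spoke("spoke-c", "10.9.0.4", "192.0.2.4", "172.16.4.0/24", 2)  # other NHRP ID
    for s in (a, b, c):
        hub.register(s)
    return a, b, c, send(hub, a, b.lan), send(hub, a, b.lan), send(hub, a, c.lan)
```

The first packet to spoke-b transits the hub and triggers all three phases, the second goes direct, and traffic toward spoke-c keeps transiting the hub because the NHRP IDs differ.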

NHRP Shortcut Overview:

To see NHRP in action, check out the other VPN-related posts. Cheers!

