1.20 Next Hop Resolution Protocol

NHRP is an ARP-like protocol for resolving the dynamic addresses of remote routers across a non-broadcast multi-access (NBMA) network. It allows a Next-Hop Client (NHC) to register with a Next-Hop Server (NHS). It also allows direct communication between spoke sites on an as-needed basis, so smaller branch routers with fewer resources can communicate across the NBMA network with only the spokes they need, without having to map the entire WAN.

NHRP operates in a client-server model:

  • NHS = the hub router (server)
  • NHC = the spoke routers (client)

The NHS, or hub router, maintains an NHRP database which maps the physical and tunnel addresses of all registered spokes.

The NHCs, or spoke routers, self-register with the NHS upon startup, and are able to query the NHRP database on the hub to obtain the addressing information of other spokes when spoke-to-spoke communication is required.

In a hub-and-spoke DMVPN deployment, the hub does not contain any GRE or IPsec configuration for any of the remote spokes. Instead, the spokes are configured with the hub’s IP addressing information. When they come online, they build an IPsec tunnel to the hub router, and provide their addressing information as part of the NHRP registration process.

Because of the registration process, the hub is able to accommodate dynamic addressing on the part of the NHCs; addresses can change, and the hub just updates the database accordingly.

Using the following diagram, here is an explanation of the NHRP process.

  1. The NHS maintains the NHRP database. Notice all spoke sites have logical tunnel addresses (172.16.10.0/24) shared between them, and are each associated with a /30 network ID representing local peering with their ISP.
  2. When a new spoke appears, it self-registers with the NHS and the NHRP database is updated with the logical tunnel and physical interface information.
  3. If a client at a remote spoke site requires communication with another site, the spoke sends an NHRP query to the NHS for the IP addressing information associated with that site. The NHS replies with the database information; with the other spoke’s address information, the spoke is able to dynamically build a tunnel between them without the need to traverse the hub.

Because spokes can create dynamic spoke-to-spoke tunnels, the DMVPN network as a whole can achieve greater bandwidth than the hub router alone is capable of handling.
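
The registration, address-change and resolution steps described above, modelled as an added Python example (not part of the original notes and not Cisco's implementation). The class names, the physical addresses and the "via-hub" result for an unregistered destination are assumptions made for illustration; only the 172.16.10.0/24 tunnel subnet comes from the text.

```python
import ipaddress

TUNNEL_NET = ipaddress.ip_network("172.16.10.0/24")  # tunnel subnet from the text


class NextHopServer:
    """Hub (NHS): database mapping each spoke's tunnel address to its physical address."""

    def __init__(self):
        self.database = {}

    def register(self, tunnel_ip, physical_ip):
        tunnel = ipaddress.ip_address(tunnel_ip)
        if tunnel not in TUNNEL_NET:
            raise ValueError(f"{tunnel} is outside {TUNNEL_NET}")
        # A repeat registration overwrites the old physical address (dynamic addressing).
        action = "updated" if tunnel in self.database else "added"
        self.database[tunnel] = ipaddress.ip_address(physical_ip)
        return action

    def resolve(self, tunnel_ip):
        # Reply to a spoke's query; None when the target never registered.
        return self.database.get(ipaddress.ip_address(tunnel_ip))


class Spoke:
    """Spoke (NHC): configured only with the hub, learns other spokes on demand."""

    def __init__(self, tunnel_ip, physical_ip, nhs):
        self.tunnel_ip, self.physical_ip, self.nhs = tunnel_ip, physical_ip, nhs

    def come_online(self):
        return self.nhs.register(self.tunnel_ip, self.physical_ip)

    def path_to(self, dest_tunnel_ip):
        answer = self.nhs.resolve(dest_tunnel_ip)
        # Modelling assumption: with no answer, traffic keeps going through the hub.
        return f"direct:{answer}" if answer is not None else "via-hub"


def demo():
    hub = NextHopServer()
    a = Spoke("172.16.10.2", "192.0.2.1", hub)      # constructed physical addresses
    b = Spoke("172.16.10.3", "198.51.100.1", hub)
    results = [a.come_online(), b.come_online(), a.path_to("172.16.10.3")]
    b.physical_ip = "203.0.113.9"                   # spoke B's ISP-facing address changes
    results += [b.come_online(), a.path_to("172.16.10.3"), a.path_to("172.16.10.9")]
    return results


if __name__ == "__main__":
    print(demo())
```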