
Configuring NHRP

Context

NHRP enables a source Spoke on a public network to dynamically obtain the public network address of a destination Spoke. When a Spoke connects to a public network, it sends NHRP Registration Request packets to the Hub by using the public network address of the outbound interface. The Hub creates or updates NHRP mapping entries based on the packets received. Two Spokes exchange NHRP Resolution Request and Reply packets to create or update NHRP mapping entries between them.

When you configure the authentication string for NHRP negotiation, specifying plain or md5 creates potential security risks while the authentication string is transmitted. You are advised to use sha1, sha2-256, sha2-384, or sha2-512.

Perform the following operations on the Hub and Spokes.

Procedure

  • Configure the Hub.
    1. Run system-view

      The system view is displayed.

    2. Run interface tunnel interface-number

      The tunnel interface view is displayed.

    3. (Optional) Run nhrp network-id number

      An NHRP domain is configured for the tunnel interface.

      By default, a tunnel interface belongs to NHRP domain 0.

    4. (Optional) Run nhrp entry multicast { multicast-address | dynamic }

      The NHRP multicast member table is configured.

      By default, the NHRP multicast member table is configured.

    5. (Optional) Run nhrp authentication { hash { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 } | plain } authentication-string

      The NHRP authentication string and the algorithm for transmitting this authentication string are configured.

      By default, no NHRP authentication string is configured. If an NHRP authentication string is configured, it is transmitted in plain text.

    6. (Optional) Run nhrp entry holdtime seconds seconds

      The aging time of NHRP mapping entries is configured.

      By default, the aging time of NHRP mapping entries is 7200 seconds.

    7. (Optional) Enable the device to learn the DSVPN network device identity and ESN.

      1. Run nhrp identity enable

        The device is enabled to learn the DSVPN network device identity and ESN.

        By default, learning of DSVPN network device identity and ESN is enabled.

      2. Run nhrp identity name identity-name

        The identity of an mGRE interface is configured.

        By default, the device name is used as the identity of an mGRE interface.

    8. (Optional) Run nhrp redirect

      The NHRP redirect function is enabled.

      This configuration is required only when the shortcut mode is used. By default, the NHRP redirect function is disabled.

    9. (Optional) Run nhrp dscp dscp-value

      The DSCP value of NHRP packets is set.

      By default, the global DSCP value of NHRP packets is 48 (CS6).

      In DSVPN scenarios, if the DSCP value of NHRP packets is small, NHRP packets may be discarded when network congestion occurs, causing DSVPN tunnel teardown. In this case, perform this step to configure a proper DSCP value to provide preferential treatment to NHRP packets on the network.

  • Configure the Spokes.
    1. Run system-view

      The system view is displayed.

    2. Run interface tunnel interface-number

      The tunnel interface view is displayed.

    3. (Optional) Run nhrp network-id number

      An NHRP domain is configured for the tunnel interface.

      By default, a tunnel interface belongs to NHRP domain 0.

    4. Run nhrp entry multicast { multicast-address | dynamic }

      The NHRP multicast member table is configured.

      By default, no NHRP multicast member table is configured.

    5. (Optional) Run nhrp entry protocol-address { dns-name | nbma-address } [ register [ preference preference-value ] ]

      An NHRP mapping entry is configured.

    6. (Optional) Run nhrp registration no-unique

      The device is configured to send NHRP packets that carry the no-unique flag to instruct the remote end to overwrite conflicting NHRP peer entries.

      By default, the device sends NHRP packets that do not carry the no-unique flag to instruct the remote end not to overwrite conflicting NHRP peer entries.

    7. (Optional) Run nhrp authentication { hash { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 } | plain } authentication-string

      The NHRP authentication string and the algorithm for transmitting this authentication string are configured.

      By default, no NHRP authentication string is configured. If an NHRP authentication string is configured, it is transmitted in plain text.

      If the NHRP authentication string is configured on the Hub, it must also be configured on the Spoke.

    8. (Optional) Run nhrp registration interval seconds

      The NHRP registration interval is configured.

      By default, a Spoke registers with the Hub at an interval of 1800 seconds.

    9. (Optional) Run nhrp entry holdtime seconds seconds

      The aging time of NHRP mapping entries is configured.

      By default, the aging time of NHRP mapping entries is 7200 seconds.

    10. (Optional) Enable the device to learn the DSVPN network device identity and ESN.

      1. Run nhrp identity enable

        The device is enabled to learn the DSVPN network device identity and ESN.

        By default, learning of DSVPN network device identity and ESN is enabled.

      2. Run nhrp identity name identity-name

        The identity of an mGRE interface is configured.

        By default, the device name is used as the identity of an mGRE interface.

    11. (Optional) Run nhrp shortcut

      The NHRP shortcut function is enabled.

      This configuration is required only when the shortcut mode is used. By default, the NHRP shortcut function is disabled.

    12. (Optional) Run nhrp dscp dscp-value

      The DSCP value of NHRP packets is set.

      By default, the global DSCP value of NHRP packets is 48 (CS6).

      In DSVPN scenarios, if the DSCP value of NHRP packets is small, NHRP packets may be discarded when network congestion occurs, causing DSVPN tunnel teardown. In this case, perform this step to configure a proper DSCP value to provide preferential treatment to NHRP packets on the network.
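
An offline check for the authentication steps above (Hub step 5, Spoke step 7), added here as an example and not taken from Huawei's documentation: it scans saved tunnel-interface configuration for the plain and md5 modes and for a Spoke with no authentication string while the Hub has one. The device names, interface numbers and strings are constructed, and it assumes the saved configuration shows the command in the form in which it is entered.

```python
import re

WEAK_MODES = {"plain", "md5"}  # the modes this page advises against
IFACE_RE = re.compile(r"^interface\s+tunnel\s*(\S+)", re.I)
AUTH_RE = re.compile(r"^\s+nhrp authentication\s+(?:hash\s+(\S+)|(plain))\s+\S+", re.I)

# Constructed sample configurations (interface numbers and strings are made up;
# the stored form on a real device may differ from the entered command).
HUB = """interface Tunnel0/0/0
 nhrp authentication hash sha2-256 ExampleOnly-1
#
"""
SPOKE_A = """interface Tunnel0/0/0
 nhrp entry multicast dynamic
 nhrp authentication hash md5 ExampleOnly-1
#
"""
SPOKE_B = """interface Tunnel0/0/0
 nhrp entry multicast dynamic
#
"""

def tunnel_auth_modes(config):
    """Map each tunnel interface to its NHRP auth mode, or None if unset."""
    modes, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            modes[current] = None
        elif not line.startswith(" "):
            current = None  # any unindented line closes the interface block
        elif current is not None:
            a = AUTH_RE.match(line)
            if a:
                modes[current] = (a.group(1) or a.group(2)).lower()
    return modes

def audit(hub_config, spoke_configs):
    """Return (device, interface, finding) tuples; the string is never echoed."""
    findings = []
    hub_has_auth = any(tunnel_auth_modes(hub_config).values())
    for dev, cfg in [("hub", hub_config)] + sorted(spoke_configs.items()):
        for ifname, mode in tunnel_auth_modes(cfg).items():
            if mode in WEAK_MODES:
                findings.append((dev, ifname, f"weak mode: {mode}"))
            if dev != "hub" and hub_has_auth and mode is None:
                findings.append((dev, ifname, "hub has authentication, spoke has none"))
    return findings
```
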

Copyright © Huawei Technologies Co., Ltd.