DMVPN Next-Hop Server Explained including NHS Clusters

« 2022 Nov 21 »

What is NHS in DMVPN?

In a DMVPN network the spoke routers are the Next-Hop Clients (NHC), and they register with one or more hub routers. The hub router is also called the Next-Hop Server (NHS) and it is an integral part of the DMVPN control plane. The NHS collects information from the spoke routers by exchanging Next-Hop Resolution Protocol (NHRP) messages.

The NHS learns each spoke's binding between its tunnel interface address and its physical (NBMA) address from the NHRP registrations, and learns the branch prefixes behind each spoke from the routing protocol running over the tunnel. Two hub routers can be deployed for fault tolerance using the NHS Cluster configuration on the spokes.

The following table shows the role of the NHS in different DMVPN Phases, including the NHRP packets used in each phase.

NHS and DMVPN Phases introduction

Phase 1: There is no direct spoke-to-spoke communication. The hub router (NHS) receives NHRP Registration Requests from the spoke routers and keeps track of the tunnel-to-physical (NBMA) IP address binding of each spoke. These bindings are updated over time when spokes have dynamic addresses. The NHS also learns the branch prefixes from each spoke through routing protocol updates. All traffic flows through the NHS.

Phase 2: There is direct spoke-to-spoke communication. The NHS learns each branch prefix and advertises it to the other spokes with the originating spoke's tunnel address preserved as the next hop, so every spoke holds the routes of all other branches. To reach a next hop for which it has no NBMA mapping, a spoke sends an NHRP Resolution Request to the NHS.

The NHS forwards the Resolution Request to the destination spoke, which answers the originating spoke directly with an NHRP Resolution Reply. Through this exchange the originating spoke learns the NBMA (physical) address behind the other spoke's tunnel address and adds it to its NHRP cache; the route itself already pointed at that tunnel address.

DMVPN NHRP Resolution Request and Reply

Phase 3: There is direct spoke-to-spoke communication. The NHS learns each branch prefix from the spoke routers but may advertise only a single default route to the spokes; the default route may even be statically configured on the spokes, with the NHS advertising nothing at all. When a spoke has to reach another branch, its first data packet goes to the NHS (the hub is configured with ip nhrp redirect). The NHS forwards that packet and, because it arrived and left through the same mGRE interface, answers the spoke with an NHRP Traffic Indication (redirect). The spoke (configured with ip nhrp shortcut) then starts the NHRP Resolution Request/Reply exchange, and NHRP installs the resulting shortcut next hop in the spoke's routing table.
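The Phase 3 exchange above, modeled as an added Python example (not code from the original page or from any vendor): a hub object plays the NHS with ip nhrp redirect, two spoke objects play R2 and R3 with ip nhrp shortcut and a default route via the hub, and the methods pass the NHRP messages named in the table. Addresses are the lab's; the class and method names are this example's own, and the routing-protocol step (branch prefix at the hub, default route at the spoke) is modeled as a RIB entry rather than a BGP session.

```python
import ipaddress


class Router:
    """Shared state: NHRP cache (tunnel IP -> NBMA IP), RIB (prefix -> next hop), counters."""

    def __init__(self, name, tunnel_ip, nbma_ip):
        self.name, self.tunnel_ip, self.nbma_ip = name, tunnel_ip, nbma_ip
        self.nhrp = {}      # NHRP cache: tunnel IP -> NBMA (physical) IP
        self.rib = {}       # prefix string -> next-hop tunnel IP
        self.peers = {}     # tunnel IP -> Router; stands in for the transport network
        self.counters = {}  # message counters, in the spirit of 'show ip nhrp traffic'

    def count(self, msg):
        self.counters[msg] = self.counters.get(msg, 0) + 1

    def next_hop(self, dst):
        """Longest-prefix match in the RIB: (network, next-hop tunnel IP) or None."""
        addr, best = ipaddress.ip_address(dst), None
        for prefix, nh in self.rib.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


class Hub(Router):
    """The NHS: keeps spoke registrations; with 'ip nhrp redirect' it answers a
    packet that came in and went out the same mGRE interface with a Traffic Indication."""

    def registration_request(self, spoke, prefixes):
        self.count("Registration Request rcvd")
        self.nhrp[spoke.tunnel_ip] = spoke.nbma_ip   # tunnel-to-NBMA binding from the request
        self.peers[spoke.tunnel_ip] = spoke
        self.count("Registration Reply sent")
        # Routing-protocol step, not NHRP: hub learns the branch prefix, spoke gets a default.
        for prefix in prefixes:
            self.rib[prefix] = spoke.tunnel_ip
        spoke.rib["0.0.0.0/0"] = self.tunnel_ip

    def forward(self, src_spoke, dst):
        """Deliver a data packet received from a spoke and redirect the sender."""
        match = self.next_hop(dst)
        if match is None:
            return None
        self.count("Traffic Indication sent")
        src_spoke.traffic_indication(self, dst)
        return self.nhrp[match[1]]

    def resolution_request(self, requester, dst):
        """Relay the Resolution Request toward the spoke that owns the destination."""
        self.count("Resolution Request fwd")
        prefix, owner = self.next_hop(dst)
        self.peers[owner].resolution_request(requester, prefix)


class Spoke(Router):
    """The NHC: static 'ip nhrp map' to the hub, registers with it, 'ip nhrp shortcut' on."""

    def __init__(self, name, tunnel_ip, nbma_ip, hub):
        super().__init__(name, tunnel_ip, nbma_ip)
        self.hub = hub
        self.nhrp[hub.tunnel_ip] = hub.nbma_ip       # ip nhrp map <hub tunnel> <hub NBMA>
        self.peers[hub.tunnel_ip] = hub

    def send(self, dst):
        """Forward one packet; returns the NBMA address it was encapsulated to."""
        match = self.next_hop(dst)
        if match is None:
            return None
        nbma = self.nhrp[match[1]]
        if match[1] == self.hub.tunnel_ip:           # no shortcut yet: goes through the NHS
            self.hub.forward(self, dst)
        return nbma

    def traffic_indication(self, hub, dst):
        """Redirect received: with shortcut enabled, resolve the destination via the NHS."""
        self.count("Traffic Indication rcvd")
        self.count("Resolution Request sent")
        hub.resolution_request(self, dst)

    def resolution_request(self, requester, prefix):
        """We own the prefix: learn the requester's binding and reply to it directly."""
        self.count("Resolution Request rcvd")
        self.nhrp[requester.tunnel_ip] = requester.nbma_ip
        self.count("Resolution Reply sent")
        requester.resolution_reply(self, prefix)

    def resolution_reply(self, responder, prefix):
        """Install the responder's binding and the NHRP shortcut route for its prefix."""
        self.count("Resolution Reply rcvd")
        self.nhrp[responder.tunnel_ip] = responder.nbma_ip
        self.rib[str(prefix)] = responder.tunnel_ip


def phase3_demo():
    """Lab addresses from the page: Hub1, R2 (site 2) and R3 (site 3)."""
    hub1 = Hub("Hub1", "10.0.0.1", "172.16.1.2")
    r2 = Spoke("R2", "10.0.0.3", "172.16.3.2", hub1)
    r3 = Spoke("R3", "10.0.0.4", "172.16.4.2", hub1)
    hub1.registration_request(r2, ["192.168.2.0/24"])
    hub1.registration_request(r3, ["192.168.3.0/24"])
    first = r2.send("192.168.3.1")    # via Hub1; triggers redirect and resolution
    second = r2.send("192.168.3.1")   # spoke-to-spoke over the installed shortcut
    return first, second, r2, r3, hub1


if __name__ == "__main__":
    first, second, r2, r3, hub1 = phase3_demo()
    print("first packet to", first, "/ second packet to", second)
    print("R2 RIB:", r2.rib, "R2 NHRP cache:", r2.nhrp, "Hub1 counters:", hub1.counters)
```

The first packet leaves R2 encapsulated to Hub1's NBMA address; by the time the second one is sent, R2 holds the 192.168.3.0/24 shortcut via 10.0.0.4 and the 10.0.0.4 to 172.16.4.2 mapping, so it goes straight to R3 and the hub sees no further Traffic Indication for that flow.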

What is NHS Cluster in DMVPN?

A redundant DMVPN network has more than one NHS, so there must be a way to rank them as primary and secondary and to control the failover process. NHS Clusters provide this. They are configured on the spoke router: the spoke's NHS entries are grouped into a cluster, each NHS is assigned a priority within that cluster, and the spoke can be told to hold registrations with only a given number of the cluster's NHS at any one time.

How to configure NHS Cluster?

In the following scenario two NHS hub routers are configured in a single cluster, with a DMVPN Phase 3 overlay network using iBGP as the routing protocol. Each hub advertises a single default route. Because the hubs run ip nhrp redirect and the spokes ip nhrp shortcut, spoke-to-spoke traffic takes a direct path after the first packet.

The NHS Cluster feature is configured on the spoke routers under the DMVPN tunnel interface. Each ip nhrp nhs entry carries a cluster identifier and a priority within that cluster; a lower numeric value means a higher priority, and 0 is the highest. The command ip nhrp nhs cluster <id> max-connections <n> limits how many NHS of that cluster the spoke registers with at any one time.

Note that the lab tunnels below carry no tunnel protection (no IPsec profile), and ip nhrp authentication is a cleartext string in the NHRP packets that only keeps mis-configured peers from registering; a production DMVPN needs tunnel protection ipsec profile on the mGRE interfaces for confidentiality and peer authentication.

DMVPN NHS Cluster configuration introduction

Configuration:

Hub1
    Hub1#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to Internet Provider **
     ip address 172.16.1.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    Hub1#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 3 - Cloud **
     ip address 10.0.0.1 255.255.255.0
     no ip redirects
     ip nhrp authentication P4SSW0RD
     ip nhrp network-id 10
     ip nhrp redirect
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
    
    Hub1#show run | sec ^ip route
    ip route 172.16.0.0 255.255.0.0 GigabitEthernet0/0 172.16.1.1
    
    Hub1#show run | sec ^router
    router bgp 65001
     bgp router-id 1.1.1.1
     bgp log-neighbor-changes
     neighbor 10.0.0.3 remote-as 65001
     neighbor 10.0.0.3 default-originate
     neighbor 10.0.0.4 remote-as 65001
     neighbor 10.0.0.4 default-originate
    
Hub2
    Hub2#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to Internet Provider **
     ip address 172.16.2.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    Hub2#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 3 - Cloud **
     ip address 10.0.0.2 255.255.255.0
     no ip redirects
     ip nhrp authentication P4SSW0RD
     ip nhrp network-id 10
     ip nhrp redirect
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
    
    Hub2#show run | sec ^ip route
    ip route 172.16.0.0 255.255.0.0 GigabitEthernet0/0 172.16.2.1
    
    Hub2#show run | sec ^router
    router bgp 65001
     bgp router-id 2.2.2.2
     bgp log-neighbor-changes
     neighbor 10.0.0.3 remote-as 65001
     neighbor 10.0.0.3 default-originate
     neighbor 10.0.0.4 remote-as 65001
     neighbor 10.0.0.4 default-originate
    
R2 (Spoke)
    R2#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to Host2 (Site 2 LAN) **
     ip address 192.168.2.2 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to Internet Provider **
     ip address 172.16.3.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 3 - Cloud **
     ip address 10.0.0.3 255.255.255.0
     no ip redirects
     ip nhrp authentication P4SSW0RD
     ip nhrp map 10.0.0.1 172.16.1.2
     ip nhrp map 10.0.0.2 172.16.2.2
     ip nhrp network-id 10
     ip nhrp nhs 10.0.0.1 priority 1 cluster 1
     ip nhrp nhs 10.0.0.2 priority 2 cluster 1
     ip nhrp nhs cluster 1 max-connections 1
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
    
    R2#show run all | i Tunnel10|ip nhrp sh
    interface Tunnel10
     ip nhrp shortcut
    
    R2#show run | sec ^ip route
    ip route 172.16.0.0 255.255.0.0 GigabitEthernet0/1 172.16.3.1
    
    R2#show run | sec ^router
    router bgp 65001
     bgp router-id 2.2.2.2
     bgp log-neighbor-changes
     network 192.168.2.0
     neighbor 10.0.0.1 remote-as 65001
     neighbor 10.0.0.2 remote-as 65001
    
R3 (Spoke)
    R3#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to Host3 (Site 3 LAN) **
     ip address 192.168.3.2 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    R3#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to Internet Provider **
     ip address 172.16.4.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R3#show run int Tu10 | sec int
    interface Tunnel10
     description ** DMVPN Phase 3 - Cloud **
     ip address 10.0.0.4 255.255.255.0
     no ip redirects
     ip nhrp authentication P4SSW0RD
     ip nhrp map 10.0.0.1 172.16.1.2
     ip nhrp map 10.0.0.2 172.16.2.2
     ip nhrp network-id 10
     ip nhrp nhs 10.0.0.1 priority 1 cluster 1
     ip nhrp nhs 10.0.0.2 priority 2 cluster 1
     ip nhrp nhs cluster 1 max-connections 1
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
    
    R3#show run all | i Tunnel10|ip nhrp sh
    interface Tunnel10
     ip nhrp shortcut
    
    R3#show run | sec ^ip route
    ip route 172.16.0.0 255.255.0.0 GigabitEthernet0/1 172.16.4.1
    
    R3#show run | sec ^router
    router bgp 65001
     bgp router-id 3.3.3.3
     bgp log-neighbor-changes
     network 192.168.3.0
     neighbor 10.0.0.1 remote-as 65001
     neighbor 10.0.0.2 remote-as 65001
    
Host2
    Host2#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to R2 **
     ip address 192.168.2.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    Host2#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.2.2
    
R2#show ip nhrp nhs redundancy

Legend: E=Expecting replies, R=Responding, W=Waiting
No.  Interface  Cluster             NHS Priority  Cur-State  Cur-Queue Prev-State Prev-Queue
  1   Tunnel10        1        10.0.0.1        1         RE    Running          E    Running      « Spoke has single connection to primary Hub
  2   Tunnel10        1        10.0.0.2        2          W    Waiting          E    Running

No.  Interface  Cluster   Status  Max-Con  Total-NHS Registering/UP  Expecting  Waiting Fallback
  1   Tunnel10        1   Enable        1          2              1          0        1        0

R2#show ip bgp sum | beg Ne
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.1        4        65001     145     143        3    0    0 02:07:41        1               « BGP neighborship only with primary Hub
10.0.0.2        4        65001       0       0        1    0    0 never    Idle

R2#show ip route | beg Ga 
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

B*    0.0.0.0/0 [200/0] via 10.0.0.1, 02:06:50                 « Single default route is received from primary Hub
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Tunnel10
L        10.0.0.3/32 is directly connected, Tunnel10
      172.16.0.0/16 is variably subnetted, 3 subnets, 3 masks
S        172.16.0.0/16 [1/0] via 172.16.3.1, GigabitEthernet0/1
C        172.16.3.0/30 is directly connected, GigabitEthernet0/1
L        172.16.3.2/32 is directly connected, GigabitEthernet0/1
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.2.0/24 is directly connected, GigabitEthernet0/0
L        192.168.2.2/32 is directly connected, GigabitEthernet0/0

As the outputs show, the spoke establishes a BGP session only with the primary hub and not with the secondary one. The spoke is instructed to register with a single NHS of the cluster at a time by ip nhrp nhs cluster 1 max-connections 1 on the DMVPN tunnel interface, so only the tunnel to the active NHS comes up and only that iBGP session can form. The price of max-connections 1 is that a hub failure requires a new NHRP registration and a fresh iBGP session with the secondary hub before the default route is back, so convergence is slower than when both sessions are kept up. Also note that R2 and Hub2 are both configured with bgp router-id 2.2.2.2; a BGP speaker rejects an OPEN carrying its own identifier, so the R2 to Hub2 session would fail to establish after a failover until one of them is given a unique router-id.
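A check a practitioner would run against the redundancy output, as an added Python example that is not part of the original page or of Cisco IOS. It parses both tables of show ip nhrp nhs redundancy, derives which NHS should be active from the cluster's priorities and max-connections (lowest priority value wins, as described in the configuration section), and reports deviations from that intent or a change of active NHS between two captures. The first sample is the page's output above with the annotations removed; the second is constructed to look like the state after a failover to Hub2, and its counter values are assumptions.

```python
import re

# Per-NHS rows: No. Interface Cluster NHS Priority Cur-State Cur-Queue Prev-State Prev-Queue
NHS_ROW = re.compile(
    r"^\s*\d+\s+(?P<intf>\S+)\s+(?P<cluster>\d+)\s+(?P<nhs>\d+(?:\.\d+){3})\s+(?P<prio>\d+)"
    r"\s+(?P<cur>[ERW]+)\s+\S+\s+(?P<prev>[ERW]+)\s+\S+")
# Cluster summary rows: No. Interface Cluster Status Max-Con Total-NHS Registering/UP Expecting Waiting Fallback
CLUSTER_ROW = re.compile(
    r"^\s*\d+\s+(?P<intf>\S+)\s+(?P<cluster>\d+)\s+(?P<status>Enable|Disable)\s+(?P<maxcon>\d+)"
    r"\s+(?P<total>\d+)\s+(?P<up>\d+)\s+(?P<expecting>\d+)\s+(?P<waiting>\d+)\s+(?P<fallback>\d+)")

# Copied from the show output on this page, annotations removed.
PAGE_SNAPSHOT = """\
Legend: E=Expecting replies, R=Responding, W=Waiting
No.  Interface  Cluster             NHS Priority  Cur-State  Cur-Queue Prev-State Prev-Queue
  1   Tunnel10        1        10.0.0.1        1         RE    Running          E    Running
  2   Tunnel10        1        10.0.0.2        2          W    Waiting          E    Running

No.  Interface  Cluster   Status  Max-Con  Total-NHS Registering/UP  Expecting  Waiting Fallback
  1   Tunnel10        1   Enable        1          2              1          0        1        0
"""

# Constructed (not captured): what a failover to Hub2 would plausibly look like.
FAILOVER_SNAPSHOT = """\
No.  Interface  Cluster             NHS Priority  Cur-State  Cur-Queue Prev-State Prev-Queue
  1   Tunnel10        1        10.0.0.1        1          W    Waiting         RE    Running
  2   Tunnel10        1        10.0.0.2        2         RE    Running          W    Waiting

No.  Interface  Cluster   Status  Max-Con  Total-NHS Registering/UP  Expecting  Waiting Fallback
  1   Tunnel10        1   Enable        1          2              1          0        1        0
"""


def parse_nhs_redundancy(text):
    """Return (nhs_rows, cluster_rows): one dict per NHS line and per cluster summary line."""
    nhs_rows, cluster_rows = [], []
    for line in text.splitlines():
        m = NHS_ROW.match(line) or CLUSTER_ROW.match(line)
        if not m:
            continue
        row = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
        (nhs_rows if "nhs" in row else cluster_rows).append(row)
    return nhs_rows, cluster_rows


def active_nhs(nhs_rows, cluster):
    """NHS the spoke is registered with right now: Cur-State carries R (Responding)."""
    return {r["nhs"] for r in nhs_rows if r["cluster"] == cluster and "R" in r["cur"]}


def expected_active(nhs_rows, cluster, max_con):
    """Who should be active: the lowest priority values, capped by max-connections."""
    rows = sorted((r for r in nhs_rows if r["cluster"] == cluster),
                  key=lambda r: (r["prio"], r["nhs"]))
    return {r["nhs"] for r in rows[:max_con]}


def check_cluster_state(text):
    """Compare the live state with the configured intent; returns a list of findings."""
    nhs_rows, cluster_rows = parse_nhs_redundancy(text)
    findings = []
    for c in cluster_rows:
        cid, max_con = c["cluster"], c["maxcon"]
        if c["status"] != "Enable":
            findings.append(f"cluster {cid}: redundancy disabled")
            continue
        actual, wanted = active_nhs(nhs_rows, cid), expected_active(nhs_rows, cid, max_con)
        if len(actual) != max_con:
            findings.append(f"cluster {cid}: {len(actual)} NHS responding, max-connections is {max_con}")
        if actual and actual != wanted:
            findings.append(f"cluster {cid}: active {sorted(actual)} is not the priority choice "
                            f"{sorted(wanted)} (failover or priority change)")
        if c["up"] != len(actual):
            findings.append(f"cluster {cid}: summary says {c['up']} up, rows show {len(actual)}")
    return findings


def failover_events(before, after):
    """Active-NHS changes between two captures, e.g. from a polling job: (cluster, was, now)."""
    b_rows, _ = parse_nhs_redundancy(before)
    a_rows, a_clusters = parse_nhs_redundancy(after)
    events = []
    for c in a_clusters:
        was, now = active_nhs(b_rows, c["cluster"]), active_nhs(a_rows, c["cluster"])
        if was != now:
            events.append((c["cluster"], sorted(was), sorted(now)))
    return events


if __name__ == "__main__":
    print("page capture:", check_cluster_state(PAGE_SNAPSHOT) or "clean")
    print("failover capture:", check_cluster_state(FAILOVER_SNAPSHOT))
    print("events:", failover_events(PAGE_SNAPSHOT, FAILOVER_SNAPSHOT))
```

The page's capture passes clean (one NHS responding, it is the priority-1 hub, the summary agrees), while the constructed failover capture produces a single finding: the active NHS is 10.0.0.2 although 10.0.0.1 has the better priority. That is exactly the condition to alert on, since it means either the primary hub is unreachable or someone changed the priorities on the spoke.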

When the NHS priority is changed on the spoke's tunnel interface, the spoke sends an NHRP Purge Request to the NHS, which answers with a Purge Reply. The Purge message signals that an NHRP cache entry is no longer valid and is used during reconvergence of the DMVPN network, such as this priority change; the hub counters below show exactly one Purge Request received and one Purge Reply sent. Details are in RFC 2332. After the priority change the spoke registers with Hub2, and its tunnel to Hub1 is left without a socket, as the show dmvpn output further below shows.

Hub1#show ip nhrp traffic
Tunnel10: Max-send limit:10000Pkts/10Sec, Usage:0%
   Sent: Total 1379
         0 Resolution Request  0 Resolution Reply  0 Registration Request  
         128 Registration Reply  0 Purge Request  1 Purge Reply  
         0 Error Indication  1250 Traffic Indication  0 Redirect Suppress  
   Rcvd: Total 129
         0 Resolution Request  0 Resolution Reply  128 Registration Request  
         0 Registration Reply  1 Purge Request  0 Purge Reply  
         0 Error Indication  0 Traffic Indication  0 Redirect Suppress

R2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable, I2 - Temporary
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel10, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 172.16.1.2             10.0.0.1  NHRP 00:01:28    SX       « Spoke R2 no longer uses Hub1 as primary NHS
     1 172.16.2.2             10.0.0.2    UP 00:00:05     S