Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
510
Views
1
Helpful
2
Replies

Why is NHRP configuraiton on the virtual-template interface necessary?

Go to solution
mario.jost
Level 3
Level 3

‎08-22-2023 04:53 AM - last edited on ‎08-24-2023 03:11 AM by Community Manager

I am reading thru this manual on how to configure

NHRP

on FlexVPN:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-mt/sec-flex-vpn-15-mt-book/sec-flex-spoke.html#GUID-C52DFA6D-CF76-484E-B348-51CA0792C1AB

I am in particular talking about the spoke part where there they use the same

NHRP

configuration on the tunnel and virtual template interface. Example:

interface Tunnel0
 ip address negotiated
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel destination 10.0.0.100
 tunnel protection ipsec profile default
!
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!

So as there is traffic from spokeA to spokeB, the hub creates a redirect message causing the two spokes to create direct VPN tunnel in between eachother. At this point, traffic that is sourced from spokeA and destined for spokeB (and vice versa) will go thru this tunnel that is a virtual-access interface. So why do we have to have

NHRP

even runnning on this virtual access interface? We are not doing routing (because of the next-hop-override of

NHRP

) so there is no possibility that any traffic destined for another spoke would arrive via this virtual-access interface where

NHRP

would have to jump in an

redirect

it in any way. So my undertanding is, that we can leave out all 3

NHRP

commands from the virtual-template interface. But surely, if that is the case, then cisco wouldnt put such a configuration into a template. So what am i missing here?

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
M02@rt37
VIP
VIP

‎08-22-2023 05:19 AM - last edited on ‎08-24-2023 02:57 AM by Community Manager

Hello @mario.jost,

As concerned

NHRP

configuration on the virtual-template interface, you're correct that you may not need the

NHRP

commands on the virtual-template interface since it's used for tunnel establishment and encapsulation, not routing decisions. However, Cisco might include these commands for consistency and ease of configuration, especially in a template where it's assumed to be part of a larger deployment.

If you're confident that the

NHRP

commands on the virtual-template interface aren't necessary for your specific use case and network design, you can certainly omit them without adversely affecting the DMVPN functionality. Just ensure that the

NHRP

configuration on the tunnel interface and the spoke interfaces is correctly set up to handle the

NHRP

traffic and shortcut creation.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post

2 Replies 2

Go to solution
M02@rt37
VIP
VIP

‎08-22-2023 05:19 AM - last edited on ‎08-24-2023 02:57 AM by Community Manager

Hello @mario.jost,

As concerned

NHRP

configuration on the virtual-template interface, you're correct that you may not need the

NHRP

commands on the virtual-template interface since it's used for tunnel establishment and encapsulation, not routing decisions. However, Cisco might include these commands for consistency and ease of configuration, especially in a template where it's assumed to be part of a larger deployment.

If you're confident that the

NHRP

commands on the virtual-template interface aren't necessary for your specific use case and network design, you can certainly omit them without adversely affecting the DMVPN functionality. Just ensure that the

NHRP

configuration on the tunnel interface and the spoke interfaces is correctly set up to handle the

NHRP

traffic and shortcut creation.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Go to solution
mario.jost
Level 3
Level 3

‎08-23-2023 12:52 PM - last edited on ‎08-24-2023 03:03 AM by Community Manager

Hey M02@rt37 

Thank you very much for the reply and the explanation. Follow up question that belongs in the same category. Am i right to assume that only the Hub needs to have

ip nhrp redirect

active on its interfaces and the spokes dont need this. Because as it is described in this step of the same document:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-mt/sec-flex-vpn-15-mt-book/sec-flex-spoke.html#GUID-2762C965-B052-4876-8F9A-2ACCEF05BBE4

under the illustration, it explains as step 3:

The traffic from Host1 to Host2 traverses the hub through virtual access interface1 and virtual access interface2. The hub determines that ingress and the egress interfaces (virtual access interface1 and virtual access interface2) belong to same

NHRP

network (network D configured on both the interfaces). The hub sends out an

NHRP redirect

message to spoke1 on virtual access interface1.

So i understand it like. If the traffic has to do a "turn" on a router between two interfaces belonging to the same

NHRP

group, this

redirect

command is necessary. But if i understand our design, there is no traffic going to one of our spoke routers and getting "redirected" to another spoke router. So therefore the

redirect

is not necessary on the spokes tunnel interface. Am i right?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card