NHRP (Next Hop Resolution Protocol) can be used to build an overlay VPN in which tunnels between nodes are initiated dynamically. Previously tunnels had to be created manually, which did not scale and, realistically, restricted the topology to hub-and-spoke: anything else would need a tunnel configured on each node to every other node.
Normally (but not necessarily) NHRP is combined with IPsec encryption to provide a private tunnel between sites.
In terms of configuration, we can break the process up into stages:
- Create GRE multipoint tunnel interfaces
- Establish NHRP negotiation
- Enable a dynamic routing protocol to distribute routing information
- Enable encryption within tunnels to protect data
```
interface Tunnel0
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 100
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 no ip split-horizon eigrp 100
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
```
```
router eigrp 100
 network 10.53.3.4 0.0.0.3
 network 192.168.10.0
 no auto-summary
```
```
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SECRET_KEY address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set MY_TRANSFORM_SET ah-md5-hmac esp-3des
 mode transport
!
crypto ipsec profile MY_IPSEC_PROFILE
 set transform-set MY_TRANSFORM_SET
```
```
! Entered in interface configuration mode on the tunnel interface (Tunnel0)
tunnel protection ipsec profile MY_IPSEC_PROFILE
```
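The encryption stage above uses 3DES, MD5, Diffie-Hellman group 2 and a pre-shared key bound to the wildcard address 0.0.0.0, all of which a configuration review would flag. The following is an added example, not part of the original page: a small Python check that walks an IOS configuration and reports those settings, plus any multipoint GRE tunnel that has no `tunnel protection` line. The rule ids and the `audit` function are hypothetical names, and the sample input is constructed from the commands on this page.

```python
import re

# Constructed sample: hub commands from this page, one per line (NHRP and routing omitted).
SAMPLE_CONFIG = """\
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile MY_IPSEC_PROFILE
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp key SECRET_KEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set MY_TRANSFORM_SET ah-md5-hmac esp-3des
 mode transport
"""

# Hypothetical rule ids -> (regex applied to one stripped config line, reason).
RULES = {
    "ike-3des": (r"^encr(yption)? (3des|des)\b", "IKE cipher is DES/3DES"),
    "ike-md5": (r"^hash md5\b", "IKE hash is MD5"),
    "ike-dh": (r"^group (1|2|5)$", "DH group of 1536 bits or less"),
    "psk-wildcard": (r"^crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$",
                     "one pre-shared key is valid for every peer address"),
    "ipsec-weak": (r"^crypto ipsec transform-set \S+ .*\b(ah-md5-hmac|esp-md5-hmac|esp-3des|esp-des)\b",
                   "transform set uses MD5 or DES/3DES"),
}

def audit(config):
    """Return [(rule_id, offending_line)] for an IOS configuration string."""
    findings = []
    iface, is_mgre, protected = None, False, False
    def close_interface():
        # An mGRE tunnel without 'tunnel protection' carries traffic unencrypted.
        if iface and is_mgre and not protected:
            findings.append(("mgre-no-ipsec", iface))
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # a top-level command ends the interface block
            close_interface()
            iface = line if line.startswith("interface ") else None
            is_mgre = protected = False
        elif iface:
            is_mgre |= line == "tunnel mode gre multipoint"
            protected |= line.startswith("tunnel protection ipsec profile ")
        findings += [(rid, line) for rid, (pat, _) in RULES.items() if re.search(pat, line)]
    close_interface()
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns one finding per weak crypto line; the reason for each rule id is in `RULES[rule_id][1]`.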