NHRP can be used to provide an overlay VPN that dynamically initiates tunnels between nodes. Previously, tunnels could only be created manually, which did not scale and in practice restricted the topology to hub-and-spoke, since anything else would need a tunnel configured on each node to every other node.

Normally (but not necessarily) NHRP is combined with IPsec encryption to provide a private tunnel between sites.

In terms of configuration we can break the process up into stages.

  • Create GRE multipoint tunnel interfaces
  • Establish NHRP negotiation
  • Enable a dynamic routing protocol to distribute routing information
  • Enable encryption within tunnels to protect data


! Stages 1 and 2: multipoint GRE tunnel interface with NHRP
interface Tunnel0
 ip address
 no ip redirects
 no ip next-hop-self eigrp 100
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 no ip split-horizon eigrp 100
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
!
! Stage 3: dynamic routing protocol
router eigrp 100
 no auto-summary
!
! Stage 4: ISAKMP policy and pre-shared key
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SECRET_KEY address
!
! IPsec transform set and profile
crypto ipsec transform-set MY_TRANSFORM_SET ah-md5-hmac esp-3des
 mode transport
crypto ipsec profile MY_IPSEC_PROFILE
 set transform-set MY_TRANSFORM_SET
!
! Apply the IPsec profile to the tunnel interface
interface Tunnel0
 tunnel protection ipsec profile MY_IPSEC_PROFILE
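
The ISAKMP policy and transform set above use 3DES, MD5 and DH group 2, which are legacy algorithms. As an added example (not part of the original post), this Python check parses an IOS-style configuration and flags those settings, plus any multipoint GRE tunnel without "tunnel protection"; the sample config is constructed from the lines above, and the rule list and function name are assumptions of this example.

```python
import re

# Constructed sample: crypto and tunnel lines taken from the configuration above.
SAMPLE = """\
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile MY_IPSEC_PROFILE
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set MY_TRANSFORM_SET ah-md5-hmac esp-3des
 mode transport
"""

# Sub-commands of "crypto isakmp policy" that select legacy algorithms (assumed rule set).
IKE_RULES = [
    (r"(encr|encryption) (des|3des)$", "IKE cipher is DES/3DES, prefer AES"),
    (r"hash md5$", "IKE hash is MD5, prefer SHA-2"),
    (r"group (1|2|5)$", "IKE DH group is under 2048 bits, prefer 14 or higher"),
]
# Transform-set keywords built on DES/3DES or MD5.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

def audit(config):
    """Return sorted (line_no, message) findings for an IOS-style config string."""
    findings, section, mgre = [], "", {}
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):          # top-level command opens a section
            section = line
            if line.startswith("crypto ipsec transform-set"):
                for word in line.split()[4:]:
                    if word in WEAK_TRANSFORMS:
                        findings.append((no, f"transform {word} is legacy"))
            continue
        if section.startswith("crypto isakmp policy"):
            findings += [(no, msg) for rx, msg in IKE_RULES if re.match(rx, line)]
        elif section.startswith("interface Tunnel"):
            if line == "tunnel mode gre multipoint":
                mgre.setdefault(section, no)
            elif line.startswith("tunnel protection ipsec"):
                mgre[section] = None         # mGRE tunnel is IPsec-protected
    findings += [(no, "mGRE tunnel has no 'tunnel protection'")
                 for no in mgre.values() if no]
    return sorted(findings)
```

Calling audit(SAMPLE) reports the cipher, hash, DH group and both transform keywords; a policy using AES, SHA-2 and group 14 returns no findings.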
NHRP with Spoke to Spoke Connectivity