FRR supports NHRP. We can use FRR nhrpd instead of OpenNHRP
Description
Details
- Version: -
- Is it a breaking change? Unspecified (possibly destroys the router)
- Issue type: Internal change (not visible to end users)
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Needs testing | FEATURE REQUEST | a.apostoliuk | T2326 Migrate NHRP(DMVPN) to FRR |
| On hold | FEATURE REQUEST | None | T3040 NHRP IPv6 Support |
Event Timeline
FRR nhrpd does not support multicast over GRE tunnels, so OSPF and EIGRP don't work, since they use multicast addresses to discover neighbours.
As I remember, the lack of multicast replication was the reason this stalled the last time it was discussed... And as OSPF and EIGRP are the most used protocols run over DMVPN, I think this is a showstopper for implementing nhrpd.
@hammerstud that would work for you - but it will break everyone else's implementation ;)
@c-po There is some recent news on FRR's NHRPD and multicast support it seems, please see here:
http://docs.frrouting.org/en/latest/nhrpd.html#multicast-functionality
and here:
https://github.com/FRRouting/frr/commit/d75213d26036a2880f23f5e67cb1c890f20299de
@c-po @Viacheslav
Further news on this topic - FRR 8.0 released yesterday (7/29) which includes the aforementioned nhrpd multicast improvements, among a lot of other nice things:
> July 29, 2021. The FRR community is pleased to announce FRR 8.0. In this release there are over 2200 commits from 91 different authors. Please note that we expect to release a bugfix point release relatively soon after this release.
>
> nhrpd
> - Add nhrp multicast-nflog-group (1-65535) command
> - Add configuration options for vici socket path
> - Add support for forwarding multicast packets
> - Fix handling of MTU
> - Fix handling of NAT extension
> - Retry IPsec under some conditions
I think NHRP Cisco Auth is still missing: https://github.com/FRRouting/frr/blob/master/nhrpd/nhrp_peer.c#L1212
This was cited to me as a concern for migrating to FRR.
I agree it would be nice to have the Cisco Auth functionality; however, the original author of opennhrp themselves recommends using FRR nhrpd instead where possible. It appears that most effort going forward will be put into FRR's nhrpd, and not the original opennhrp.
Cisco Auth is a necessity for those who want to migrate from this vendor's hardware to VyOS. You can easily add a VyOS node to an existing DMVPN.
I have created a draft pull request for FRR, but I can still see a bunch of odd bugs.
I'm going to activate it after additional testing by the team.
Most issues involve Wireshark's inability to parse the packets correctly (it displays an exception), although the daemons seem to run fine.
https://github.com/FRRouting/frr/pull/14788
Thanks to dleroy@labn.net, who finished my PR, the NHRP Cisco auth was merged today.
https://github.com/FRRouting/frr/pull/16172
During internal testing, we saw an issue when connecting to Cisco Hub or something like that.
This needs to be retested. Also, I expect some minor issues with the wireshark display, etc...
Let me know if my assistance is still needed)
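The comments above concern FRR's Cisco-compatible NHRP authentication, which the FRR manual describes as embedding a plaintext password in outgoing NHRP packets and discarding incoming packets on the interface unless the password is present. The following is an added example, not FRR, OpenNHRP or VyOS code: it walks the RFC 2332 extension list at the tail of an NHRP packet (16-bit type with the compulsory "C" bit, 16-bit length, payload; authentication is extension type 7) and applies that accept/drop policy, including the two failure modes a migration hits: the secret differing between hub and spoke, and the password being removed on one side only. The internal layout of the authentication payload (a 4-byte sub-type of 1 followed by the secret) and the test packets are assumptions constructed for this example, not captured traffic.

```python
"""Walk the RFC 2332 NHRP extension list and apply a Cisco-style
plaintext authentication policy.  Added example, not FRR or VyOS code."""
import hmac
import struct
from typing import List, Optional, Tuple

NHRP_EXT_END = 0              # end-of-extensions marker (RFC 2332, 5.3.1)
NHRP_EXT_AUTHENTICATION = 7   # authentication extension (RFC 2332, 5.3.5)
NHRP_EXT_COMPULSORY = 0x8000  # "C" bit in the 16-bit extension type field
AUTH_PLAINTEXT = 1            # assumed sub-type value for a plaintext secret


def parse_extensions(tail: bytes) -> List[Tuple[int, bool, bytes]]:
    """Return (type, compulsory, payload) for each extension in packet tail `tail`.

    Each extension is a 16-bit type (C bit + 15-bit type), a 16-bit length,
    and `length` payload bytes.  Lengths are bounds-checked so a truncated or
    hostile packet raises instead of reading past the buffer.
    """
    exts = []
    off = 0
    while off + 4 <= len(tail):
        raw_type, length = struct.unpack_from("!HH", tail, off)
        off += 4
        if off + length > len(tail):
            raise ValueError("NHRP extension length exceeds packet")
        ext_type = raw_type & 0x7FFF
        exts.append((ext_type, bool(raw_type & NHRP_EXT_COMPULSORY), tail[off:off + length]))
        off += length
        if ext_type == NHRP_EXT_END:
            break
    return exts


def check_cisco_auth(tail: bytes, configured_secret: Optional[bytes]) -> bool:
    """Accept/drop decision for one received packet.

    Policy modelled on the FRR manual's description of `ip nhrp authentication`:
    with no secret configured everything is accepted; with a secret configured,
    a packet is dropped unless it carries an authentication extension whose
    plaintext secret matches.  The `sub-type || secret` payload layout is an
    assumption of this example.
    """
    if configured_secret is None:
        return True
    auth = [p for t, _, p in parse_extensions(tail) if t == NHRP_EXT_AUTHENTICATION]
    if not auth:
        return False
    payload = auth[0]
    if len(payload) < 4 or struct.unpack_from("!I", payload)[0] != AUTH_PLAINTEXT:
        return False
    # constant-time compare: response timing must not reveal how much of the secret matched
    return hmac.compare_digest(payload[4:].rstrip(b"\x00"), configured_secret)


def build_auth_ext(secret: bytes, compulsory: bool = True) -> bytes:
    """Encode a Cisco-style authentication extension (layout assumed as above)."""
    body = struct.pack("!I", AUTH_PLAINTEXT) + secret
    ext_type = NHRP_EXT_AUTHENTICATION | (NHRP_EXT_COMPULSORY if compulsory else 0)
    return struct.pack("!HH", ext_type, len(body)) + body


def build_tail(*exts: bytes) -> bytes:
    """Constructed packet tail: the given extensions followed by the end marker."""
    return b"".join(exts) + struct.pack("!HH", NHRP_EXT_END | NHRP_EXT_COMPULSORY, 0)


if __name__ == "__main__":
    # Constructed cases: secrets agree, hub secret changed, password removed on the spoke, no auth anywhere
    print(check_cisco_auth(build_tail(build_auth_ext(b"secret")), b"secret"))  # True
    print(check_cisco_auth(build_tail(build_auth_ext(b"secret")), b"other"))   # False
    print(check_cisco_auth(build_tail(), b"secret"))                           # False
    print(check_cisco_auth(build_tail(), None))                                # True
```

Note what the password does and does not buy: it is sent in the clear, so it only stops a misconfigured or stray peer from registering, not an attacker who can read the NBMA network; confidentiality and peer authentication still come from the IPsec profile protecting the GRE tunnel. The third case above is the one to watch when "removing the password" on only one side, as mentioned later in this thread: the side that still has a secret configured drops every registration from the side that no longer sends one.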
@volodymyr.huti I've checked a hub & spoke with Cisco NHRP and opennhrp, and it works, although it has some issues related to establishing the spoke-to-spoke tunnel or when removing the password. Here is my environment (it was merged for the master branch, not backported to stable).
```
debian12-frr# show ip nhrp
Iface  Type   Protocol      NBMA             Claimed NBMA     Flags  Identity
gre1   nhs    10.0.253.134  192.168.139.101  192.168.139.101  T
gre1   local  10.0.253.133  192.168.139.102  192.168.139.102  -

debian12-frr# show ip nhrp opennhrp
Status: ok

Type: nhs
Flags: up
Protocol-Address: 10.0.253.134/32
NBMA-Address: 192.168.139.101

Type: local
Flags:
Protocol-Address: 10.0.253.133/32

debian12-frr# show ip nhrp nhs
Iface  FQDN             NBMA             Protocol
gre1   192.168.139.101  192.168.139.101  10.0.253.134
```

FRR config, spoke:

```
frr version 10.2-dev-FRR-dev
frr defaults traditional
hostname debian12-frr
log file /etc/log/frr/frr.log
!
debug zebra events
debug nhrp all
!
ip route 0.0.0.0/0 gre1
!
interface gre1
 description DMVPN Spoke
 ip address 10.0.253.133/32
 ip nhrp authentication secret
 ip nhrp holdtime 60
 ip nhrp network-id 1
 ip nhrp nhs dynamic nbma 192.168.139.101
 ip nhrp redirect
 ip nhrp registration no-unique
 ip nhrp shortcut
 no link-detect
 tunnel source ens3
exit
!
```

Routing table and a ping to the hub:

```
S>* 0.0.0.0/0 [1/0] is directly connected, gre1, weight 1, 00:16:49
L * 10.0.253.133/32 is directly connected, gre1, 00:16:49
C>* 10.0.253.133/32 is directly connected, gre1, 00:16:49
N>* 10.0.253.134/32 [10/0] is directly connected, gre1, weight 1, 00:16:48
C>* 192.168.139.0/24 is directly connected, ens3, 00:16:49
L>* 192.168.139.102/32 is directly connected, ens3, 00:16:49

debian12-frr# ping 10.0.253.134
PING 10.0.253.134 (10.0.253.134) 56(84) bytes of data.
64 bytes from 10.0.253.134: icmp_seq=1 ttl=255 time=0.555 ms
64 bytes from 10.0.253.134: icmp_seq=2 ttl=255 time=0.516 ms
^C
--- 10.0.253.134 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.516/0.535/0.555/0.019 ms
```
Cisco hub:

```
hub#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override, C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel100 is up/up, Addr. is 10.0.253.134, VRF ""
   Tunnel Src./Dest. addr: 192.168.139.101/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect ""
   Interface State Control: Disabled
   nhrp event-publisher : Disabled

IPv4 Registration Timer: 60 seconds

Type:Hub, Total NBMA Peers (v4/v6): 2
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 192.168.139.102    10.0.253.133    UP 00:19:40     D    10.0.253.133/32

Crypto Session Details:
--------------------------------------------------------------------------------

Pending DMVPN Sessions:

hub#show ip nhrp detail
10.0.253.133/32 via 10.0.253.133
   Tunnel100 created 00:20:04, expire 00:00:55
   Type: dynamic, Flags: registered used nhop
   NBMA address: 192.168.139.102

hub#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.253.128/29 is directly connected, Tunnel100
L        10.0.253.134/32 is directly connected, Tunnel100
      192.168.139.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.139.0/24 is directly connected, Ethernet0/1
L        192.168.139.101/32 is directly connected, Ethernet0/1
hub#
```
Log:

```
2024/06/27 00:43:49 NHRP: [N2D3R-FSGYB] gre1: IPv4 address changed to 10.0.253.133/32
2024/06/27 00:43:49 NHRP: [Y8MQK-M3R2Z] cache: new type 0/7, or peer same, or mtu 0/0, nbma (unspec) --> (NULL) (map 0)
2024/06/27 00:43:49 NHRP: [KBRW1-VCH1W] cache: gre1 10.0.253.133: accept
2024/06/27 00:43:49 NHRP: [Q70EN-P89TF] cache (peer check failed: no p)
2024/06/27 00:43:49 NHRP: [Q5SCG-KA6PJ] gre1: gre interface 6 vr 0 obtained from system
2024/06/27 00:43:49 NHRP: [KCKXM-TF1BY] gre1: GRE: 1000000 2 0
2024/06/27 00:43:49 NHRP: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
2024/06/27 00:43:49 NHRP: [G6NKK-8C6DV] end_config: VTY:0x55b096032ad0, pending SET-CFG: 0
2024/06/27 00:43:49 NHRP: [RQD0X-A6AJP] if-route-add: 0.0.0.0/0 via 0.0.0.0 dev gre1
2024/06/27 00:43:50 NHRP: [Z7K3A-GSQPT] NHS: Register 10.0.253.133 -> 10.0.253.133 (timeout 1)
2024/06/27 00:43:50 NHRP: [PTQ80-8JY6C] Send Registration-Request(3) 10.0.253.133 -> 10.0.253.133
2024/06/27 00:43:50 NHRP: [WSA6E-5GM0H] PACKET: Send 192.168.139.102 -> 192.168.139.101
2024/06/27 00:43:50 NHRP: [K0534-5VD2M] PACKET: Recv 192.168.139.101 -> 192.168.139.102
2024/06/27 00:43:50 NHRP: [PTQ80-8JY6C] Recv Registration-Reply(4) 10.0.253.134 -> 10.0.253.133
2024/06/27 00:43:50 NHRP: [RHB3H-QNGNH] Processing Authentication Extension for (secret:secret�|0)
2024/06/27 00:43:50 NHRP: [PTQ80-8JY6C] !LOCAL Registration-Reply(4) 10.0.253.134 -> 10.0.253.133
2024/06/27 00:43:50 NHRP: [HNSEW-AYHEP] NHS: Reg.reply received
2024/06/27 00:43:50 NHRP: [TZGHZ-EV5AB] NHS: CIE registration: 10.0.253.133: 0
2024/06/27 00:43:50 NHRP: [Y8MQK-M3R2Z] cache: new type 0/5, or peer diff, or mtu 0/0, nbma (unspec) --> (NULL) (map 0)
2024/06/27 00:43:50 NHRP: [KBRW1-VCH1W] cache: gre1 10.0.253.134: accept
2024/06/27 00:43:50 NHRP: [R4TF4-BYXGE] cache (remote_nbma_natoa unspec): Upda
```
Although, spoke-to-spoke between FRR and Cisco couldn't work, at least for the moment.
Confirming that it works as well: spoke-to-spoke connection, adding authentication:
Cisco spoke:

```
interface Tunnel10
 description To VyOS-HUB
 ip address 10.0.253.129 255.255.255.248
 no ip redirects
 ip nhrp authentication secret
 ip nhrp map 10.0.253.134 192.168.139.101
 ip nhrp map multicast 192.168.139.101
 ip nhrp network-id 1
 ip nhrp holdtime 60
 ip nhrp nhs 10.0.253.134
 ip nhrp registration timeout 60
 tunnel source Ethernet0/2
 tunnel mode gre multipoint
 tunnel key 1
!
interface Ethernet0/2
 ip address 192.168.139.105 255.255.255.0
!
```

```
rt-spoke2# ping 10.0.253.133
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.253.133, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

rt-spoke2#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override, C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel10 is up/up, Addr. is 10.0.253.129, VRF ""
   Tunnel Src./Dest. addr: 192.168.139.105/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect ""
   Interface State Control: Disabled
   nhrp event-publisher : Disabled

IPv4 Registration Timer: 60 seconds

IPv4 NHS:
10.0.253.134  RE priority = 0 cluster = 0
Type:Spoke, Total NBMA Peers (v4/v6): 3
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 192.168.139.105    10.0.253.129    UP 00:00:41   DLX    10.0.253.129/32
    1 192.168.139.102    10.0.253.133    UP 00:00:41     D    10.0.253.133/32
    1 192.168.139.101    10.0.253.134    UP 15:41:51     S    10.0.253.134/32

Crypto Session Details:
--------------------------------------------------------------------------------

Pending DMVPN Sessions:

rt-spoke2#show ip nhrp brief
   Target             Via            NBMA             Mode     Intfc   Claimed
10.0.253.129/32    10.0.253.129    192.168.139.105  dynamic  Tu10    <   >
10.0.253.133/32    10.0.253.133    192.168.139.102  dynamic  Tu10    <   >
10.0.253.134/32    10.0.253.134    192.168.139.101  static   Tu10    <   >

rt-spoke2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.253.128/29 is directly connected, Tunnel10
L        10.0.253.129/32 is directly connected, Tunnel10
      192.168.139.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.139.0/24 is directly connected, Ethernet0/2
L        192.168.139.105/32 is directly connected, Ethernet0/
```
FRR spoke:
```
debian12-frr# show ip route
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

S>* 0.0.0.0/0 [1/0] is directly connected, gre1, weight 1, 14:45:49
S>* 10.0.253.0/24 [1/0] via 10.0.253.134, gre1 onlink, weight 1, 01:13:54
N>* 10.0.253.129/32 [10/0] is directly connected, gre1, weight 1, 00:00:04
L * 10.0.253.133/32 is directly connected, gre1, 14:45:49
C>* 10.0.253.133/32 is directly connected, gre1, 14:45:49
N>* 10.0.253.134/32 [10/0] is directly connected, gre1, weight 1, 14:45:48
C>* 192.168.139.0/24 is directly connected, ens3, 14:45:49
L>* 192.168.139.102/32 is directly connected, ens3, 14:45:49

debian12-frr# show ip nhrp nhs
Iface  FQDN             NBMA             Protocol
gre1   192.168.139.101  192.168.139.101  10.0.253.134

debian12-frr# show ip nhrp
Iface  Type     Protocol      NBMA             Claimed NBMA     Flags  Identity
gre1   dynamic  10.0.253.129  192.168.139.105  192.168.139.105  T
gre1   nhs      10.0.253.134  192.168.139.101  192.168.139.101  T
gre1   local    10.0.253.133  192.168.139.102  192.168.139.102  -

debian12-frr# show ip nhrp opennhrp
Status: ok

Type: dynamic
Flags: up
Protocol-Address: 10.0.253.129/32
NBMA-Address: 192.168.139.105
NBMA-NAT-OA-Address: 192.168.139.105

Type: nhs
Flags: up
Protocol-Address: 10.0.253.134/32
NBMA-Address: 192.168.139.101

Type: local
Flags:
Protocol-Address: 10.0.253.133/32
```
Can't reassign it to myself; I will have time in the next few weeks.
Would appreciate minimal mod permissions, so I can close my old work.
Contact me for details if needed, thx!)