FRR supports NHRP. We can use FRR nhrpd instead of openNHRP
Description
Details
- Version
- -
- Is it a breaking change?
- Unspecified (possibly destroys the router)
- Issue type
- Internal change (not visible to end users)
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Resolved | FEATURE REQUEST | a.apostoliuk | T2326 Migrate NHRP(DMVPN) to FRR |
| On hold | FEATURE REQUEST | None | T3040 NHRP IPv6 Support |
Event Timeline
FRR nhrpd does not support multicasting over GRE tunnels, so OSPF or EIGRP don't work since they use multicast addresses to discover neighbors.
As I remember, the lack of multicast replication was the reason this stopped up last time it was discussed... And as OSPF and EIGRP are the most used protocols run over DMVPN, I think this is a showstopper for implementing nhrpd.
@hammerstud that would work for you - but it will break everyone else's implementation ;)
@c-po There is some recent news on FRR's NHRPD and multicast support it seems, please see here:
http://docs.frrouting.org/en/latest/nhrpd.html#multicast-functionality
and here:
https://github.com/FRRouting/frr/commit/d75213d26036a2880f23f5e67cb1c890f20299de
@c-po @Viacheslav
Further news on this topic - FRR 8.0 released yesterday (7/29) which includes the aforementioned nhrpd multicast improvements, among a lot of other nice things:
July 29, 2021 The FRR community is pleased to announce FRR 8.0. In this release there are over 2200 commits from 91 different authors. Please note that we expect to release a bugfix point release relatively soon after this release.
nhrpd
- Add nhrp multicast-nflog-group (1-65535) command
- Add configuration options for vici socket path
- Add support for forwarding multicast packets
- Fix handling of MTU
- Fix handling of NAT extension
- Retry IPsec under some conditions
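As an added illustration (not from this task or from the FRR project itself) of what the FRR 8.0 multicast forwarding listed above needs on a spoke so that OSPF/EIGRP hellos cross the DMVPN: the command names follow the FRR nhrpd documentation linked earlier in this thread, the tunnel name gre1 and nflog group 2 are assumptions, and the hub NBMA address is the one used in this thread.

```text
! --- FRR nhrpd spoke (vtysh), added example ---
! nhrpd reads multicast packets copied to this nflog group and re-sends
! each one as unicast GRE to every NBMA address mapped for multicast.
! nflog group 2 is an arbitrary choice for this example.
nhrp multicast-nflog-group 2
!
interface gre1
 ip nhrp network-id 1
 ip nhrp nhs dynamic nbma 192.168.139.101
 ! spoke: replicate multicast only towards the hub (same as the Cisco
 ! "ip nhrp map multicast 192.168.139.101"); on the hub use
 ! "ip nhrp map multicast dynamic" to replicate to all registered spokes
 ip nhrp map multicast 192.168.139.101
 ip nhrp shortcut
 ip nhrp redirect
exit

# --- Linux side (root), added example ---
# Without this rule nothing reaches nhrpd: the kernel has no multicast
# replication on a multipoint GRE tunnel, which is the gap discussed above.
iptables -A OUTPUT -d 224.0.0.0/24 -o gre1 -j NFLOG --nflog-group 2
```

The nflog group here must match on both lines; if OSPF neighbors still do not form, "show ip nhrp" should list the hub with a multicast mapping before looking at OSPF itself.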
I think NHRP Cisco Auth is still missing: https://github.com/FRRouting/frr/blob/master/nhrpd/nhrp_peer.c#L1212
This was cited to me as a concern for migrating to FRR.
I agree it would be nice to have the Cisco Auth functionality; however, the original author of opennhrp themselves recommends using FRR nhrpd instead where possible. It appears that most effort going forward will be put into FRR's nhrpd, and not the original opennhrp.
Cisco Auth is a necessity for those who want to migrate from this vendor's hardware to VyOS. You can easily add a VyOS node to an existing DMVPN.
I have created a draft pull request for FRR, but I can still see a bunch of odd bugs.
I'm going to activate it after additional testing by the team.
Most issues involve Wireshark's inability to parse packets correctly and display an exception, although the daemons seem to run fine.
https://github.com/FRRouting/frr/pull/14788
Thanks to dleroy@labn.net, who has finished my PR, the Nhrp Cisco auth was merged today.
https://github.com/FRRouting/frr/pull/16172
During internal testing, we saw an issue when connecting to Cisco Hub or something like that.
This needs to be retested. Also, I expect some minor issues with the wireshark display, etc...
Let me know if my assistance is still needed)
@volodymyr.huti I've checked a hub & spoke with Cisco NHRP and opennhrp; it works, although it has some issues related to establishing a spoke-to-spoke tunnel or when removing the password. Here is my environment (it was merged for the master branch, not backported to stable).
debian12-frr# show ip nhrp
Iface Type Protocol NBMA Claimed NBMA Flags Identity
gre1 nhs 10.0.253.134 192.168.139.101 192.168.139.101 T
gre1 local 10.0.253.133 192.168.139.102 192.168.139.102 -
debian12-frr# show ip nhrp opennhrp
Status: ok
Type: nhs
Flags: up
Protocol-Address: 10.0.253.134/32
NBMA-Address: 192.168.139.101
Type: local
Flags:
Protocol-Address: 10.0.253.133/32
debian12-frr# show ip nhrp nhs
Iface FQDN NBMA Protocol
gre1 192.168.139.101 192.168.139.101 10.0.253.134
### FRR config - spoke:
frr version 10.2-dev-FRR-dev
frr defaults traditional
hostname debian12-frr
log file /etc/log/frr/frr.log
!
debug zebra events
debug nhrp all
!
ip route 0.0.0.0/0 gre1
!
interface gre1
description DMVPN Spoke
ip address 10.0.253.133/32
ip nhrp authentication secret
ip nhrp holdtime 60
ip nhrp network-id 1
ip nhrp nhs dynamic nbma 192.168.139.101
ip nhrp redirect
ip nhrp registration no-unique
ip nhrp shortcut
no link-detect
tunnel source ens3
exit
!
S>* 0.0.0.0/0 [1/0] is directly connected, gre1, weight 1, 00:16:49
L * 10.0.253.133/32 is directly connected, gre1, 00:16:49
C>* 10.0.253.133/32 is directly connected, gre1, 00:16:49
N>* 10.0.253.134/32 [10/0] is directly connected, gre1, weight 1, 00:16:48
C>* 192.168.139.0/24 is directly connected, ens3, 00:16:49
L>* 192.168.139.102/32 is directly connected, ens3, 00:16:49
debian12-frr# ping 10.0.253.134
PING 10.0.253.134 (10.0.253.134) 56(84) bytes of data.
64 bytes from 10.0.253.134: icmp_seq=1 ttl=255 time=0.555 ms
64 bytes from 10.0.253.134: icmp_seq=2 ttl=255 time=0.516 ms
^C
--- 10.0.253.134 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.516/0.535/0.555/0.019 ms
Cisco hub:
hub#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel100 is up/up, Addr. is 10.0.253.134, VRF ""
Tunnel Src./Dest. addr: 192.168.139.101/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect ""
Interface State Control: Disabled
nhrp event-publisher : Disabled
IPv4 Registration Timer: 60 seconds
Type:Hub, Total NBMA Peers (v4/v6): 2
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 192.168.139.102 10.0.253.133 UP 00:19:40 D 10.0.253.133/32
Crypto Session Details:
--------------------------------------------------------------------------------
Pending DMVPN Sessions:
hub#show ip nhrp detail
10.0.253.133/32 via 10.0.253.133
Tunnel100 created 00:20:04, expire 00:00:55
Type: dynamic, Flags: registered used nhop
NBMA address: 192.168.139.102
hub#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.253.128/29 is directly connected, Tunnel100
L 10.0.253.134/32 is directly connected, Tunnel100
192.168.139.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.139.0/24 is directly connected, Ethernet0/1
L 192.168.139.101/32 is directly connected, Ethernet0/1
hub#log :
2024/06/27 00:43:49 NHRP: [N2D3R-FSGYB] gre1: IPv4 address changed to 10.0.253.133/32
2024/06/27 00:43:49 NHRP: [Y8MQK-M3R2Z] cache: new type 0/7, or peer same, or mtu 0/0, nbma (unspec) --> (NULL) (map 0)
2024/06/27 00:43:49 NHRP: [KBRW1-VCH1W] cache: gre1 10.0.253.133: accept
2024/06/27 00:43:49 NHRP: [Q70EN-P89TF] cache (peer check failed: no p)
2024/06/27 00:43:49 NHRP: [Q5SCG-KA6PJ] gre1: gre interface 6 vr 0 obtained from system
2024/06/27 00:43:49 NHRP: [KCKXM-TF1BY] gre1: GRE: 1000000 2 0
2024/06/27 00:43:49 NHRP: [VTVCM-Y2NW3] Configuration Read in Took: 00:00:00
2024/06/27 00:43:49 NHRP: [G6NKK-8C6DV] end_config: VTY:0x55b096032ad0, pending SET-CFG: 0
2024/06/27 00:43:49 NHRP: [RQD0X-A6AJP] if-route-add: 0.0.0.0/0 via 0.0.0.0 dev gre1
2024/06/27 00:43:50 NHRP: [Z7K3A-GSQPT] NHS: Register 10.0.253.133 -> 10.0.253.133 (timeout 1)
2024/06/27 00:43:50 NHRP: [PTQ80-8JY6C] Send Registration-Request(3) 10.0.253.133 -> 10.0.253.133
2024/06/27 00:43:50 NHRP: [WSA6E-5GM0H] PACKET: Send 192.168.139.102 -> 192.168.139.101
2024/06/27 00:43:50 NHRP: [K0534-5VD2M] PACKET: Recv 192.168.139.101 -> 192.168.139.102
2024/06/27 00:43:50 NHRP: [PTQ80-8JY6C] Recv Registration-Reply(4) 10.0.253.134 -> 10.0.253.133
2024/06/27 00:43:50 NHRP: [RHB3H-QNGNH] Processing Authentication Extension for (secret:secret�|0)
2024/06/27 00:43:50 NHRP: [PTQ80-8JY6C] !LOCAL Registration-Reply(4) 10.0.253.134 -> 10.0.253.133
2024/06/27 00:43:50 NHRP: [HNSEW-AYHEP] NHS: Reg.reply received
2024/06/27 00:43:50 NHRP: [TZGHZ-EV5AB] NHS: CIE registration: 10.0.253.133: 0
2024/06/27 00:43:50 NHRP: [Y8MQK-M3R2Z] cache: new type 0/5, or peer diff, or mtu 0/0, nbma (unspec) --> (NULL) (map 0)
2024/06/27 00:43:50 NHRP: [KBRW1-VCH1W] cache: gre1 10.0.253.134: accept
2024/06/27 00:43:50 NHRP: [R4TF4-BYXGE] cache (remote_nbma_natoa unspec): Upda
Although, spoke-to-spoke with FRR and Cisco couldn't work, at least for the moment.
Confirm that it works as well, spoke-to-spoke connection adding authentication:
# Cisco spoke:
interface Tunnel10
description To VyOS-HUB
ip address 10.0.253.129 255.255.255.248
no ip redirects
ip nhrp authentication secret
ip nhrp map 10.0.253.134 192.168.139.101
ip nhrp map multicast 192.168.139.101
ip nhrp network-id 1
ip nhrp holdtime 60
ip nhrp nhs 10.0.253.134
ip nhrp registration timeout 60
tunnel source Ethernet0/2
tunnel mode gre multipoint
tunnel key 1
!
interface Ethernet0/2
ip address 192.168.139.105 255.255.255.0
!
rt-spoke2# ping 10.0.253.133
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.253.133, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
rt-spoke2#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel10 is up/up, Addr. is 10.0.253.129, VRF ""
Tunnel Src./Dest. addr: 192.168.139.105/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect ""
Interface State Control: Disabled
nhrp event-publisher : Disabled
IPv4 Registration Timer: 60 seconds
IPv4 NHS:
10.0.253.134 RE priority = 0 cluster = 0
Type:Spoke, Total NBMA Peers (v4/v6): 3
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 192.168.139.105 10.0.253.129 UP 00:00:41 DLX 10.0.253.129/32
1 192.168.139.102 10.0.253.133 UP 00:00:41 D 10.0.253.133/32
1 192.168.139.101 10.0.253.134 UP 15:41:51 S 10.0.253.134/32
Crypto Session Details:
--------------------------------------------------------------------------------
Pending DMVPN Sessions:
rt-spoke2#show ip nhrp brief
Target Via NBMA Mode Intfc Claimed
10.0.253.129/32 10.0.253.129 192.168.139.105 dynamic Tu10 < >
10.0.253.133/32 10.0.253.133 192.168.139.102 dynamic Tu10 < >
10.0.253.134/32 10.0.253.134 192.168.139.101 static Tu10 < >
rt-spoke2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.253.128/29 is directly connected, Tunnel10
L 10.0.253.129/32 is directly connected, Tunnel10
192.168.139.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.139.0/24 is directly connected, Ethernet0/2
L 192.168.139.105/32 is directly connected, Ethernet0/2
FRR spoke:
debian12-frr# show ip route
Codes: K - kernel route, C - connected, L - local, S - static,
R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric, t - Table-Direct,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
S>* 0.0.0.0/0 [1/0] is directly connected, gre1, weight 1, 14:45:49
S>* 10.0.253.0/24 [1/0] via 10.0.253.134, gre1 onlink, weight 1, 01:13:54
N>* 10.0.253.129/32 [10/0] is directly connected, gre1, weight 1, 00:00:04
L * 10.0.253.133/32 is directly connected, gre1, 14:45:49
C>* 10.0.253.133/32 is directly connected, gre1, 14:45:49
N>* 10.0.253.134/32 [10/0] is directly connected, gre1, weight 1, 14:45:48
C>* 192.168.139.0/24 is directly connected, ens3, 14:45:49
L>* 192.168.139.102/32 is directly connected, ens3, 14:45:49
debian12-frr# show ip nhrp nhs
Iface FQDN NBMA Protocol
gre1 192.168.139.101 192.168.139.101 10.0.253.134
debian12-frr#
debian12-frr#
debian12-frr# show ip nhrp
Iface Type Protocol NBMA Claimed NBMA Flags Identity
gre1 dynamic 10.0.253.129 192.168.139.105 192.168.139.105 T
gre1 nhs 10.0.253.134 192.168.139.101 192.168.139.101 T
gre1 local 10.0.253.133 192.168.139.102 192.168.139.102 -
debian12-frr# show ip nhrp opennhrp
Status: ok
Type: dynamic
Flags: up
Protocol-Address: 10.0.253.129/32
NBMA-Address: 192.168.139.105
NBMA-NAT-OA-Address: 192.168.139.105
Type: nhs
Flags: up
Protocol-Address: 10.0.253.134/32
NBMA-Address: 192.168.139.101
Type: local
Flags:
Protocol-Address: 10.0.253.133/32
Can't reassign it to me, I will have time in the next weeks.
Would appreciate minimal mod permissions, so I can close my old work.
Contact me for details if needed, thx!)