NHRP - Authentication

NHRP can be configured with authentication in a DMVPN environment. This can be done using the ip nhrp authentication <auth_string> command.

When this command is configured, all NHRP control messages that are exchanged between devices include the authentication string within an NHRP Authentication Extension. This extension is a part of the NHRP packet and is used to carry the plaintext authentication string.

The following is an image of a Wireshark capture of an NHRP resolution request from a device that has been configured with an authentication string of cisco123.


You can see the NHRP Authentication Extension that is highlighted in the left pane. The value shown in the “data” section of the Authentication Extension is displayed in hexadecimal. If you look at the pane to the right you will see the plain text password.

Using an authentication string is actually more for the purpose of keeping multiple NHRP domains separate rather than for security reasons. The Cisco documentation linked below states the following:

We recommend using an NHRP authentication string, especially to help keep multiple NHRP domains separate from each other. The NHRP authentication string is not encrypted, so it cannot be used as a true authentication for an NHRP node trying to enter the NHRP network.

Indeed there is no security extension to this particular command such as using a hash value or otherwise. If your concern is security, it is recommended to use DMVPN over IPSec which doesn’t only authenticate the spokes and hub, but also encrypts the traffic exchanged between the devices.