NHRP show ip nhrp flags

When issuing the show ip nhrp command, the output includes a list of flags that indicate the state of NHRP.

An example of output of this command can be seen below:

    Router# show ip nhrp
    10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:17:49, expire 00:01:30
      Type: dynamic, Flags: unique registered used
      NBMA address: 172.17.0.2
      Group: test-group-0
    10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:00:11, expire 01:59:48
      Type: dynamic, Flags: unique registered used
      NBMA address: 172.17.0.3
      Group: test-group-0
    11.0.0.2/32 via 11.0.0.2, Tunnel1 created 00:17:49, expire 00:02:10
      Type: dynamic, Flags: unique registered used
      NBMA address: 172.17.0.2
      Group: test-group-1

Note that for each NHRP association, a list of flags is shown. These flags have the following meanings:

  • authoritative--Indicates that the NHRP information was obtained directly from the Next Hop Server or router that maintains and is authoritative for the NBMA-to-IP address mapping for a particular destination.
  • implicit--Indicates that the local node learned about the NHRP mapping entries from the source mapping information of an NHRP resolution request received by the local router, or from an NHRP resolution packet being forwarded through the local router.
  • local--Indicates NHRP mapping entries that are for networks local to this router (that is, serviced by this router). These flag entries are created when this router answers an NHRP resolution request that has this information and is used to store the transport (tunnel) IP address of all the other NHRP nodes to which it has sent this information.
  • nat--Indicates that the remote node (NHS client) supports the new NHRP NAT extension type for dynamic spoke-spoke tunnels to/from spokes behind a NAT router.
  • negative--For negative caching, indicates that the requested NBMA mapping has not yet been or could not be obtained.
  • (no socket)--Indicates that the NHRP mapping entries will not trigger IPsec to set up encryption because data traffic does not need to use this tunnel. Later, if data traffic needs to use this tunnel, the flag will change from a “(no socket)” to a “(socket)” entry and IPsec will be triggered to set up the encryption for this tunnel.
  • registered--Indicates that the mapping entry was created in response to an NHRP registration request.
  • router--Indicates that NHRP mapping entries for a remote router (that is accessing a network or host behind the remote router) are marked with the router flag.
  • unique--NHRP registration requests have the unique flag set on by default. This flag indicates that an NHRP mapping entry cannot be overwritten by a mapping entry that has the same IP address and a different NBMA address.
  • used--When data packets are process-switched and this mapping entry was used, the mapping entry is marked as used. The mapping database is checked every 60 seconds. If the used flag is set and more than 120 seconds remain until expire time, the used flag is cleared. If fewer than 120 seconds are left, this mapping entry is “refreshed” by the transmission of another NHRP resolution request.
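The flag rules above can be checked against captured output. The following is an added example, not code from Cisco or from the original page: it parses `show ip nhrp` text, applies the `used` refresh rule (60-second check, 120-second threshold), and lists entries that are not protected by `unique`. The function names and the third sample entry are assumptions made for the illustration.

```python
import re

# Constructed sample: the first two entries are from the output above (Group
# lines omitted); the third is made up to exercise "(no socket)" and no "unique".
SAMPLE = """\
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:17:49, expire 00:01:30
  Type: dynamic, Flags: unique registered used
  NBMA address: 172.17.0.2
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:00:11, expire 01:59:48
  Type: dynamic, Flags: unique registered used
  NBMA address: 172.17.0.3
10.0.0.9/32 via 10.0.0.9, Tunnel0 created 00:00:05, expire 00:02:55
  Type: dynamic, Flags: router implicit (no socket)
  NBMA address: 172.17.0.9
"""

HEAD = re.compile(r"^(\S+) via \S+, (\S+) created ")
EXPIRE = re.compile(r"expire (\d+):(\d+):(\d+)")
FLAG = re.compile(r"\((?:no )?socket\)|\S+")  # keep "(no socket)" as one flag

def parse_nhrp(text):
    """Return one dict per mapping entry: prefix, tunnel, expire_s, flags, nbma."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        head = HEAD.match(line)
        if head:
            t = EXPIRE.search(line)  # None when no hh:mm:ss expiry is shown
            secs = int(t[1]) * 3600 + int(t[2]) * 60 + int(t[3]) if t else None
            entries.append({"prefix": head[1], "tunnel": head[2],
                            "expire_s": secs, "flags": [], "nbma": None})
        elif entries and "Flags:" in line:
            entries[-1]["flags"] = FLAG.findall(line.split("Flags:", 1)[1])
        elif entries and line.startswith("NBMA address:"):
            entries[-1]["nbma"] = line.split(":", 1)[1].strip()
    return entries

def used_action(entry):
    """What the 60-second database check does to this entry, per the 'used' rule."""
    if "used" not in entry["flags"] or entry["expire_s"] is None:
        return "none"
    if entry["expire_s"] > 120:
        return "clear used"
    # Exactly 120 s is not specified in the flag description; report it as such.
    return "refresh" if entry["expire_s"] < 120 else "unspecified"

def overwritable(entries):
    """Prefixes whose entry lacks 'unique', so a different NBMA may replace it."""
    return [e["prefix"] for e in entries if "unique" not in e["flags"]]
```

On the sample, the first entry (90 seconds left) is due for a refresh, the second has its `used` flag cleared, and only the constructed third entry is reported as lacking `unique`.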

Links:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s4.html#wp2302625547

https://forum.networklessons.com/t/dmvpn-phase-3-basic-configuration/1311/45?u=lagapides