Can someone explain how L3 discovery works?


#1

Two questions: What do I give up / gain if I enable L3 discovery? What if I just use the check box as opposed to configuring specific remote networks?


#2

The way I understand it is; L3 discovery uses VLAN tag + IP to form the unique key for a device. If you check the box and do nothing with the remote networks, you are configuring ExtraHop to create a new device every time it sees a unique combination of the above attributes.

If you define a remote network, you are restricting L3 discovery mode to just the networks you set up. All other devices will be identified using MAC + VLAN (L2).
I’ll let others chime in on what you gain/give up.


#3

Just to clarify a couple of things in @CoachK’s post, L3 discovery uses IP + vlanid. It does not use the ethernet or MAC address. This is important for certain environments where IPs can float to different physical servers.

Without a remote network defined, L3 discovery only discovers devices for which there is an ARP. This is important if the deployment uses VACL capture or an ag-tap that filters out the ARPs. Remote networks relax this restriction and are required if you want to discover devices on a non-local network segment; for example, devices on the other side of a router or gateway. The primary caveat with remote networks is that it’s easy to inadvertently discover a lot of devices and exceed the device limit of your system.
I hope this helps!