ExtraHop Dedupe and changing VLAN IDs

With the ExtraHop L3 Dedup Enabled and I capture traffic on both sides of a switch, I know duplicate packets should be filtered out. But how should ExtraHop dedupe handle this scenario when I change the VLAN ID on the packets?

I created the following test scenario to try this out.

I could see the traffic as 25.9Mb/s at the each VLAN, But the traffic on device is 51.8Mb/s
It looks like the traffic on Device is is not being deduped for the raw packet rate.

Is the ExtraHop Dedupe feature designed to dedupe this traffic when switching VLAN IDs and sending all the traffic to the ExtraHop? What about if I send the traffic to more than one ExtraHop Capture interface?

I would expect L3 packet de-duplication to work as long as the duplicate packets meet the following criteria:

  1. TCP or UDP
  2. Consecutive packets for any given flow
  3. Matching L3 length
  4. Same IP identifier

Please verify that this is the case.

Duplicate packets are still accounted in the L2 byte and packet counts, so the VLAN metrics shown above would include them.

A great way to see if de-dup is working is to examine the Network - L3 Duplicate Packets metric. Note that you will need to select ExtraHop from the metric source protocol drop-down.

I hope this helps!

Hello.

The traffic is TCP and the conditions for de-dup is matched.

The wireshark show the packet from the L3 to Server as Retransmission.

If you need any information, Let me know.

PS. I could not upload the packet dump file.

Regards,
Hongso.

What does the Network - L3 Duplicate Packets metric show? L3 de-duplication will not affect the charts you included as those metrics are accrued at L2, before the de-dup occurs.