ExtraHop EDA sees remote Internet IP addresses as local L2 devices. (Is Proxy ARP causing you headaches?)


#1

Our ExtraHop device was seeing L2 parent and L3 devices created for things like 8.8.8.8 (Google’s public DNS) associated with the MAC address of one of our switches. This is certainly not on our network! This can be odd when reviewing all of your devices or alerting based on dynamic groups that include this device.

First, how does ExtraHop determine devices? Per ExtraHop documentation:

Discovery of L2 Devices
As traffic is channeled to ExtraHop for monitoring, every packet has at least two things in common–it has both a source and destination MAC address. Device discovery begins here, with ExtraHop creating an entry in its device database corresponding to each L2 (MAC) address observed to source traffic in the data feed. (A MAC address that appears only as a destination is ignored.) ExtraHop refers to these devices as “L2 devices” and they are discovered independently of whether L2 discovery or L3 discovery is in use.

Unless and until “L3 devices” are discovered (see below), all monitored traffic is associated with an L2 device.

Most Cisco and other networking devices have proxy ARP turned on by default. It was when we unknowingly had proxy ARP turned on for part of our internal network that we started seeing some Internet resources misrepresented as local devices.

Proxy ARP is when your switching or routing gear responds to an ARP request for something that is not actually on your L2 network. This is sometimes necessary when your network has incorrectly configured L3 routing, incorrect subnetting, or complex NAT rules. You can read more about that here: http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/13718-5.html

What did we do about this?

We CAREFULLY disabled proxy ARP on the internal interfaces of our switching and routing gear. Once we disabled proxy ARP in the places we could, our internal ExtraHop devices discovered only the devices we want them to.

If you believe proxy ARP is causing similar issues in your environment, you may wish to investigate which devices are employing it and whether it can be turned off safely. Be warned that this can cause network interruptions and full-on outages if your network topology depends on proxy ARP - do your research first and move slowly!
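As an added illustration (not part of the original post and not ExtraHop's code), the following Python models the L2 rule quoted above, plus the ARP-based L3 discovery that the setting in #2 turns off, on a handful of hand-built Ethernet/ARP frames: every source MAC becomes an L2 device, a MAC seen only as a destination is ignored, and each ARP reply files the sender IP under the replying MAC. A switch that proxy-ARPs for 8.8.8.8 therefore shows up as an L3 child of the switch's own MAC, which is exactly the symptom described. The last function flags MACs that answer ARP for addresses outside the local prefixes, one way to find the gear doing proxy ARP from a capture before touching any interface config. The MAC addresses, IPs and the 10.10.0.0/16 prefix are made-up assumptions for the example.

```python
"""Toy model of ARP-driven device discovery and a proxy-ARP spotter.

Added example, not ExtraHop code.  All frames below are constructed by hand;
MACs, IPs and LOCAL_NETS are invented for illustration.
"""
import ipaddress
import struct
from collections import defaultdict

# Assumption: the prefixes that are genuinely on our internal L2/L3 network.
LOCAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

SWITCH = "00:11:22:33:44:01"   # the L3 switch that has proxy ARP enabled
HOST_A = "00:11:22:33:44:aa"   # an ordinary internal host
HOST_B = "00:11:22:33:44:bb"   # only ever sends plain IPv4, never ARPs
HOST_C = "00:11:22:33:44:cc"   # only ever appears as a destination MAC
BCAST = "ff:ff:ff:ff:ff:ff"
ZERO = "00:00:00:00:00:00"


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ethernet(dst, src, ethertype, payload):
    """14-byte Ethernet II header followed by the payload."""
    return struct.pack("!6s6sH", _mac(dst), _mac(src), ethertype) + payload


def arp(op, sha, spa, tha, tpa):
    """RFC 826 ARP body for Ethernet/IPv4 (htype 1, ptype 0x0800, hlen 6, plen 4)."""
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, op,
                       _mac(sha), ipaddress.ip_address(spa).packed,
                       _mac(tha), ipaddress.ip_address(tpa).packed)


# Constructed sample feed: a host asks for 8.8.8.8 on-link (bad mask or
# missing route), and the switch answers with its own MAC: proxy ARP.
FRAMES = [
    ethernet(BCAST, HOST_A, ETH_ARP, arp(ARP_REQUEST, HOST_A, "10.10.0.50", ZERO, "8.8.8.8")),
    ethernet(HOST_A, SWITCH, ETH_ARP, arp(ARP_REPLY, SWITCH, "8.8.8.8", HOST_A, "10.10.0.50")),
    ethernet(HOST_A, SWITCH, ETH_ARP, arp(ARP_REPLY, SWITCH, "1.1.1.1", HOST_A, "10.10.0.50")),
    # legitimate replies for addresses that really are on the segment
    ethernet(HOST_A, SWITCH, ETH_ARP, arp(ARP_REPLY, SWITCH, "10.10.0.1", HOST_A, "10.10.0.50")),
    ethernet(SWITCH, HOST_A, ETH_ARP, arp(ARP_REPLY, HOST_A, "10.10.0.50", SWITCH, "10.10.0.1")),
    # plain IPv4 from HOST_B to HOST_C; the IP payload is a dummy 20-byte header
    ethernet(HOST_C, HOST_B, ETH_IPV4, b"\x45" + b"\x00" * 19),
]


def parse(frame):
    """Return the Ethernet addresses and, for ARP frames, the decoded ARP fields."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    rec = {"eth_dst": _fmt_mac(dst), "eth_src": _fmt_mac(src), "type": ethertype}
    if ethertype == ETH_ARP:
        _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
        rec.update(op=op, sha=_fmt_mac(sha), spa=str(ipaddress.ip_address(spa)),
                   tha=_fmt_mac(tha), tpa=str(ipaddress.ip_address(tpa)))
    return rec


def discover(frames):
    """L2 devices = every MAC that sources a frame; L3 children = IPs claimed in ARP replies."""
    l2 = set()
    l3 = defaultdict(set)          # parent MAC -> IPs it answered ARP for
    for frame in frames:
        rec = parse(frame)
        l2.add(rec["eth_src"])     # a MAC seen only as eth_dst is never added
        if rec.get("op") == ARP_REPLY:
            l3[rec["sha"]].add(rec["spa"])
    return l2, dict(l3)


def proxy_arp_suspects(l3):
    """MACs that claimed addresses outside LOCAL_NETS: the visible signature of proxy ARP."""
    suspects = {}
    for mac, ips in l3.items():
        foreign = sorted(ip for ip in ips
                         if not any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS))
        if foreign:
            suspects[mac] = foreign
    return suspects


if __name__ == "__main__":
    l2_devices, l3_children = discover(FRAMES)
    print("L2 devices:", sorted(l2_devices))
    for mac, ips in l3_children.items():
        print(f"L3 children of {mac}: {sorted(ips)}")
    print("proxy ARP suspects:", proxy_arp_suspects(l3_children))
```

Run against a real capture you would feed the same two functions frames read from a pcap and set LOCAL_NETS to your own prefixes; a MAC that answers for addresses you do not own is the interface to look at, and it is worth confirming on the device itself before changing anything, since the reply may be legitimate if a neighbouring segment is reachable only through that interface.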


#2

You can disable ARP-based discovery and enable ARP-less discovery in the running config:

"capture": {
    "device_ip_discover_by_arp_disabled": true,
    "device_ip_discover_cache_timeout_sec": 60
}

The previously discovered devices will remain active, unfortunately. We can prune them with a diag pack or reset the datastore.