The basic difference between L2 and L3 devices in ExtraHop



Under Devices on the Metrics tab you will see a list of all the devices that ExtraHop has auto-discovered and created a device object for in the datastore. Many people wonder why there are L2 and L3 devices. This is an artifact of how ExtraHop does default device discovery. A typical path through device discovery and metric recording would have these stages:

  1. ExtraHop first learns of a device via its MAC; it creates (discovers) an L2 device and associates the flows (and L7 metrics) with that L2 device.

  2. Once it sees an ARP involving that MAC, it creates (discovers) the L3 version of the device and begins associating future flows (and L7 metrics) with the L3 device; the L2 device stops getting any metrics of consequence. This L2 device then is associated with the L3 device as a “parent” and does not count towards the device count limit.

Router devices are handled in a slightly different way, and there are also multiple additional ways to enable device discovery, but this post just aims to cover the most common approach.


My customer is trying to find a way to monitor the traffic of a router interface.

As you know, a router is related to two kinds of device types. The first is the L2 device and the second is the L3 device. When I compare the total traffic of the L2 device for the router’s interface to the SNMP data of the router’s interface, it looks like the total traffic is almost the same. So, it seems to me that the L2 device of the router is still getting metrics from wire data. So, the L2 device of the router’s interface can be used for monitoring the router’s interface.

@acro and @coachk - Will one of you please help clarify if @jaeseog’s assumption is correct? Thank you.


@jaeseog your assumption is correct. When the ExtraHop system detects a routing device, it continues to tie traffic to it. ExtraHop classifies a device as a routing device when many IPs are associated with the same MAC.

Hope that helps.
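A simplified model of the attribution behavior described in this thread, added here as an illustration and not ExtraHop's code: traffic is tied to the L2 device until an ARP is seen, then to the L3 device, unless the MAC carries many IPs and is treated as a router. The threshold value, the class and function names, and the sample events are all assumptions; the thread only says "many IPs".

```python
from collections import defaultdict

ROUTER_IP_THRESHOLD = 3  # assumption: the thread gives no number for "many IPs"

class Discovery:
    def __init__(self):
        self.l2 = {}                       # mac -> bytes tied to the L2 device
        self.l3 = {}                       # (mac, ip) -> bytes tied to the L3 device
        self.arp_ips = defaultdict(set)    # mac -> IPs learned from ARP
        self.seen_ips = defaultdict(set)   # mac -> every IP seen behind this MAC

    def is_router(self, mac):
        return len(self.seen_ips[mac]) >= ROUTER_IP_THRESHOLD

    def observe(self, kind, mac, ip, nbytes):
        self.l2.setdefault(mac, 0)         # stage 1: L2 device on first sight of a MAC
        self.seen_ips[mac].add(ip)
        if kind == "arp":                  # stage 2: ARP creates the L3 device
            self.arp_ips[mac].add(ip)
            self.l3.setdefault((mac, ip), 0)
        elif self.is_router(mac) or ip not in self.arp_ips[mac]:
            self.l2[mac] += nbytes         # no L3 device yet, or routing device
        else:
            self.l3[(mac, ip)] += nbytes   # ordinary host after its ARP was seen

# Constructed sample events: (kind, mac, ip, bytes)
SAMPLE = [
    ("flow", "aa:aa", "10.0.0.5", 100),      # host seen before any ARP
    ("arp",  "aa:aa", "10.0.0.5", 0),
    ("flow", "aa:aa", "10.0.0.5", 200),
    ("arp",  "rr:rr", "10.0.0.1", 0),        # router interface
    ("flow", "rr:rr", "198.51.100.7", 300),  # remote IPs arrive behind the router MAC
    ("flow", "rr:rr", "203.0.113.9", 400),
    ("flow", "rr:rr", "10.0.0.1", 50),
]

def replay(events):
    d = Discovery()
    for event in events:
        d.observe(*event)
    return d

if __name__ == "__main__":
    d = replay(SAMPLE)
    for mac in d.l2:
        print(mac, "router" if d.is_router(mac) else "host", "L2 bytes:", d.l2[mac])
    print("L3 bytes:", d.l3)
```

In this model the router's L2 counter keeps growing with every forwarded flow, which is why it can line up with the interface's SNMP byte counters as observed above.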


Many thanks for your kind explanation.