Discover devices by IP address

When Discover by IP is enabled, devices are discovered when the ExtraHop system detects a response to an Address Resolution Protocol (ARP) request for an IP address. Two device entries are created in the ExtraHop system: one for the MAC address (L2) and one for the IP address (L3).

You can disable Discover by IP and only discover local devices by their unique MAC address.

Note: Packet brokers can filter ARP requests. The ExtraHop system relies on ARP requests to associate L3 IP addresses with L2 MAC addresses.

Learn more about device discovery.

Discover local devices by IP address

If you want to discover local devices by both MAC address and IP address, enable this setting. Disable this setting to only discover devices by their MAC address.

  1. Log in to the Admin UI on the Discover appliance.
  2. In the System Configuration section, click Capture.
  3. Click Discover by IP.
  4. In the Local Device Discovery section, select the Enable checkbox.
  5. Click Save.

Discover remote devices by IP address

You can configure the ExtraHop system to automatically discover devices on remote subnets by adding a range of IP addresses.

Important considerations about remote discovery:

  • L2 information, such as device MAC address and L2 traffic, is not available if the device is on a different network from the one being monitored by the ExtraHop appliance. This information is not forwarded by routers, and therefore is not visible to the ExtraHop appliance.
  • Exercise caution when specifying CIDR notation. A /24 subnet prefix might result in 255 new devices discovered by the ExtraHop system. A wide /16 subnet prefix might result in 65,535 new devices discovered, which might exceed your device limit.
  • If an IP address is removed from the Remote Device Discovery settings, the IP address will persist in the ExtraHop system as a remote L3 device as long as there are existing active flows for that IP address or until the capture is restarted. After a restart, the device is listed as an inactive remote L3 device.

    If the same IP address is later added through the local data feed, that remote L3 device can transition to a local L3 device, but only if the capture process is restarted and the Local Device Discovery setting is enabled.

  1. Log in to the Admin UI on the Discover appliance.
  2. In the System Configuration section, click Capture.
  3. Click Discover by IP.
  4. In the Remote Device Discovery section, type the IP address in the IP address ranges field. You can specify one IP address or a CIDR notation, such as 192.168.0.0/24 for an IPv4 network or 2001:db8::/32 for an IPv6 network.
    Important: Every actively communicating remote IP address that matches the CIDR block will be discovered as a single device in the ExtraHop appliance. Specifying wide subnet prefixes such as /16 might result in thousands of discovered devices, which might exceed your device limit.
  5. Click the green plus icon (+) to add the IP address. You can add another IP address or range of IP addresses by repeating steps 5-6.
Important: When you remove IP address ranges, the capture process must be restarted before the changes take effect. We recommend deleting all entries before restarting the capture process. The capture process does not need to be restarted when you add IP address ranges.
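Before typing ranges into the Remote Device Discovery section, the CIDR caution above can be checked offline. The following is an added example, not ExtraHop code: it collapses overlapping ranges, counts every address in each block as an upper bound (so a /24 counts as 256), and compares both that bound and the number of matching active IPs against a device limit. The `active_ips` input, the `device_limit` value, and the sample data are assumptions constructed for illustration.

```python
import ipaddress

def plan_remote_discovery(ranges, active_ips, device_limit):
    """Size Remote Device Discovery ranges against a device limit.

    ranges       -- entries as typed into the "IP address ranges" field
    active_ips   -- remote IPs seen communicating (assumed input, e.g. flow logs)
    device_limit -- licensed device limit (assumed value, check your own system)
    """
    # strict=False accepts entries with host bits set, e.g. 192.168.0.5/24.
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    merged = []
    for version in (4, 6):
        # Collapse overlaps so an address covered twice is counted once.
        merged += ipaddress.collapse_addresses(
            n for n in nets if n.version == version)
    worst_case = sum(n.num_addresses for n in merged)

    # Each actively communicating IP inside a range becomes one device.
    seen = {ipaddress.ip_address(a) for a in active_ips}
    matched = [a for a in seen
               if any(a.version == n.version and a in n for n in merged)]
    matched.sort(key=lambda a: (a.version, int(a)))
    return {
        "ranges": [str(n) for n in merged],
        "worst_case": worst_case,
        "expected": [str(a) for a in matched],
        "worst_case_over_limit": worst_case > device_limit,
        "expected_over_limit": len(matched) > device_limit,
    }

# Constructed sample input, not taken from a real deployment.
SAMPLE_RANGES = ["192.168.0.0/24", "192.168.0.128/25",
                 "10.20.0.0/16", "2001:db8::10"]
SAMPLE_ACTIVE = ["192.168.0.7", "192.168.0.200", "10.20.3.4",
                 "10.21.0.1", "2001:db8::10", "2001:db8::11", "192.168.0.7"]

if __name__ == "__main__":
    report = plan_remote_discovery(SAMPLE_RANGES, SAMPLE_ACTIVE,
                                   device_limit=5000)  # hypothetical limit
    for key, value in report.items():
        print(f"{key}: {value}")
```

A range set whose worst case exceeds the limit but whose expected count does not is a candidate for narrowing to the prefixes that actually carry traffic.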
Published 2020-02-24 10:52