5

Today I saw this record in my log files:

dhcpd: DHCPDISCOVER from ff:ff:ff:ff:ff:ff via vlan400: network 40.60.100.10/24: no free leases                                                                                                              
dhcpd: DHCPDISCOVER from ff:ff:ff:ff:ff:ff via vlan300: network 100.100.120.0/24: no free leases

And so on, on all VLANs connected to the same ethernet card em1.

I am 99% sure that I have no devices on these VLANs which are able to send DHCP requests.

Also ff:ff:ff is a strange MAC.

So, my question is: is it something bad? Some errors on the ethernet-card or switch or something?

MadHatter
  • 79,770
  • 20
  • 184
  • 232
Korjavin Ivan
  • 2,250
  • 2
  • 26
  • 41

1 Answers1

1

This is at least something weird. ff:ff:ff:ff:ff:ff is the broadcast mac address. Neither a broadcast nor a multicast address may be used as the source address for Ethernet frames as per IEEE 802.3 as it does not uniquely identify the originator:

IEEE 802.3-2002, Section 3.2.3(b):

The first bit (LSB) shall be used in the Destination Address field as an address type designation bit to identify the Destination Address either as an individual or as a group address. If this bit is 0, it shall indicate that the address field contains an individual address. If this bit is 1, it shall indicate that the address eld contains a group address that identies none, one or more, or all of the stations connected to the LAN. In the Source Address field, the first bit is reserved and set to 0.

It is very likely that something is misconfigured in your network and you should start looking for where exactly those frames / packets are originating.

the-wabbit
  • 40,737
  • 13
  • 111
  • 174