Came across some endpoint behavior that caused some confusion with a MAC authentication bypass (MAB) setup, and I was wondering if this is some kind of well known behavior.

The endpoints (Pure storage arrays) are using the expected MAC addresses, both fixed and a “virtual” shared MAC for 99.9% of the traffic.

The one exception is that the LLDP multicasts have a random-looking source MAC. The source MAC has the non-unique bit flipped on.

Is this a well known type of behavior? Quick Google turned up some others noticing this in very different devices. May be more wide spread, but how often would people notice?