Showing results for 
Search instead for 
Did you mean: 

CDP does not carry the correct voice VLAN downloaded from ISE


Hi all,

i'm trying to understand a very strange behaviuor of a Catalyst 3650. The switch authenticates user by using ISE 2.7. I configured some authorization profile, on of which is dedicated for IP phones. This profile contains a voice VLAN assignments. For completness i'm using Polycom VVX 201. This polycom is CDP and LLDP capable.

When i attach the phone to the switch, it gest assign to a "welcome" vlan (voice vlan 201). This vlan is just an empty container, it does not have a L3 interface or DHCP relay config. At this point, the phone gets correct bauthenticated. ISE sends all the authorization profile informaztion within the Access-Accept packets. From now on the phone will be stuck in the welcome vlan besides been assign to the vlan associated to the authorization profile (707). 

I've captured some packets with wireshark and i've seen that if CDP is enabled (on the switch interface or within the Polycom), switch send a CDP packet in which there is the "VoIP Vlan Reply" field set to 201 (instead of 707).

While turning off CDP (at the interface side with "no cdp enable" interface command or at the Polycom side) switch send an LLDP packets in which there is the corrct VLAN information (707).


Have you ever seen a scenario like this one?

15 Replies 15

MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor

you config open auth, 
open auth making SW authz the traffic before if full auth from ISE, this meaning that SW send CDP with voice VLAN config under switch port and not wait dyanmic voice vlan from ISE.
remove auth open and see result.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers