Hi all,

i'm trying to understand a very strange behaviuor of a Catalyst 3650. The switch authenticates user by using ISE 2.7. I configured some authorization profile, on of which is dedicated for IP phones. This profile contains a voice VLAN assignments. For completness i'm using Polycom VVX 201. This polycom is CDP and LLDP capable.

When i attach the phone to the switch, it gest assign to a "welcome" vlan (voice vlan 201). This vlan is just an empty container, it does not have a L3 interface or DHCP relay config. At this point, the phone gets correct bauthenticated. ISE sends all the authorization profile informaztion within the Access-Accept packets. From now on the phone will be stuck in the welcome vlan besides been assign to the vlan associated to the authorization profile (707). 

I've captured some packets with wireshark and i've seen that if CDP is enabled (on the switch interface or within the Polycom), switch send a CDP packet in which there is the "VoIP Vlan Reply" field set to 201 (instead of 707).

While turning off CDP (at the interface side with "no cdp enable" interface command or at the Polycom side) switch send an LLDP packets in which there is the corrct VLAN information (707).

Have you ever seen a scenario like this one?