07-06-2022 02:33 AM
Hi all,
I'm facing some problems with the DHCP snooping config. The scenario is the following.
An IP phone is attached to a Catalyst 3650 switch. The switch has a SPAN session whose source interfaces are g1/0/46 (the interface to which the phone is connected) and g1/0/48 (the uplink trunk interface). Interface g1/0/45 is the destination port of the monitor session. This monitor session has no filter, hence packets that are generated by the phone and directed to the uplink interface are displayed twice in the Wireshark capture taken on interface g1/0/45 (the session destination port).
The problem is that, after having disabled DHCP snooping on the switch, it seems to drop DHCP packets (i.e. DHCP Discover messages) sourced from the IP phone. In fact, in Wireshark I see each DHCP packet only once: it comes in from g1/0/46 but does not go out from int g1/0/48 (the uplink interface).
So the IP phone connects to the switch and gets authenticated via MAB by ISE (2.7). Its associated authorization profile puts it into VLAN 701. The dACL consists of a permit ip any any statement.
The configs are the following:
interface GigabitEthernet1/0/46
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 201
 device-tracking attach-policy DeviceTrackingPolicy
 ip access-group WELCOMEACL in
 authentication event fail retry 3 action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 10
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 18
 dot1x timeout tx-period 1
 dot1x max-reauth-req 3
 spanning-tree portfast
end

interface GigabitEthernet1/0/48
 switchport trunk allowed vlan 235,601,648,701,707,748,811
 switchport mode trunk
The outputs of sh run | i dhcp and sh run | i snooping are the following:

sh run | i dhcp
no ip dhcp snooping information option
device-sensor filter-list dhcp list DHCP_LIST
device-sensor filter-spec dhcp include list DHCP_LIST

sh run | i snooping
no ip dhcp snooping information option
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
 class system-cpp-police-protocol-snooping
The output of sh ip dhcp snooping is:
Switch DHCP snooping is disabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 002c.c8dd.7f80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
Snooping seems to be disabled.
Do you have any idea what causes the switch to drop the DHCP packets?
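One way to check the symptom described in this post programmatically, as an added example that is not part of the thread: with both the phone port and the uplink as SPAN sources, every DHCP frame that the switch actually forwards shows up twice in the capture (once mirrored on ingress, once on egress), while a dropped frame shows up once. The script below reads a tshark field export of the capture and lists the DHCP frames that have no mirrored twin within a few milliseconds. The sample export lines are constructed; the field names (frame.number, frame.time_relative, eth.src, dhcp.option.dhcp, dhcp.id) are the ones recent Wireshark releases use and are assumed here, as is the 10 ms pairing window.

```python
"""Find DHCP frames in a SPAN capture that were mirrored from only one of the
two SPAN source ports, i.e. frames the switch received but did not forward.

Added example, not code from the thread. Assumes the capture was exported with
  tshark -r span.pcap -Y dhcp -T fields -E header=y -E separator=, \
         -e frame.number -e frame.time_relative -e eth.src \
         -e dhcp.option.dhcp -e dhcp.id
"""
import csv
from collections import defaultdict
from io import StringIO

DHCP_TYPES = {"1": "Discover", "2": "Offer", "3": "Request", "5": "ACK"}

# Two mirrored copies of one frame reach the SPAN destination microseconds
# apart; a client's retransmitted Discover (same xid) comes seconds later.
# A 10 ms window (assumed value) separates the two cases.
PAIR_WINDOW_S = 0.010

# Constructed sample export (not a real capture):
#   frames 1-2: a Discover mirrored on ingress (g1/0/46) and egress (g1/0/48)
#   frames 3-4: the matching Offer mirrored on ingress (g1/0/48) and egress (g1/0/46)
#   frames 5-6: a second phone's Discover and its retry 4 s later, each seen once
SAMPLE_EXPORT = """\
frame.number,frame.time_relative,eth.src,dhcp.option.dhcp,dhcp.id
1,0.000000,00:11:22:33:44:55,1,0x1a2b3c4d
2,0.000031,00:11:22:33:44:55,1,0x1a2b3c4d
3,0.004210,aa:bb:cc:dd:ee:ff,2,0x1a2b3c4d
4,0.004233,aa:bb:cc:dd:ee:ff,2,0x1a2b3c4d
5,4.000000,00:11:22:33:44:66,1,0x9e8d7c6b
6,8.000000,00:11:22:33:44:66,1,0x9e8d7c6b
"""


def parse_export(text):
    """Parse the comma-separated tshark export into a list of frame dicts."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "frame": int(row["frame.number"]),
            "time": float(row["frame.time_relative"]),
            "src": row["eth.src"].lower(),
            "type": DHCP_TYPES.get(row["dhcp.option.dhcp"], row["dhcp.option.dhcp"]),
            "xid": row["dhcp.id"].lower(),
        })
    return rows


def find_unpaired(rows, window=PAIR_WINDOW_S):
    """Return frames with no mirrored twin within `window` seconds.

    Frames are grouped by (source MAC, xid, message type); within a group,
    copies are paired greedily in time order. A copy that is left alone was
    mirrored from one SPAN source only, so the switch did not pass it from
    the monitored ingress port to the monitored egress port.
    """
    groups = defaultdict(list)
    for r in rows:
        groups[(r["src"], r["xid"], r["type"])].append(r)
    unpaired = []
    for frames in groups.values():
        frames.sort(key=lambda r: r["time"])
        i = 0
        while i < len(frames):
            if i + 1 < len(frames) and frames[i + 1]["time"] - frames[i]["time"] <= window:
                i += 2  # twin found: both copies accounted for
            else:
                unpaired.append(frames[i])
                i += 1
    return sorted(unpaired, key=lambda r: r["frame"])


def report(text, window=PAIR_WINDOW_S):
    """Summarise unpaired frames as (frame number, src MAC, type, xid) tuples."""
    return [(r["frame"], r["src"], r["type"], r["xid"])
            for r in find_unpaired(parse_export(text), window)]


if __name__ == "__main__":
    for frame, src, kind, xid in report(SAMPLE_EXPORT):
        print(f"frame {frame}: DHCP {kind} xid {xid} from {src} seen on one SPAN source only")
```

On the constructed sample the script flags frames 5 and 6 only. The check deliberately ignores the 802.1Q tag, because a SPAN destination port delivers frames untagged unless the session is configured to replicate encapsulation, so the tag cannot be used to tell the ingress copy from the egress copy.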
07-06-2022 04:04 AM
07-06-2022 04:28 AM
Hi, thanks for your reply.
This is the output of show int g1/0/48 trunk. As you can see, 701 is allowed.
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/48    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/48    235,601,648,701,707,748,811

Port        Vlans allowed and active in management domain
Gi1/0/48    235,601,648,701,707,748,811

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/48    235,601,648,701,707,748,811

Note that there is no layer 3 interface for VLAN 701 in this switch. It also acts as an L2 device.
Checking the spanning tree info (through sh spanning-tree vlan 701) I obtained the following:
VLAN0701
  Spanning tree enabled protocol rstp
  Root ID    Priority    701
             Address     7018.a7af.f480
             Cost        3007
             Port        48 (GigabitEthernet1/0/48)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33469  (priority 32768 sys-id-ext 701)
             Address     002c.c8dd.7f80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/46            Desg FWD 19        128.46   P2p Edge
Gi1/0/48            Root FWD 4         128.48   P2p Peer(STP)

Also using sh spanning-tree summary:
Switch is in rapid-pvst mode
Root bridge for: VLAN0200, VLAN0235
EtherChannel misconfig guard            is enabled
Extended system ID                      is enabled
Portfast Default                        is disabled
PortFast BPDU Guard Default             is disabled
Portfast BPDU Filter Default            is disabled
Loopguard Default                       is disabled
UplinkFast                              is disabled
BackboneFast                            is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0200                     0         0        0          1          1
VLAN0235                     0         0        0          1          1
VLAN0601                     0         0        0          1          1
VLAN0648                     0         0        0          1          1
VLAN0701                     0         0        0          2          2
VLAN0707                     0         0        0          1          1
VLAN0748                     0         0        0          1          1
VLAN0811                     0         0        0          1          1

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
---------------------- -------- --------- -------- ---------- ----------
8 vlans

Last but not least, I didn't enable ARP inspection but only DHCP snooping (to use it for profiling).
07-06-2022 04:44 AM
Hi, thank you for your reply.
So the 701 VLAN is allowed on the trunk interface:

Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/48    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/48    235,601,648,701,707,748,811

Port        Vlans allowed and active in management domain
Gi1/0/48    235,601,648,701,707,748,811

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/48    235,601,648,701,707,748,811

And it is in forwarding state, as seen in the following 2 outputs:
show spanning-tree vlan 701 output:
VLAN0701
  Spanning tree enabled protocol rstp
  Root ID    Priority    701
             Address     7018.a7af.f480
             Cost        3007
             Port        48 (GigabitEthernet1/0/48)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33469  (priority 32768 sys-id-ext 701)
             Address     002c.c8dd.7f80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/46            Desg FWD 19        128.46   P2p Edge
Gi1/0/48            Root FWD 4         128.48   P2p Peer(STP)

show spanning-tree detail output:
 VLAN0701 is executing the rstp compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 701, address 002c.c8dd.7f80
  Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
  Current root has priority 701, address 7018.a7af.f480
  Root port is 48 (GigabitEthernet1/0/48), cost of root path is 3007
  Topology change flag not set, detected flag not set
  Number of topology changes 2 last change occurred 20:02:39 ago
          from GigabitEthernet1/0/48
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

 Port 46 (GigabitEthernet1/0/46) of VLAN0701 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.46.
   Designated root has priority 701, address 7018.a7af.f480
   Designated bridge has priority 33469, address 002c.c8dd.7f80
   Designated port id is 128.46, designated path cost 3007
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 1386, received 0

 Port 48 (GigabitEthernet1/0/48) of VLAN0701 is root forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.48.
   Designated root has priority 701, address 7018.a7af.f480
   Designated bridge has priority 49853, address 00b0.e13a.de00
   Designated port id is 128.47, designated path cost 3003
   Timers: message age 15, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default, Peer is STP
   BPDU: sent 4, received 36032

I didn't enable IP ARP inspection, so I don't think this is the source of the problem. Do you have other ideas?
07-06-2022 05:00 AM
First, let's start step by step.
authentication open <<<<- auth is open and you configured DATA & Voice VLANs on the port, so the DHCP server must reply to DHCP requests from hosts in voice VLAN 201 and data VLAN 200. Do these VLANs have an IP helper to the DHCP server?
07-06-2022 05:10 AM
No, these are "welcome VLANs". They have neither an L3 interface nor an IP helper address. This is because (referring to voice VLAN 201), as soon as the IP phones get authenticated, they are moved to VLAN 701. By doing so, IP phone DHCP discover messages are handled by the DHCP server in VLAN 701. Even if the IP phone transmits a DHCP discover in VLAN 201, it isn't handled, so the phone does not receive any DHCP offer. The IP phone will hence continue to broadcast DHCP discovers.
07-06-2022 05:18 AM - edited 07-06-2022 05:20 AM
but the
authentication open <<<- this makes the SW open the port, meaning NO AUTH IS NEEDED FOR THIS PORT
let me explain simply
1- using dynamic VLAN
in this case you need closed mode dot1x and you push the VLAN ID from the AAA server
2- using dACL
in this case you configure the VLAN on the port, configure a pre-auth ACL, and push the dACL from the AAA server
here I don't know what exactly you want?
07-06-2022 05:24 AM - edited 07-06-2022 05:26 AM
Yes, you're right. The packets pass even before authentication. But as I said before, the voice VLAN that is configured on the switch interface (VLAN 201) has no ip dhcp helper address. VLAN 201 is like an empty container where messages are forwarded as an L2 broadcast. The DHCP discover messages will be transmitted but nobody can answer them, and so the IP phone will continue to transmit them. Once the IP phone has authenticated, it is associated with VLAN 701 by the ISE, which has a working DHCP server.
What I want to do is send both a VLAN and an ACL from ISE.
07-06-2022 05:30 AM
one by one, as I informed you before
dynamic VLAN + dACL together, this is the first time I see such a config,
check: do one step for a test
under the SVI of VLAN 201 config the IP helper and check if the IP phone gets an IP <this step is to make sure there is no issue with the DHCP server and DHCP snooping>
second, if you want dynamic VLAN
config a VACL or ACL under the SVI of voice VLAN 701
and make the AAA server push only the VLAN ID.
07-07-2022 07:24 AM
Hi MHM, thank you for your reply. I'm gonna open a new thread because I don't think that the problem is related to DHCP snooping.