
multiple authentications within different VLANs on the access-mode port

Hi Gurus,

I have a C9K running 16.9.5 where a miniswitch is connected to the dot1x/MAB-authenticated access-mode port. The miniswitch is connected to the port. Endpoints that are assumed to operate in different VLANs are connected to the miniswitch.

interface range GigabitEthernet1/0/1 
cdp filter-tlv-list ACCESS-CDP-INFO
eapol announcement
storm-control broadcast level 1.00
storm-control multicast level 5.00
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
switchport mode access
switchport voice vlan <VOICE-VLAN>
ip dhcp snooping limit rate 10
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize vlan 670
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity server
authentication violation restrict
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10

On the ISE side (2.2), MAB is configured for the clients connecting to the miniswitch, so I can see they are properly authenticated and assigned the corresponding VLANs on the authenticator's port.

The authenticator's port remains in access mode with VLAN X from the first authenticated endpoint. The MACs of the endpoints are shown as assigned to different VLANs, as expected. Device-tracking confirms that the endpoints receive IP addressing by DHCP in the corresponding VLANs. But traffic doesn't seem to flow (ICMP, for example) between the SVIs and endpoints belonging to VLANs different from VLAN X.

I'd assume this is expected behavior, except for the device-tracking output and some memory from the past that a feature was introduced allowing an access-mode port to run multiple VLANs. Unfortunately, I cannot find those sources anymore. Am I totally wrong, or did I just miss something?

1 Reply

Subject is closed. It works. The problem was in an ACL on the SVI.
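Added example, not part of the original thread: a small first-match evaluator for an IOS-style extended ACL, showing how an inbound ACL on an SVI can let DHCP through (so device-tracking still shows leases) while ICMP to the SVI falls into the implicit deny. The ACL name, VLAN 20 and the 10.0.20.0/24 addressing are constructed for illustration; the thread does not show the actual ACL.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68}  # only the named ports this sample uses

# Constructed inbound ACL for a hypothetical "interface Vlan20" (10.0.20.0/24).
SAMPLE_ACL = """\
ip access-list extended VLAN20-IN
 permit udp any eq bootpc any eq bootps
 permit tcp 10.0.20.0 0.0.0.255 any
"""

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return a matcher."""
    head = tok.pop(0)
    if head == "any":
        return lambda ip: True
    if head == "host":
        base, wild = int(ipaddress.ip_address(tok.pop(0))), 0
    else:
        base, wild = int(ipaddress.ip_address(head)), int(ipaddress.ip_address(tok.pop(0)))
    return lambda ip: (int(ip) | wild) == (base | wild)  # wildcard bits are "don't care"

def _port(tok):
    """Consume an optional 'eq <port>'; return the port number or None."""
    if tok[:1] != ["eq"]:
        return None
    name = tok[1]
    del tok[:2]
    return PORTS[name] if name in PORTS else int(name)

def parse_acl(text):
    """Parse permit/deny entries; other lines (the ACL header) are skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):
            action, proto = tok.pop(0), tok.pop(0)
            rules.append((action, proto, _addr(tok), _port(tok), _addr(tok), _port(tok)))
    return rules

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; no match hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_sport, r_dst, r_dport in rules:
        if (r_proto in ("ip", proto) and r_src(src) and r_dst(dst)
                and r_sport in (None, sport) and r_dport in (None, dport)):
            return action
    return "deny"

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    print("DHCP discover:", evaluate(rules, "udp", "0.0.0.0", "255.255.255.255", 68, 67))
    print("ICMP to SVI:  ", evaluate(rules, "icmp", "10.0.20.50", "10.0.20.1"))
```

On the switch itself, the per-entry match counters in `show ip access-lists` are the place to confirm which entry (if any) the test traffic is hitting.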
