@cjoseph wrote:
We need more information. You are talking about two functions: Profiling, which is identification via CPPM using DHCP signatures and identification using the switch via LLDP. Which one is not working, and how do you have things configured to identify both?
Fair point. My bad.
Let's start again.
DHCP method used for profiling.
A special 'quarantine vlan' is set, and a helper for CPPM is applied to this SVI/RVI/subnet.
A service of 'Allow all MAC Auth' is used with an enforcement profile to push this quarantine vlan, the profiling option, plus CoA.
The mindset is: allow MAC, update the endpoint DB and profile, push CoA, then the next service is matched on condition (with a rule that says 'Username EXISTS'; the allow-all MAC auth service uses 'Username DOES NOT EXIST', obviously).
This works fine for printers, workstations, etc.
Not the case for phones.
Now, I think because LLDP/LLDP-MED is enforced on the switch ports carrying phones, this quarantine vlan is never pushed, so it's actually/maybe/probably not the profiling function that's at fault; it's the fact that the quarantine vlan is not pushed. Though a simple 'show vlan' on the port on the HPE switch indicates that the port is pushed the quarantine vlan.
But to add insult to injury, the port has got the ol' tagged and untagged vlan (for the whole daisy-chained phone + PC scenario).
So, the static port configuration on the switch side, before this profiling/quarantine vlan enforcement is pushed by CPPM, is vlan 210 for voice (tagged) and 113 for data (untagged).
When the CPPM service 'Allow All MAC Auth and profile' fires, I check the vlan assignment on the port and, appropriately, 210 remains tagged, but 4000 appears as the untagged (the quarantine vlan). Everything is working great so far.
The problem is that profiling takes ages, and I don't think CoA is ever sent. And that's with LLDP-MED not enabled. With LLDP-MED enabled it doesn't work, period, because it's trumping the push of this quarantine/4000 vlan.
Does all that make sense now?
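The post above relies on DHCP-based profiling: the quarantine VLAN's helper forwards the client's DHCP traffic to the profiler, which classifies the endpoint from the options the client sends. The following is an added example, not part of the original thread and not the poster's configuration or ClearPass's code. It constructs a DHCPDISCOVER payload inline (constructed sample input, labelled as such), extracts the fields DHCP profilers key on (option 53 message type, option 60 vendor class, option 12 hostname, and the option 55 parameter request list, which is the usual "DHCP signature"), and applies a deliberately toy heuristic to sort voice-like clients from generic ones. The heuristic and all vendor/hostname strings are assumptions for illustration, not real signatures.

```python
"""Extract the DHCP fingerprint a profiler keys on from a DHCPDISCOVER.

Added example (not the poster's config, not CPPM code). The packet is built
inline as constructed sample input; the voice/generic heuristic is a toy.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 options magic cookie at offset 236
OPTIONS_OFFSET = 240


def build_discover(mac: bytes, options: dict[int, bytes]) -> bytes:
    """Build a minimal BOOTP/DHCP DISCOVER payload (constructed sample input)."""
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, xid, secs=0,
    # flags=0x8000 (broadcast), ciaddr/yiaddr/siaddr/giaddr all zero.
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += mac.ljust(16, b"\0")   # chaddr (16 bytes)
    hdr += b"\0" * 64             # sname
    hdr += b"\0" * 128            # file
    body = MAGIC_COOKIE
    for code, val in options.items():
        body += bytes([code, len(val)]) + val
    body += b"\xff"               # end option
    return hdr + body


def parse_options(pkt: bytes) -> dict[int, bytes]:
    """Walk the TLV option area; tolerate pad (0), stop at end (255)."""
    if len(pkt) < OPTIONS_OFFSET or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts: dict[int, bytes] = {}
    i = OPTIONS_OFFSET
    while i < len(pkt):
        code = pkt[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        val = pkt[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("truncated option value")
        # RFC 3396: repeated option codes are concatenated
        opts[code] = opts.get(code, b"") + val
        i += 2 + length
    return opts


def classify(param_list: list[int]) -> str:
    """Toy heuristic (assumption, not a real signature database): clients that
    ask for TFTP/SIP provisioning options look like phones."""
    voice_hints = {66, 120, 150}   # TFTP server name, SIP servers, TFTP server address
    return "voice-like" if voice_hints & set(param_list) else "generic"


def fingerprint(pkt: bytes) -> dict:
    """Return the fields a DHCP profiler would record for this client."""
    opts = parse_options(pkt)
    hlen = pkt[2]
    mac = pkt[28:28 + hlen]
    param_list = list(opts.get(55, b""))
    return {
        "message_type": opts.get(53, b"\0")[0],
        "client_mac": ":".join(f"{b:02x}" for b in mac),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "option55": ",".join(str(b) for b in param_list),
        "category": classify(param_list),
    }


# Constructed samples: a phone-like and a workstation-like DISCOVER.
PHONE_PKT = build_discover(bytes.fromhex("001122334455"), {
    53: b"\x01",                                   # DHCPDISCOVER
    12: b"desk-phone-01",                          # assumed hostname
    60: b"demo-voip-phone",                        # assumed vendor class
    55: bytes([1, 3, 6, 15, 66, 120, 150]),
})
WORKSTATION_PKT = build_discover(bytes.fromhex("66778899aabb"), {
    53: b"\x01",
    12: b"demo-laptop",
    55: bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]),
})

if __name__ == "__main__":
    for p in (PHONE_PKT, WORKSTATION_PKT):
        print(fingerprint(p))
```

The point for the thread: the profiler only ever sees these options if the client's DHCPDISCOVER actually reaches it, which is why the untagged quarantine VLAN (and its helper) has to be in place on the port before profiling and CoA can happen at all.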