Briefly, we have several external CCTV cameras connected to a specific vlan across our campus network. These ports are setup for dot1x, and we push a dACL down to the port based on MAC addresses (certificates cannot be loaded on these cameras). A member of our security team voiced some concerns about spoofing these MAC addresses, and then just connecting any device to the camera's ethernet cable (even though the connector is enclosed in the device).
I was looking for a way to automatically shutdown these ports (link-flap errdisable comes to mind) if the end of the cable were disconnected for any reason and send a syslog message or SNMP trap. I am do not want to change the link-flap timers, etc. as this does not appear to be an interface specific feature, but rather a global one, which would errdisable a user port when he shuts down his machine for the evening for example.
Does anyone have any ideas how I can implement this?
Joe
