Switchport auto shutdown

ziutek · ‎01-08-2016

Briefly, we have several external CCTV cameras connected to a specific vlan across our campus network. These ports are setup for dot1x, and we push a dACL down to the port based on MAC addresses (certificates cannot be loaded on these cameras). A member of our security team voiced some concerns about spoofing these MAC addresses, and then just connecting any device to the camera's ethernet cable (even though the connector is enclosed in the device).

I was looking for a way to automatically shutdown these ports (link-flap errdisable comes to mind) if the end of the cable were disconnected for any reason and send a syslog message or SNMP trap. I am do not want to change the link-flap timers, etc. as this does not appear to be an interface specific feature, but rather a global one, which would errdisable a user port when he shuts down his machine for the evening for example.

Does anyone have any ideas how I can implement this?

Joe

Joseph W. Doherty · ‎01-08-2016

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages wha2tsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

On devices that support EEM scripting, a device script could be invoked with a link down. Then it could shut a port "known" to host a CCTV camera. (The script could have an embedded list of CCTV ports, or perhaps look at the port's description.)