I would like to write a script that when an interface binds to an IP, that it disables the port. Is this possible, I'm not sure how to program the trigger for that. It is to prevent people from putting a rogue DHCP server on the network, so I have the ports ready to bind, and turn it off if one of them gets an IP. Right now, I'm doing it manually, but I have to catch it early otherwise im resetting a bunch of other tenants equipment.

Look into DHCP alerts in the IP > DHCP Server configuration.

It supports executing a script "on alert"

I need it backwards though, so when a port binds to an IP, that it turns off. So basically, I have a CCR-1072 that currently ends up at 450 952's, and I need the 952's to turn off the port if it detects incoming DHCP. The DHCP server alerts, doesn't always tell me that it detected a rogue, and I still have to deal with it. So the idea is, turn off the port and send us an email and we can reference right where it is.

I'm trying to do it by using DHCP clients on each port, and deal with it upon binding.

But that's what DHCP alert is for. Instead of binding an address, it just listens for active DHCP servers on the network and if it detects a rogue DHCP it will run the alert script and add the server's information to the DHCP alert information. Since it runs a script, you can make the script do whatever you need - perhaps triggering some SNMP commands to find and shutdown a particular port.

Honestly, the easier thing to do is use switches with port isolation so that they can plug whatever evil thing they like into the network, but won't be able to reach neighboring hosts anyway, so it won't matter if they connect a rogue DHCP server.

We are actually using mikrotik switches, normally use procurve. Any idea how to setup the isolation? We have the horizon set, but still seems to cause headaches. We have around 5000 users minimum at a time at this location, but we don't mind shutting down a section if needed.

We are actually using mikrotik switches, normally use procurve. Any idea how to setup the isolation? We have the horizon set, but still seems to cause headaches. We have around 5000 users minimum at a time at this location, but we don't mind shutting down a section if needed.

I assume you're using CRS - here's a Wiki entry on the subject:
http://wiki.mikrotik.com/wiki/Manual:CR ... _Isolation