We use a Prizm Server to manage customer bandwidth and a RADIUS server to manage authentication. We assign IPs by DHCP. Our subscriber modules all have the default IP address in them. My problem is that I have a customer’s assigned IP address which is sending malicious traffic and I can’t find them by just knowing the IP address. How are others handling their networks, and does anyone have recommendations? I’m not a network engineer; all of this was set up by someone else, but I’m trying to find a solution.
On whatever is handling your routing (hardware gizmo or a Linux or *BSD box) look up the ARP for that IP:
Cisco-Router# sh arp | inc 10.1.2.3
Internet 10.1.2.3 2 0013.4f01.6729 ARPA FastEthernet0/1
[linux-system]~#: arp -n | grep 10.1.2.3
10.1.2.3 ether 00:13:4F:01:67:29 C eth1
From there you can go digging through whatever equipment you’ve got between your router and the customer, be it managed switches, backhauls, or APs. Motorola APs have a Bridge Table page that will list MAC addresses and the LUID of the SM it’s coming from. After you’ve found the person responsible, well, have fun!
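A small parser for the two ARP listings shown in the reply above, added here as an example and not part of the original post. The sample tables are constructed, and the lookup matches the IP exactly so that 10.1.2.3 is not confused with 10.1.2.30 the way a plain `grep 10.1.2.3` would be (the dots are also regex wildcards there).

```python
import re

# Constructed sample output in the two formats quoted above:
# Cisco "show arp" and Linux "arp -n". Not captured from a real network.
CISCO_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.2.1                -   0013.4f01.aaaa  ARPA   FastEthernet0/1
Internet  10.1.2.3                2   0013.4f01.6729  ARPA   FastEthernet0/1
Internet  10.1.2.30               5   0013.4f01.bbbb  ARPA   FastEthernet0/1
"""

LINUX_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.1.2.3                 ether   00:13:4F:01:67:29   C                     eth1
10.1.2.30                ether   00:13:4F:01:BB:BB   C                     eth1
10.1.2.99                        (incomplete)                              eth1
"""

# Cisco dotted-quad (xxxx.xxxx.xxxx) or Linux colon-separated MAC
MAC_RE = re.compile(r"^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$|^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
IPV4_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

def normalize_mac(mac):
    """Return the MAC as lowercase colon-separated octets, whatever the input style."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def parse_arp(text):
    """Parse Cisco 'show arp' or Linux 'arp -n' output into {ip: (mac, interface)}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # Cisco rows start with the protocol keyword; Linux rows start with the IP.
        if fields[0] == "Internet" and len(fields) >= 6:
            ip, mac, iface = fields[1], fields[3], fields[5]
        elif IPV4_RE.match(fields[0]) and len(fields) >= 3:
            ip, mac, iface = fields[0], fields[2], fields[-1]
        else:
            continue  # header line
        if not MAC_RE.match(mac):
            continue  # e.g. "(incomplete)" on Linux: the host never answered ARP
        table[ip] = (normalize_mac(mac), iface)
    return table

def find_mac(text, ip):
    """Exact-match lookup of one IP; returns (mac, interface) or None."""
    return parse_arp(text).get(ip)
```

Once you have the canonical MAC, the same string can be searched in the AP's Bridge Table to get the SM's LUID.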
We are currently running partly this way and are moving over to use PPPoE for all of our customers. This eliminates a lot of troubleshooting as we can easily monitor flows per connection and can tie IPs to usernames to radios quite quickly.