Lawful intercept is the
process by which law enforcement agencies conduct electronic surveillance of
circuit and packet-mode communications, authorized by judicial or
administrative order. Service providers worldwide are legally required to
assist law enforcement agencies in conducting electronic surveillance in both
circuit-switched and packet-mode networks.
Only authorized service
provider personnel are permitted to process and configure lawfully authorized
intercept orders. Network administrators and technicians are prohibited from
obtaining knowledge of lawfully authorized intercept orders, or intercepts in
progress. Error messages or program messages for intercepts installed in the
router are not displayed on the console.
for Implementing Lawful Intercept
feature was introduced.
Information erroneously stating that data interception was
supported on the AAA RADIUS server was corrected.
information to intercept IPV6 packets was added. Support for intercepting IPV6
packets based on Flow ID mapping, VRF aware matching including 6VPE, mapping
packets in 6PE disposition and replicating tag2ip and ip2tag packets was added.
You must be in a user group associated with a task group that
includes the proper task IDs. The command reference guides include the task IDs
required for each command. If you suspect user group assignment is preventing
you from using a command, contact your AAA administrator for assistance.
Lawful intercept implementation also requires that these prerequisites are met:
router must be
already provisioned. For more information, see
Cisco IOS XR Getting Started Guide for the Cisco XR 12000 Series Router.
For the purpose of lawful intercept taps, provisioning a loopback interface has advantages over other interface types.
Understanding of SNMP Server commands in Cisco IOS XR software—Simple Network
Management Protocol, version 3 (SNMP v3), which is the basis for lawful intercept
enablement, is configured using commands described in the module SNMP Server
Cisco IOS XR System Management Command
Reference for the Cisco XR 12000 Series Router. To implement lawful
intercept, you must understand how the SNMP server functions. For this reason,
carefully review the information described in the module Implementing SNMP in
Cisco IOS XR System Management Configuration
Guide for the Cisco XR 12000 Series Router.
Lawful intercept must be explicitly disabled—It is automatically enabled on a
provisioned router. However, you should not disable LI if there is an active tap in
progress, because this deletes the tap.
Management plane configured to enable SNMPv3—Allows the
management plane to accept SNMP commands, so that the commands go to the interface
(preferably, a loopback) on the router. This allows the mediation device (MD) to
communicate with a physical interface.
VACM views enabled for SNMP server—View-based access control model (VACM)
views must be enabled on the router.
Provisioned MD—For detailed information, see the vendor
documentation associated with your MD. For a list of MD
equipment suppliers preferred by Cisco, see
VoIP surveillance-specific requirements
Lawful-intercept-enabled call agent—A lawful-intercept-enabled call
agent must support interfaces for communications with the MD,
for the target of interest to provide signaling information to the MD. The MD
extracts source and destination IP addresses and Real-Time Protocol (RTP)
port numbers from the Session Description Protocol (SDP) signaling information
for the target of interest. It uses these to form an SNMPv3 SET, which is sent
to the router acting as the content IAP to provision
the intercept for the target of interest.
The MD uses the CISCO-TAP2-MIB to set up communications between the
router acting as the content IAP, and the MD.
The MD uses the CISCO-IP-TAP-MIB to set up the filter for the IP addresses and port
numbers to be intercepted and derived from the SDP.
Routers to be used for calls by the target number must be provisioned
for this purpose through the MD.
The MD that has been provisioned with the target number to be intercepted.
Data session surveillance-specific requirements
Routers to be used by the data target that have been provisioned for this
purpose through the MD.
The MD that has been provisioned with the user login ID, mac address of the user
CPE device, or the DSLAM physical location ID—The IP address is the
binding that is most frequently used to identify the target in the network. However,
alternative forms of information that uniquely identify the target in the
network might be used in some network architectures. Such alternatives include
the MAC address and the acct-session-id.
The MD can be located anywhere in the network but must be reachable from the content IAP router, which is being used to intercept the target. MD should be reachable ONLY from global routing table and NOT from VRF routing table.
Implementing Lawful Intercept
Lawful intercept does
not provide support for these features on
Cisco XR 12000 Series Router:
Per tap drop
single tap to multiple MDs
Tapping of tag
Tapping L2 flows
integrity checking of replication device
Information About Lawful Intercept Implementation
Cisco lawful intercept is based on service-independent intercept (SII) architecture and SNMPv3 provisioning architecture. SNMPv3 addresses the requirements to authenticate data origin and ensure that the connection from the router to the MD is secure. This ensures that unauthorized parties cannot forge an intercept target.
Lawful intercept offers these capabilities:
Voice-over IP (VoIP) and data session intercept provisioning from the MD using SNMPv3
Delivery of intercepted VoIP and data session data to the MD
SNMPv3 lawful intercept provisioning interface
Lawful intercept MIB: CISCO-TAP2-MIB, version 2
CISCO-IP-TAP-MIB manages the Cisco intercept feature for IP and is used along with CISCO-TAP2-MIB to intercept IP traffic.
User datagram protocol (UDP) encapsulation to the MD
Replication and forwarding of intercepted packets to the MD
Voice-over IP (VoIP) call intercept, based on any rules configured for received packets.
Voice-over IP (VoIP) intercept with LI-enabled call agent
Lawful Intercept provisioning for VoIP occurs in these ways:
Security and authentication occurs because users define this through SNMPv3.
The MD provisions lawful intercept information using SNMPv3.
Network management occurs through standard MIBs.
VoIP calls are intercepted in this manner:
The MD uses configuration commands to configure the intercept on the call control entity.
The call control entity sends intercept-related information about the target to the MD.
The MD initiates call content intercept requests to the content IAP router or trunk gateway through SNMPv3.
The content IAP router or trunk gateway intercepts the call content, replicates it, and sends it to the MD in Packet Cable Electronic Surveillance UDP format. Specifically, the original packet starting at the first byte of the IP header is prefixed with a four-byte CCCID supplied by the MD in TAP2-MIB. It is then put into a UDP frame with the destination address and port of the MD.
After replicated VoIP packets are sent to the MD, the MD then forwards a copy to a law-enforcement-agency-owned collection function, using a recognized standard.
Provisioning for Data Sessions
Provisioning for data sessions occurs in a similar way to the way it does for lawful intercept for VoIP calls. (See Provisioning for VoIP Calls.)
Data are intercepted in this manner:
If a lawful intercept-enabled authentication or accounting server is not available, a sniffer device can be used to detect the presence of the target in the network.
The MD uses configuration commands to configure the intercept on the sniffer.
The sniffer device sends intercept-related information about the target to the MD.
The MD initiates communication content intercept requests to the content IAP router using SNMPv3.
The content IAP router intercepts the communication content, replicates it, and sends it to the MD in UDP format.
Intercepted data sessions are sent from the MD to the collection function of the law enforcement agency, using a supported delivery standard for lawful intercept.
Information About the MD
The MD performs these tasks:
Activates the intercept at the authorized time and removes it when the authorized time period elapses.
Periodically audits the elements in the network to ensure that:
only authorized intercepts are in place.
all authorized intercepts are in place.
Lawful Intercept Topology
This figure shows intercept access points and interfaces in a lawful
intercept topology for both voice and data interception.
Figure 1. Lawful Intercept Topology for Both Voice and Data Interception
Scale or Performance
New enhancements introduced
Cisco XR 12000 Series Router in terms of scalability and
performance for lawful intercept are:
Increase in number
of taps from 50 taps to 100 taps per protocol each for IPv4 and IPv6.
interception rate from 25 Kbps to 50 Kbps per slot.
and IPv6 Packets
This section provides
details for intercepting IPv4 and IPv6 packets supported on the
Cisco XR 12000 Series Router.
Based on Flow ID (Applies to IPv6 only)
To further extend
filteration criteria for IPv6 packets, an additional support to intercept IPv6
packets based on flow ID has been introduced on the
Cisco XR 12000 Series Router. All IPv6 packets are intercepted
based on the fields in the IPv6 header which comprises numerous fields defined
in IPv6 Header Field Details table:
The field length or
payload length is not used for intercepting packets.
Table 1 IPv6 Header Field
IPv6 Field Name
traffic priority delivery value.
Flow ID (Flow
specifying special router handling from source to destination(s) for a sequence
length of the data in the packet. When cleared to zero, the option is a
hop-by-hop Jumbo payload.
16 bits unassigned
next encapsulated protocol. The values are compatible with those specified for
the IPv4 protocol field.
router that forwards the packet, the hop limit is decremented by 1. When the
hop limit field reaches zero, the packet is discarded. This replaces the TTL
field in the IPv4 header that was originally intended to be used as a time
based hop limit.
8 bits unsigned
address of the sending node.
address of the destination node.
The flow ID or flow
label is a 20 bit field in the IPv6 packet header that is used to discriminate
traffic flows. Each flow has a unique flow ID. The filteration criteria to
intercept packets matching a particular flow ID is defined in the tap
configuration file. From the line card, the intercepted mapped flow IDs are
sent to the next hop, specified in the MD configuration file. The intercepted
packets are replicated and sent to the MD fom the line card.
Intercepting VRF (6VPE) and 6PE Packets
This section provides information about intercepting VRF aware packets and 6PE packets. Before describing how it works, a basic understanding of 6VPE networks is discussed.
The MPLS VPN model is a true peer VPN model. It enforces traffic separations by assigning unique VPN route forwarding (VRF) tables to each customer's VPN at the provider content IAP router. Thus, users in a specific VPN cannot view traffic outside their VPN.
Cisco XR 12000 Series Router supports intercepting IPv6 packets of the specified VRF ID for 6VPE. To distiguish traffic on VPN, VRFs are defined containing a specific VRF ID. The filter criteria to tap a particular VRF ID is specified in the tap. IPv6 packets are intercepted with the VRF context on both scenarios: imposition (ip2mpls) and disposition (mpls2ip).
The 6PE packets carry IPv6 packets over VPN. The packets do not have a VRF ID. Only IP traffic is intercepted; no MPLS based intercepts are supported. The IPv6 traffic is intercepted at the content IAP of the MPLS cloud at imposition (ip2mpls) and at disposition (mpls2ip).
Intercepting IPv6 packets is also performed for ip2tag and tag2ip packets. Ip2tag packets are those which are converted from IPv6 to Tagging (IPv6 to MPLS), and tag2ip packects are those which are converted from Tagging to IPv6 (MPLS to IPv6) at the provider content IAP router.
Encapsulation Type Supported for Intercepted Packets
Intercepted packets mapping the tap are replicated, encapsulated, and then sent to the MD. IPv4 and IPv6 packets are encapsulated using UDP (User Datagram Protocol) encapsulation. The replicated packets are forwarded to MD using UDP as the content delivery protocol. Both IPv4 and IPv6 MD encapsulations are supported. The encapsulation type (IPv4 or IPv6) depends on the address of MD.
The intercepted packet gets a new UDP header and IPv4 header. Information for IPv4 header is derived from MD configuration. Apart from the IP and UDP headers, a 4 byte channel identifier (CCCID) is also inserted after the UDP header in the packet. After adding the MD encapsulation, if the packet size is above the MTU, the egress LC CPU fragments the packet. Moreover, there is a possibility that the packet tapped is already a fragment. Each tap is associated with only one MD. Cisco XR 12000 Series Router does not support forwarding replicated packets to multiple MDs.
Encapsulation types, such as RTP and RTP-NOR, are not supported.
Per Tap Drop Counter Support
Cisco XR 12000 Series Router line cards provide SNMP server as an interface to export each tap forwarded to MD packet and drop counts. Any intercepted packets that are dropped prior to getting forwarded to the MD due to policer action are counted and reported. The drops due to policer action are the only drops that are counted under per tap drop counters. If a lawful intercept filter is modified, the packet counts are reset to 0.
How to Configure SNMPv3 Access for Lawful Intercept on the Cisco ASR 9000 Series Router
Perform these procedures in the order presented to configure SNMPv3 for the purpose of Lawful Intercept enablement:
taps are dropped when lawful intercept is disabled.
Configuring the Inband Management Plane Protection Feature
If MPP was not earlier configured to work with another protocol, then ensure that the MPP feature is also not configured to enable the SNMP server to communicate with the mediation device for lawful interception. In such cases, MPP must be configured specifically as an inband interface to allow SNMP commands to be accepted by the router, using a specified interface or all interfaces.
Ensure this task is performed, even if you have recently migrated to Cisco IOS XR Software from Cisco IOS, and you had MPP
configured for a given protocol.
For lawful intercept, a loopback interface is often the choice for SNMP messages. If you choose this interface type, you must include it in your
inband management configuration.
RP/0/0/CPU0:router(config)# snmp-server view TapName ciscoTap2MIB included
Creates or modifies a view record and includes the CISCO-TAP2-MIB family in the view. The SNMP management objects in the CISCO-TAP2-MIB that controls lawful intercepts
are included. This MIB is used by the mediation device to configure and run lawful intercepts on targets sending traffic through the router.
RP/0/0/CPU0:router(config)# snmp-server view TapName ciscoUserConnectionTapMIB included
Creates or modifies a view record and includes the CISCO-USER-CONNECTION-TAP-MIB family, to manage the Cisco intercept feature for user connections. This MIB is used along with the CISCO-TAP2-MIB to intercept and
filter user traffic.
Configuring the Inband Management Plane Protection Feature: Example
You must specifically enable management activities, either globally or on a
per-inband-port basis, using this procedure. To globally enable
inbound MPP, use the keyword all with the
interface command, rather than use a particular
interface type and instance ID with it.
Cisco Architecture for Lawful Intercept in IP Networks
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access more content.