Configuring Lawful Intercept Support
This chapter describes how to configure lawful intercept. This is necessary to ensure that unauthorized users cannot perform lawful intercepts or access information related to intercepts.
This chapter contains the following sections:
•Restrictions and Limitations
•Accessing the Lawful Intercept MIBs
•Enabling SNMP Traps for Lawful Intercept
Consider the following security issues as you configure VXSM for lawful intercept:
•SNMP traps for lawful intercept must be sent to UDP port 161 on the mediation device, not port 162 (which is the SNMP default). See the "Enabling SNMP Traps for Lawful Intercept" section for instructions.
•The only users who should be allowed to access the Lawful Intercept MIBs are the mediation device and system administrators who need to know about lawful intercepts on VXSM. In addition, these users must have authPriv or authNoPriv access rights to access the Lawful Intercept MIBs.
•You cannot use the SNMP-VACM-MIB to create a view that includes the Lawful Intercept MIBs.
•The default SNMP view excludes the following MIBs:
•SII intercept continues uninterrupted even during VXSM switchover.
For additional information, see the "Restrictions and Limitations" section.
Restrictions and Limitations
•To maintain VXSM performance, lawful intercept is limited to no more than 60 active calls.
•PXM logs are not updated by VXSM with SII intercepts and related data.
•Statistics of intercepted calls are not supported.
•Taps on time-division multiplexing (TDM) hairpin and real time control protocol (RTCP) are not supported.
For VXSM to communicate with the mediation device to execute a lawful intercept, the following configuration requirements must be met:
•The domain name for both VXSM and the mediation device must be registered in the Domain Name System (DNS).
•The mediation device must have an access function (AF) and an access function provisioning interface (AFPI).
•You must add the mediation device to the SNMP user group that has access to the CISCO-TAP2-MIB view. Specify the username of the mediation device as the user to add to the group.
When you add the mediation device as a CISCO-TAP2-MIB user, you can include the mediation device's authorization password if you want. The password must be at least eight characters in length.
Accessing the Lawful Intercept MIBs
Due to their sensitive nature, the Cisco Lawful Intercept MIBs are only available in software images that support the lawful intercept feature. These MIBs are not accessible through the Network Management Software MIBs Support page (http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml).
Restricting Access to the Lawful Intercept MIBs
Only the mediation device and users who need to know about lawful intercepts should be allowed to access the Lawful Intercept MIBs. To restrict access to these MIBs, you must:
1. Create a view that includes the Cisco Lawful Intercept MIBs.
2. Create an SNMP user group that has read and write access to the view. Only users assigned to this user group can access information in the MIBs.
3. Add users to the Cisco Lawful Intercept user groups to define who can access the MIBs and any information related to lawful intercepts. Be sure to add the mediation device as a user in this group; otherwise, VXSM cannot perform lawful intercepts.
Note Access to the CISCO-TAP2-MIB and CISCO-IP-TAP-MIB view should be restricted to the mediation device and to system administrators who need to be aware of lawful intercepts on VXSM. To access the MIB, users must have the appropriate access rights on VXSM.
To perform the following procedures, SNMPv3 must be configured on Cisco MGX switches. For information about how to configure SNMPv3, and for detailed information about the commands described in the sections that follow, see the Cisco MGX 8800/8900 Series Software Configuration Guide release 5.5.
Creating a Restricted SNMP View that Includes the Lawful Intercept MIBs
To create and assign users to an SNMP view that includes the Cisco Lawful Intercept MIBs, perform the following procedure at the CLI, in global configuration mode with level-15 access rights. After completing this procedure, the mediation device is able to access the Lawful Intercept MIBs, and issue SNMP set and get requests to configure and run lawful intercepts on VXSM.
Step 1 Make sure that SNMPv3 is configured on Cisco MGX switches. For instructions, see the document listed in the "Configuring SNMPv3" section.
Step 2 To configure the SNMP security model, use the cnfsnmpmode command.
Step 3 Create an SNMP view that includes the CISCO-TAP2-MIB and CISCO-IP-TAP-MIB (where viewName is the name of the view to create for the MIBs).
addsnmpview <viewName> <subTree> <mask> <type>
Step 4 Create an SNMP user group that has access to the CISCO-TAP2-MIB and CISCO-IP-TAP-MIB view and define the group's access rights to the view.
addsnmpgroup <groupName> <securityModel> <securityLevel> [-read <readview>] [-write <writeview>] [-notify <notify>]
Step 5 Add users to the user group you just created (where userName is the user, authProtocol is the authentication protocol, and privProtocol is the privacy protocol):
addsnmpuser <userName> <authProtocol> <privProtocol>
Note Be sure to add the mediation device to the user group; otherwise, VXSM cannot perform lawful intercepts. Access to the CISCO-TAP2-MIB view should be restricted to the mediation device and to system administrators who need to know about lawful intercepts on VXSM.
Step 6 Add destination address and mediation device ID on VXSM.
setany -v3 <nodeIP> <userName> <ObjectID> -<Objecttype> <Objectvalue>
The command syntax in the above procedure includes only those keywords required to perform each task. For information on command syntax, see the documents listed in the "Configuring SNMPv3" section.
For instructions on how to configure VXSM to send SNMP traps to the mediation device, go to the "Enabling SNMP Traps for Lawful Intercept" section.
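The procedure above leaves several security requirements to the operator: the LI view must only be reachable through an SNMPv3 group at authPriv or authNoPriv, every member of that group must use an authentication protocol and a password of at least eight characters, the mediation device must be in the group, and traps to the mediation device must go to UDP port 161. The following added example (not Cisco's code) audits a configuration against those rules; the dictionary layout, the user name mdUser and the host 192.0.2.10 are constructed assumptions, not an MGX/VXSM export format.

```python
# Added example: audit a constructed SNMPv3 lawful-intercept (LI) configuration
# against the rules stated in this chapter. The dict layout is hypothetical.
LI_MIBS = {"CISCO-TAP2-MIB", "CISCO-IP-TAP-MIB"}
ALLOWED_LEVELS = {"authPriv", "authNoPriv"}   # noAuthNoPriv must not reach the LI view
MEDIATION_TRAP_PORT = 161                     # chapter: UDP 161, not the SNMP default 162
MIN_PASSWORD_LEN = 8                          # chapter: password at least eight characters

def audit_li_config(cfg: dict, mediation_user: str) -> list[str]:
    """Return a list of findings; an empty list means the config meets the rules."""
    findings = []
    li_views = {v for v, mibs in cfg["views"].items() if LI_MIBS <= set(mibs)}
    if not li_views:
        findings.append("no view includes both CISCO-TAP2-MIB and CISCO-IP-TAP-MIB")
    li_groups = set()
    for gname, grp in cfg["groups"].items():
        if {grp.get("read"), grp.get("write")} & li_views:   # group reaches an LI view
            li_groups.add(gname)
            if grp["securityLevel"] not in ALLOWED_LEVELS:
                findings.append(f"group {gname}: LI view reachable at {grp['securityLevel']}")
    mediation_found = False
    for uname, usr in cfg["users"].items():
        if usr["group"] not in li_groups:
            continue                                          # not an LI group member
        mediation_found |= uname == mediation_user
        if usr.get("authProtocol") in (None, "none"):
            findings.append(f"user {uname}: no authentication protocol on LI group member")
        pw = usr.get("authPassword")
        if pw is not None and len(pw) < MIN_PASSWORD_LEN:
            findings.append(f"user {uname}: password shorter than {MIN_PASSWORD_LEN} characters")
    if not mediation_found:
        findings.append(f"mediation device {mediation_user} is not in an LI group")
    for tgt in cfg["trapTargets"]:
        if tgt["user"] == mediation_user and tgt["port"] != MEDIATION_TRAP_PORT:
            findings.append(f"trap target {tgt['host']}: port {tgt['port']} instead of 161")
    return findings

# Constructed sample: a weak configuration (trap port left at the SNMP default,
# a too-short password) beside the corrected one.
WEAK_CFG = {
    "views": {"liView": ["CISCO-TAP2-MIB", "CISCO-IP-TAP-MIB"]},
    "groups": {"liGroup": {"securityLevel": "authNoPriv", "read": "liView", "write": "liView"}},
    "users": {"mdUser": {"group": "liGroup", "authProtocol": "sha", "authPassword": "short"}},
    "trapTargets": [{"host": "192.0.2.10", "user": "mdUser", "port": 162}],
}
FIXED_CFG = {
    "views": WEAK_CFG["views"],
    "groups": {"liGroup": {"securityLevel": "authPriv", "read": "liView", "write": "liView"}},
    "users": {"mdUser": {"group": "liGroup", "authProtocol": "sha", "authPassword": "longenough1"}},
    "trapTargets": [{"host": "192.0.2.10", "user": "mdUser", "port": 161}],
}
```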
Enabling SNMP Traps for Lawful Intercept
SNMP automatically generates traps for lawful intercept events (see Table 9-1). This is because the default value of the cTap2MediationNotificationEnable object is true(1).
Table 9-1 lists the MIB traps generated for lawful intercept events.
Table 9-1 SNMP Traps for Lawful Intercept Events (trap descriptions)
•VXSM is ready to intercept packets for a traffic stream configured in the CISCO-TAP2-MIB.
•A lawful intercept was terminated (for example, because cTap2MediationTimeout expired).
•Intervention is required for events related to cTap2MediationTable entries.
•Intervention is required for events related to cTap2StreamTable entries.