Prerequisites for Implementing Lawful Intercept
You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Lawful intercept implementation also requires that these prerequisites are met:
- Cisco ASR 9000 Series Aggregation Services Router will be used as the content Intercept Access Point (IAP) router in the lawful interception operation.
- Provisioned router—The router must be already provisioned. For more information, see Cisco ASR 9000 Series Aggregation Services Router Getting Started Guide.
Tip
For the purpose of lawful intercept taps, provisioning a loopback interface has advantages over other interface types.
- Understanding of SNMP Server commands in Cisco IOS XR software—Simple Network Management Protocol, version 3 (SNMP v3), which is the basis for lawful intercept enablement, is configured using commands described in the module SNMP Server Commands in System Management Command Reference for Cisco ASR 9000 Series Routers. To implement lawful intercept, you must understand how the SNMP server functions. For this reason, carefully review the information described in the module Implementing SNMP in System Management Configuration Guide for Cisco ASR 9000 Series Routers.
- Lawful intercept must be explicitly disabled—It is automatically enabled on a provisioned router. However, you should not disable LI if there is an active tap in progress, because this deletes the tap.
- Management plane configured to enable SNMPv3—Allows the management plane to accept SNMP commands, so that the commands go to the interface (preferably, a loopback) on the router. This allows the mediation device (MD) to communicate with a physical interface.
- VACM views enabled for SNMP server—View-based access control model (VACM) views must be enabled on the router.
- Provisioned MD—For detailed information, see the vendor documentation associated with your MD. For a list of MD equipment suppliers preferred by Cisco, see http://www.cisco.com/en/US/tech/tk583/tk799/tsd_technology_support_protocol_home.html.
- VoIP surveillance-specific requirements
  - Lawful-intercept-enabled call agent—A lawful-intercept-enabled call agent must support interfaces for communications with the MD, for the target of interest to provide signaling information to the MD. The MD extracts source and destination IP addresses and Real-Time Protocol (RTP) port numbers from the Session Description Protocol (SDP) signaling information for the target of interest. It uses these to form an SNMPv3 SET, which is sent to the router acting as the content IAP to provision the intercept for the target of interest.
    The MD uses the CISCO-TAP2-MIB to set up communications between the router acting as the content IAP, and the MD.
    The MD uses the CISCO-IP-TAP-MIB to set up the filter for the IP addresses and port numbers to be intercepted and derived from the SDP.
  - Routers to be used for calls by the target number must be provisioned for this purpose through the MD.
  - The MD that has been provisioned with the target number to be intercepted.
- Data session surveillance-specific requirements
  - Routers to be used by the data target that have been provisioned for this purpose through the MD.
  - The MD that has been provisioned with the user login ID, MAC address of the user CPE device, or the DSLAM physical location ID—The IP address is the binding that is most frequently used to identify the target in the network. However, alternative forms of information that uniquely identify the target in the network might be used in some network architectures. Such alternatives include the MAC address and the acct-session-id.
- The MD can be located anywhere in the network but must be reachable from the content IAP router, which is being used to intercept the target. The MD should be reachable ONLY from the global routing table and NOT from the VRF routing table.
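The SDP step in the VoIP call agent requirement above can be sketched as follows. This is an added example, not Cisco or MD vendor code: the function names and filter field names are hypothetical and are not CISCO-IP-TAP-MIB object names, and the SDP bodies are constructed.

```python
import ipaddress

# Constructed SDP bodies using documentation addresses; not taken from a real call.
OFFER = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "m=video 51372 RTP/AVP 31"])
ANSWER = "\r\n".join([
    "v=0", "o=- 2 2 IN IP4 198.51.100.20", "s=-", "c=IN IP4 198.51.100.20", "t=0 0",
    "m=audio 3456 RTP/AVP 0",
    "m=video 0 RTP/AVP 31"])  # port 0: the answerer rejected the video stream


def media_sections(sdp):
    """Return [(addr, port, proto)] for every m= line, in order."""
    session_addr, media = None, []
    for line in sdp.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "c":
            # c=<nettype> <addrtype> <addr>[/ttl]; ip_address() rejects hostnames
            addr = str(ipaddress.ip_address(value.split()[2].split("/")[0]))
            if media:
                media[-1][0] = addr   # media-level c= overrides the session-level one
            else:
                session_addr = addr
        elif key == "m":
            _kind, port, proto = value.split()[:3]
            media.append([session_addr, int(port.split("/")[0]), proto])
    return [tuple(m) for m in media]


def tap_filters(offer, answer):
    """Build one filter per direction for each stream both sides accepted."""
    filters = []
    # An answer carries one m= line per offered m= line, in the same order.
    for (a_ip, a_port, proto), (b_ip, b_port, _) in zip(
            media_sections(offer), media_sections(answer)):
        if not proto.startswith("RTP/") or 0 in (a_port, b_port) or not (a_ip and b_ip):
            continue
        # The SDP port is where that endpoint receives RTP, so it is the
        # destination port of the packets flowing toward it.
        filters.append({"src": b_ip, "dst": a_ip, "dst_port": a_port, "proto": "udp"})
        filters.append({"src": a_ip, "dst": b_ip, "dst_port": b_port, "proto": "udp"})
    return filters
```

Pairing the m= lines before filtering keeps the offer and answer aligned when a stream is rejected, so a rejected video line cannot shift the audio filter onto the wrong ports.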