The lawful intercept has two interception modes:

• Global LI: The taps are installed on all the line cards in the ingress direction. With the global tap, the traffic for the target can be intercepted regardless of ingress point. Only the tap that has wild cards in the interface field is supported.

• Interface LI: Taps each packet that is entering or leaving an interface without any additional filters.

Traffic interception can be configured for two inter-communicating intercepted hosts using overlapping taps.

For example, consider two taps, one configured for all traffic from source address A and another for all traffic going to destination address B. When a packet arrives with source address A and destination address B, the packet is tapped by TAP1 in ingress and TAP2 in egress, and copies will be generated and forwarded to both mediation devices. Overlapping taps can be enabled using overlap-tap enable command in Global configuration mode.

From Cisco IOS XR Software Release 7.0.1 and later, the Lawful Intercept overlapping tap functionality is available on Cisco ASR 9000 4th Generation QSFP28 based dense 100GE line cards (A9K-8X100GE-X-TR, A9K-16X100GE-TR, A9K-32X100GE-TR and A99-16x100-X-SE) as well.

Lawful Intercept provisioning for VoIP occurs in these ways:

• Security and authentication occurs because users define this through SNMPv3.

• The MD provisions lawful intercept information using SNMPv3.

• Network management occurs through standard MIBs.

VoIP calls are intercepted in this manner:

• The MD uses configuration commands to configure the intercept on the call control entity.

• The call control entity sends intercept-related information about the target to the MD.

• The MD initiates call content intercept requests to the content IAP router or trunk gateway through SNMPv3.

• The content IAP router or trunk gateway intercepts the call content, replicates it, and sends it to the MD in Packet Cable Electronic Surveillance UDP format. Specifically, the original packet starting at the first byte of the IP header is prefixed with a four-byte CCCID supplied by the MD in TAP2-MIB. It is then put into a UDP frame with the destination address and port of the MD.

• After replicated VoIP packets are sent to the MD, the MD then forwards a copy to a law-enforcement-agency-owned collection function, using a recognized standard.

Provisioning for data sessions occurs in a similar way to the way it does for lawful intercept for VoIP calls. (See Provisioning for VoIP Calls.)

Data are intercepted in this manner:

• If a lawful intercept-enabled authentication or accounting server is not available, a sniffer device can be used to detect the presence of the target in the network.

  • The MD uses configuration commands to configure the intercept on the sniffer.

  • The sniffer device sends intercept-related information about the target to the MD.

• The MD initiates communication content intercept requests to the content IAP router using SNMPv3.

• The content IAP router intercepts the communication content, replicates it, and sends it to the MD in UDP format.

• Intercepted data sessions are sent from the MD to the collection function of the law enforcement agency, using a supported delivery standard for lawful intercept.

This figure shows intercept access points and interfaces in a lawful intercept topology for both voice and data interception.

You can configure SNMP-based lawful intercept on a layer 2 interface. This intercepts all traffic passing through the particular interface.

You can now configure lawful intercept at the MPLS Layer 3 in the network using SNMP. This intercepts all traffic passing through the particular interface including the traffic with VPN labels. This is made possible by intercepting the traffic based on the VRF (VPN Routing and Forwarding) filter of the classing tap.

To add TAP for an MPLS Layer 3 network, use the following command in the SNMP server:

setany -v3 <ip-address> <user> citapStreamInterface.1.1 0 citapStreamAddrType.1.1 <ipv4/ipv6> citapStreamSourceAddress.1.1 "<ip>" citapStreamSourceLength.1.1 <length> citapStreamVRF.1.1 <vrf_name> citapStreamStatus.1.1 createAndGo 

In the command:

• ip-address is the IP address of the SNMP agent (router).

• user is the username for SNMPv3 authentication.

• ipv4/ipv6 is the address type of the SNMP agent (router).

• ip is the actual source IP address you want to monitor or capture.

• vrf_name is the VRF (Virtual Routing and Forwarding) instance that you want the LI to use.

Example:

setany -v3 192.0.2.5 li-user citapStreamInterface.1.1 0 citapStreamAddrType.1.1 ipv4 citapStreamSourceAddress.1.1 "203.0.113.17" citapStreamSourceLength.1.1 32 citapStreamVRF.1.1 l3vpn citapStreamStatus.1.1 createAndGo 

For more information on enabling MPLS Layer 3, refer to the MPLS Layer 3 VPN Configuration Guide for Cisco ASR 9000 Series Routers.

For more information on enabling SNMP-based lawful intercept, refer How to Configure SNMPv3 Access for Lawful Intercept.

New enhancements introduced on the Cisco ASR 9000 Series Router in terms of scalability and performance for lawful intercept are:

• IPv4 lawful intercept tap limit is 1000 taps per IPv4 except for the A9K-8x100G-LB-SE and A9K-8x100G-LB-TR line cards. These line cards have a tap limit of 2000 taps per IPv4.

• IPv6 lawful intercept tap limit is 1000 taps per IPv6.

• Interception rate is:

  • 50 Mbps per network processor (NP) for ASR9000-SIP-700 line card.

  • 100 Mbps for Gigabit Ethernet line cards.

  • 500 Mbps for Modular Weapon-X line cards.

  • 1000 Mbps for 100GE line cards.

• Support upto 512 MDs.

The filters used for classifying a tap are:

• IP address type

• Destination address

• Destination mask

• Source address

• Source mask

• ToS (Type of Service) and ToS mask

• Protocol

• Destination port with range

• Source port with range

• VRF (VPN Routing and Forwarding)

• Flow ID

To further extend filteration criteria for IPv6 packets, an additional support to intercept IPv6 packets based on flow ID has been introduced on the Cisco ASR 9000 Series Router. All IPv6 packets are intercepted based on the fields in the IPv6 header which comprises numerous fields defined in IPv6 Header Field Details table:

Note	The field length or payload length is not used for intercepting packets.

The flow ID or flow label is a 20 bit field in the IPv6 packet header that is used to discriminate traffic flows. Each flow has a unique flow ID. The filteration criteria to intercept packets matching a particular flow ID is defined in the tap configuration file. From the line card, the intercepted mapped flow IDs are sent to the next hop, specified in the MD configuration file. The intercepted packets are replicated and sent to the MD fom the line card.

This section provides information about intercepting VRF aware packets and 6PE packets. Before describing how it works, a basic understanding of 6VPE networks is discussed.

The MPLS VPN model is a true peer VPN model. It enforces traffic separations by assigning unique VPN route forwarding (VRF) tables to each customer's VPN at the provider content IAP router. Thus, users in a specific VPN cannot view traffic outside their VPN.

Cisco ASR 9000 Series Router supports intercepting IPv6 packets of the specified VRF ID for 6VPE. To distiguish traffic on VPN, VRFs are defined containing a specific VRF ID. The filter criteria to tap a particular VRF ID is specified in the tap. IPv6 packets are intercepted with the VRF context on both scenarios: imposition (ip2mpls) and disposition (mpls2ip).

The 6PE packets carry IPv6 packets over VPN. The packets do not have a VRF ID. Only IP traffic is intercepted; no MPLS based intercepts are supported. The IPv6 traffic is intercepted at the content IAP of the MPLS cloud at imposition (ip2mpls) and at disposition (mpls2ip).

Intercepting IPv6 packets is also performed for ip2tag and tag2ip packets. Ip2tag packets are those which are converted from IPv6 to Tagging (IPv6 to MPLS), and tag2ip packects are those which are converted from Tagging to IPv6 (MPLS to IPv6) at the provider content IAP router.

Intercepted packets mapping the tap are replicated, encapsulated, and then sent to the MD. IPv4 and IPv6 packets are encapsulated using UDP (User Datagram Protocol) encapsulation. The replicated packets are forwarded to MD using UDP as the content delivery protocol. Only IPv4 MD encapsulation is supported.

The intercepted packet gets a new UDP header and IPv4 header. Information for IPv4 header is derived from MD configuration. Apart from the IP and UDP headers, a 4 byte channel identifier (CCCID) is also inserted after the UDP header in the packet. After adding the MD encapsulation, if the packet size is above the MTU, the egress LC CPU fragments the packet. Moreover, there is a possibility that the packet tapped is already a fragment. Each tap is associated with only one MD. Cisco ASR 9000 Series Router does not support forwarding replicated packets to multiple MDs.

Note	Encapsulation types, such as RTP and RTP-NOR, are not supported.

Cisco ASR 9000 Series Router line cards provide SNMP server as an interface to export each tap forwarded to MD packet and drop counts. Any intercepted packets that are dropped prior to getting forwarded to the MD due to policer action are counted and reported. The drops due to policer action are the only drops that are counted under per tap drop counters. If a lawful intercept filter is modified, the packet counts are reset to 0.

Note	Per tap drop counter support is available only for ASR9000-SIP-700 line card, and not for ethernet line cards.

At any point in time, MD has the responsibility to detect the loss of the taps via SNMP configuration process.

After RPFO is completed, MD should re-provision all the entries in the stream tables, MD tables, and IP taps with the same values they had before fail over. As long as an entry is re-provisioned in time, existing taps will continue to flow without any loss.

The following restrictions are listed for re-provisioning MD and tap tables with respect to behavior of SNMP operation on citapStreamEntry, cTap2StreamEntry, cTap2MediationEntry MIB objects:

• After RPFO, table rows that are not re-provisioned, shall return NO_SUCH_INSTANCE value as result of SNMP Get operation.

• Entire row in the table must be created in a single configuration step, with exactly same values as before RPFO, and with the rowStatus as CreateAndGo. Only exception is the cTap2MediationTimeout object, that should reflect valid future time.

The replay timer is an internal timeout that provides enough time for MD to re-provision tap entries while maintaining existing tap flows. It resets and starts on the active RP when RPFO takes place. The replay timer is a factor of number of LI entries in router with a minimum value of 10 minutes.

After replay timeout, interception stops on taps that are not re-provisioned.

Note	In case high availability is not required, MD waits for entries to age out after fail over. MD cannot change an entry before replay timer expiry. It can either reinstall taps as is, and then modify; or wait for it to age out.

This section describes the possible upgrade and downgrade scenarios with respect to the Lawful Intercept (LI) package.

This example configuration demonstrates how to upgrade or downgrade the Cisco IOS XR software with or without the LI package. Suppose you have two versions of software images, V1 and V2. If you want to upgrade or downgrade from V1 to V2 without the LI package, you need to perform the following steps for the upgrade or the downgrade procedure:

Note	Ensure that you use Turbo Boot to load the image for the downgrade process.

1. Ensure that the device has booted with the V1 image. Check the Package Installation Envelope (PIE) files that have been installed in V1.

2. Save all the PIE files that exist in V2 in the Trivial File Transfer Protocol (TFTP) server. Copy the contents of the PIE files from the TFTP server by using the install add command in the admin mode.

   RP/0/RSP0/CPU0:router(admin)# install add tar tftp://223.255.254.254/install/files/pies.tar

3. To activate all the PIE files in V2 at once, run the following commands based on the type of upgrade:

At any point during the upgrade or the downgrade process, you can check the progress by using the show install request or the show issu command.

Lawful Intercept is enabled by default on the Cisco ASR 9000 Series Router after installing and activating the asr9k-li-px.pie.

• To disable Lawful Intercept, enter the lawful-intercept disable command in global configuration mode.

• To re-enable it, use the no form of this command.

Disabling SNMP-based Lawful Intercept: Example

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# lawful-intercept disable

Note	The lawful-intercept disable command is available on the router, only after installing and activating the asr9k-li-px.pie. All SNMP-based taps are dropped when lawful intercept is disabled.

If MPP was not earlier configured to work with another protocol, then ensure that the MPP feature is also not configured to enable the SNMP server to communicate with the mediation device for lawful interception. In such cases, MPP must be configured specifically as an inband interface to allow SNMP commands to be accepted by the router, using a specified interface or all interfaces.

Note	Ensure this task is performed, even if you have recently migrated to Cisco IOS XR Software from Cisco IOS, and you had MPP configured for a given protocol.

For lawful intercept, a loopback interface is often the choice for SNMP messages. If you choose this interface type, you must include it in your inband management configuration.

For a more detailed discussion of the inband management interface, see the Inband Management Interface.