li command reference

li hierarchy descriptions

This section provides the following Lawful Interception hierarchy descriptions:

configure li command hierarchy


    configure
      — li
          — mobile-gateway
              — 3gpp-5g-release
              — 3gpp-release
              — allow-duplicate-msisdn-or-imei
              — client-tls-profile
              — custom-correlation-id-format
              — df-peer
              — fan-out
              — include-rai
              — iri
                  — gw-function-iri-mode
                  — iri-per-mb-request
                  — te-id
                  — x2-iri-ice-type
              — li-x1
                  — admf-peer
                  — alpn
                  — li-x1-keep-alive-time-p2
                  — li-x1-local-interface
                  — sni
              — li-x2
                  — li-x2-keep-alive-time-p1
                  — li-x2-keep-alive-time-p2
              — local-interface
              — nf-id-value
              — num-conn-retries
              — operator-id
              — per-bearer-seq-num
              — server-tls-profile
              — target
              — tls
              — x2-iri-cache-size
              — x2-iri-qos
              — x2-keep-alive-time
          — pfcp-li-shared-key
          — target
              — description
              — source

show li command hierarchy


    show
      — li
          — mobile-gateway
              — df-peer
              — summary

li command descriptions

This section provides the following Lawful Interception command descriptions:

configure li command descriptions

mobile-gateway

Syntax

mobile-gateway

Context

[Tree] configure li mobile-gateway

Description

Commands in this context configure lawful intercept (LI) functionality for the MAG-c.

3gpp-5g-release

Syntax

3gpp-5g-release release

Context

[Tree] configure li mobile-gateway 3gpp-5g-release

Description

This command configures the 3GPP release option used for the 5G LI interfaces.

The no form of this command reverts to the default (base release).

Parameters

release: Specifies the 3GPP release.; Values: rel-base | rel-16; Default: rel-base (Release 15)

3gpp-release

Syntax

3gpp-release release

Context

[Tree] configure li mobile-gateway 3gpp-release

Description

This command configures the 3GPP release option used for LI interfaces.

The no form of this command reverts to the default (base release).

Parameters

release: Specifies the 3GPP release.; Values: rel-base | rel-13; Default: rel-base (Release 11)

allow-duplicate-msisdn-or-imei

Syntax

[no] allow-duplicate-msisdn-or-imei

Context

[Tree] configure li mobile-gateway allow-duplicate-msisdn-or-imei

Description

This command enables LI support for duplicate MSISDN or IMEI.

The no form of this command disables LI support for duplicate MSISDN or IMEI.

client-tls-profile

Syntax

client-tls-profile tls-profile-name
no client-tls-profile

Context

[Tree] configure li mobile-gateway client-tls-profile

Description

This command configures a default client TLS profile on the MAG-c. When the TLS profile is configured, the MAG-c tries to establish a TCP connection with the lawful intercept gateway (LIG) over TLS for the 5G LI X2 interface. The MAG-c supports strict TLS-only mode for the 5G LI X2 interface. Both the MAG-c and the LIG must support TLS.

The no form of this command removes the configuration.

Default

no client-tls-profile

Parameters

tls-profile-name: Specifies the TLS profile name, up to 32 characters.

custom-correlation-id-format

Syntax

custom-correlation-id-format {enable | disable}
no custom-correlation-id-format

Context

[Tree] configure li mobile-gateway custom-correlation-id-format

Description

This command facilitates sending the correlation ID with four octets charging ID (without including the gateway IP address). The correlation ID is included in IRI as well as in CC messages, so that the LIG can correlate IRI and CC messages.

The no form of this command reverts to default (disable).

Parameters

enable: Keyword to send the correlation ID with four octets charging identifier.

disable: Keyword to not send the correlation ID with four octets charging identifier.; Default: disable

df-peer

Syntax

df-peer df-peer-id df2-addr ip-address df2-port port [df2-tls-profile profile-name]
no df-peer df-peer-id

Context

[Tree] configure li mobile-gateway df-peer

Description

This command configures the DF peer of an LI gateway as DF2 (X2) only. It supports the following configuration options:

DF2 IP address and port
DF2 TLS profile

The no form of this command removes the DF peer information from the configuration.

Parameters

def-peer-id: Specifies the DF peer ID.; Values: 1 to 254

ip-address

Specifies the DF peer IP address where the X2 is sent.

Values:

IPv4 address – a.b.c.d
IPv6 address – x:x:x:x:x:x:x:x (eight 16-bit pieces) or x:x:x:x:x:x:d.d.d.d
where
x – [0..FFFF]H
d – [0..255]D

port

Specifies the DF port number (TCP/UDP port) where the X2 is sent.

Values: 1 to 65535

Default: 0

profile-name

Specifies the DF profile name, up to 32 characters.

Note:

The DF peers can use the same or different TLS client profiles.
To use a TLS profile, the TLS protocol must be enabled (using the tls command).
The TLS client profiles must be in the administratively disabled (no shutdown) state.

fan-out

Syntax

[no] fan-out

Context

[Tree] configure li mobile-gateway fan-out

Description

This command enables IRI and IRI+CC fan-out functionality for LI on the mobile gateway. Each target activation must be uniquely identified by the lawful interception ID (LIID) specified using the target command. A maximum of 10 target activations are supported for a UE. There could be, for example, 5 activations using IMSI, 3 activations using MSISDN, and 2 activations using IMEI. A maximum of 7 activations are supported using the same target type (for example, IMSI). Each activation must be deactivated separately using the same LIID used at the time of activation.

The no form of this command reverts to the default.

Default

no fan-out

include-rai

Syntax

[no] include-rai

Context

[Tree] configure li mobile-gateway include-rai

Description

This command supports the inclusion of the Routing Area Identifier (RAI) from the message level along with the ULI received from the SGSN, within the Location of the Target Information Element that is sent in the IRI messages to the LIG.

The no form of this command reverts to the default.

Default

no include-rai

iri

Syntax

Context

[Tree] configure li mobile-gateway iri

Description

Commands in this context configure LI IRI settings.

gw-function-iri-mode

Syntax

[no] gw-function-iri-mode

Context

[Tree] configure li mobile-gateway iri gw-function-iri-mode

Description

This command controls the IRI mode of generating events for a combined 4G SGW/PGW session on the MAG-c. For a combined session, by default, only MAG-c IRI events are generated. When this command is enabled, separate events are generated for the combined session from both the SGW and the PGW function.

The no form of this command reverts to the default (only PGW events are generated for the combined SGW/PGW session).

Default

no gw-function-iri-mode

iri-per-mb-request

Syntax

[no] iri-per-mb-request

Context

[Tree] configure li mobile-gateway iri iri-per-mb-request

Description

This command enables the additional MBReq event on a MAG-c acting as the SGW.

The no form of this command reverts to the default.

Default

no iri-per-mb-request

te-id

Syntax

[no] te-id

Context

[Tree] configure li mobile-gateway iri te-id

Description

This command enables the population of the TEID (S5/S8-U PGW F-TEID: TEID+IP address) information element (IE) in a bearer activation IRI event from the SGW or PGW.

The no form of this command disables the population of the TEID IE in the bearer activation IRI event.

Default

no te-id

x2-iri-ice-type

Syntax

[no]x2-iri-ice-type

Context

[Tree] configure li mobile-gateway iri x2-iri-ice-type

Description

This command enables inclusion of the ICE-Type in GTP signaling-related IRI messages sent by the mobile gateway. Applicable gateway types include SGW, PGW, and combined SGW/PGW.

The no form of this command reverts to the default (ICE-Type is not included in GTP signaling

related IRI messages).

Default

no x2-iri-ice-type

li-x1

Syntax

li-x1

Context

[Tree] configure li mobile-gateway li-x1

Description

Commands in this context configure LI_X1 interface settings.

admf-peer

Syntax

admf-peer df-peer-id admf-addr admf-peer-address [x1-port x1-port-num]

no admf-peer df-peer-id

Context

[Tree] configure li mobile-gateway li-x1 admf-peer

Description

This command configures the administration function (ADMF) peer IP address, and optionally a port if other than the default value of 443 is used.

The no form of this command removes the specified ADMF peer.

Parameters

df-peer-id

Specifies the peer ID.

Values: 1 to 254

admf-peer-address

Specifies the peer IP address.

Values:

IPv4 address – a.b.c.d
IPv6 address – x:x:x:x:x:x:x:x (eight 16-bit pieces) or x:x:x:x:x:x:d.d.d.d
where
x – [0..FFFF]H
d – [0..255]D

x1-port-num

Specifies the port number.

Values: 1 to 65535

Default: 443

alpn

Syntax

alpn {enable | disable}

Context

[Tree] configure li mobile-gateway li-x1 alpn

Description

This command enables or disables the Application Layer Protocol Negotiation (ALPN) extension handling for TLS over the LI_X1 interface.

Default

alpn enable

li-x1-keep-alive-time-p2

Syntax

li-x1-keep-alive-time-p2 x1-time-p2-value
no li-x1-keep-alive-time-p2

Context

[Tree] configure li mobile-gateway li-x1 li-x1-keep-alive-time-p2

Description

This command specifies the keep-alive time for the LI_X1 interface. If the timer is set to zero, the keep-alive mechanism is disabled.

The no form of this command reverts to the default.

Default

li-x1-keep-alive-time-p2 0

Parameters

x1-time-p2-value: Specifies the keep-alive time in seconds.; Values: 0 | 3600 to 86400; 0 disables the keep-alive mechanism.; Default: 0

li-x1-local-interface

Syntax

li-x1-local-interface ip-address [router router-instance] [local-port port-num]
no li-x1-local-interface

Context

[Tree] configure li mobile-gateway li-x1 li-x1-local-interface

Description

This command configures the IP address for the LI_X1 local end point.

Default

no li-x1-local-interface

Parameters

ip-address

Specifies the IP address.

Values:

IPv4 address – a.b.c.d
IPv6 address – x:x:x:x:x:x:x:x (eight 16-bit pieces) or x:x:x:x:x:x:d.d.d.d
where
x – [0..FFFF]H
d – [0..255]D

router-instance

Specifies the router instance, up to 32 characters.

Default: base

port-num

Specifies the port number.

Values: 1 to 65535

Default: 443

sni

Syntax

sni {enable | disable}

Context

[Tree] configure li mobile-gateway li-x1 sni

Description

This command enables or disables the Service Name Indication (SNI) extension handling for TLS over the LI_X1 interface.

The no form of this command reverts to default.

Default

sni enable

li-x2

Syntax

li-x2

Context

[Tree] configure li mobile-gateway li-x2

Description

Commands in this context configure LI_X2 interface settings.

li-x2-keep-alive-time-p1

Syntax

li-x2-keep-alive-time-p1 x2-time-p1-value
no li-x2-keep-alive-time-p1

Context

[Tree] configure li mobile-gateway li-x2 li-x2-keep-alive-time-p1

Description

This command specifies the keep-alive time for the LI_X2 interface on the MAG-c acting as the SMF. The POI sends a keepalive PDU at least everyx2-time-p1-value seconds (the default is 60 seconds). If the POI does not receive a keep-alive Acknowledgment PDU within the number of seconds specified for x2-time-p2-value, it disconnects the connection and attempts to reconnect to the MDF while reporting an error through the X1 interface as defined in ETSI TS 103 221-1. The default x2-time-p2-value is 180 seconds and it can be modified using the li-x2-keep-alive-time-p2 command.

The no form of this command reverts to the default. If the timer is set to 0 value, the keep-alive mechanism is disabled.

Parameters

x2-time-p1-value: Specifies the keep-alive time, in seconds.; Values: 0 to 300; Default: 60

li-x2-keep-alive-time-p2

Syntax

li-x2-keep-alive-time-p2 x2-time-p2-value
no li-x2-keep-alive-time-p2

Context

[Tree] configure li mobile-gateway li-x2 li-x2-keep-alive-time-p2

Description

This command specifies the keep-alive time for the LI_X2 interface on the SMF. If the POI does not receive a keep-alive Acknowledgment PDU within the number of seconds specified for x2-time-p2-value (the default is 180 seconds), it disconnects the connection and attempts to reconnect to the MDF while reporting an error through the X1 interface as defined in ETSI TS 103 221-1.

The no form of this command reverts to the default. If the timer is set to 0 value, the keep-alive mechanism is disabled.

Parameters

x2-time-p2-value: Specifies the keep-alive time, in seconds.; Values: 0 to 1800; Default: 180

local-interface

Syntax

local-interface ip-address [router router-instance] [override-x2-interface x2-ip-address [x2-router x2-router-instance]]
no local-interface

Context

[Tree] configure li mobile-gateway local-interface

Description

This command configures the source IP address used by the xGW/GGSN for the LI interface. Specifying the override-x2-interface option enables each X2 interface to use a different VPRN context. When the override-x2-interface option is not specified, the X2 interfaces use the same IP address and VPRN context.

The no form of this command reverts to the default.

Default

no local-interface

Parameters

ip-address

Specifies the source IP address.

Values:

IPv4 address – a.b.c.d
IPv6 address – x:x:x:x:x:x:x:x (eight 16-bit pieces) or x:x:x:x:x:x:d.d.d.d
where
x – [0..FFFF]H
d – [0..255]D

router-instance

Specifies the router instance, up to 32 characters.

x2-ip-address

Specifies the source X2 IP address.

Values:

IPv4 address – a.b.c.d
IPv6 address – x:x:x:x:x:x:x:x (eight 16-bit pieces) or x:x:x:x:x:x:d.d.d.d
where
x – [0..FFFF]H
d – [0..255]D

x2-router-instance

Specifies the X2 router instance, up to 32 characters.

nf-id-value

Syntax

nf-id-value {uuid | ip-addr | ip-addr-hex-string}
no nf-id-value

Context

[Tree] configure li mobile-gateway nf-id-value

Description

This command specifies the NF identifier choice of uuid or ip-addr to use for IRI and CC messages over the LI_X1, LI_X2 and LI_X3 interfaces. The ip-addr option specifies to use the configured local source IP address for the LI_X1, LI_X2 and LI_X3 interfaces as the NF identifier in IRI and CC messages respectively.

The no form of this command reverts to the default (uuid).

Default

no nf-id-value

Parameters

uuid: Keyword to use the UUID as the NF identifier in IRI and CC messages.

ip-addr: Keyword to use the local source IP address configured for the LI_X1, LI_X2 and the LI_X3 interfaces as the NF identifiers in the IRI and CC messages respectively.; Default: disable

ip-addr-hex-string: Keyword to use the local source IP address for the LI_X1, LI_X2 and the LI_X3 interfaces, encoded as a hex string (individual digits and the character '.' are converted to the hex form) as the NF identifiers for the IRI and CC messages respectively.; Default: uuid

num-conn-retries

Syntax

num-conn-retries num-of-retries
no num-conn-retries

Context

[Tree] configure li mobile-gateway num-conn-retries

Description

This command is used to specify the number of (TCP) connection retries to the LIG server, before it is deemed to be down.

The no form of this command reverts to the default.

Default

num-conn-retries 3

Parameters

num-of-retries: Specifies the number of retries.; Values: 1 to 10; Default: 3

operator-id

Syntax

operator-id id-string
no operator-id

Context

[Tree] configure li mobile-gateway operator-id

Description

This command configures the operator ID.

Default

operator-id oprId

Parameters

id-string: Specifies the operator ID, up to 5 characters.; Default: oprId

per-bearer-seq-num

Syntax

[no] per-bearer-seq-num

Context

[Tree] configure li mobile-gateway per-bearer-seq-num

Description

This command generates a new sequence number (correlation number) for every new bearer.

The no form of the command disables generation of the sequence number.

Default

no per-bearer-seq-num

server-tls-profile

Syntax

server-tls-profile tls-profile-name
no server-tls-profile

Context

[Tree] configure li mobile-gateway server-tls-profile

Description

This command configures the default server TLS profile for the MAG-c lawful intercept X1 interface.

The no form of this command removes the server TLS profile configuration.

Default

no server-tls-profile

Parameters

tls-profile-name: Specifies the TLS profile name, up to 32 characters.

target

Syntax

target target-type id target-value intercept intercept peer df-peer-id [liid liid-string]
no target target-type id target-value [liid liid-string]

Context

[Tree] configure li mobile-gateway target

Description

This command configures the LI target peer.

The no form of this command removes the specified LI target peer.

Parameters

target-type

Specifies the LI target type.

Values: imsi| imei | msisdn | mac | nai

target-value

Specifies the LI target value.

Values:

imsi | imei | msisdn – up to 16 digits
mac – xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx
nai – username@realm, up to 253 characters

intercept

Specifies that the interception is for IRI only.

Values: iri

df-peer-id

Specifies the peer ID.

Values: 1 to 255

liid-string

Specifies the lawful intercept ID (LIID), up to 25 characters.

tls

Syntax

[no] tls

Context

[Tree] configure li mobile-gateway tls

Description

This command enables the TLS protocol in the LI X2 and X3 interfaces. To enable the TLS protocol, make sure that following conditions apply:

a valid client TLS profile is configured and administratively enabled (not shutdown) in all DF peers
the X3 interface is using TCP as the transport option

The no form of this command reverts to the default.

Default

no tls

x2-iri-cache-size

Syntax

x2-iri-cache-size cache-size
no x2-iri-cache-size

Context

[Tree] configure li mobile-gateway x2-iri-cache-size

Description

This command is used to specify the size of the IRI buffer cache. (IRI messages buffered when connectivity to the LIG is down). Setting the cache size to a value of 0 disables buffering.

The no form of this command reverts to the default.

x2-iri-qos

Syntax

x2-iri-qos dscp {dscp-value | dscp-name}
no x2-iri-qos

Context

[Tree] configure li mobile-gateway x2-iri-qos

Description

This command specifies the DSCP to be set for interception related information (IRI) messages sent to a lawful interception gateway (LIG).

The no form of this command reverts to the default.

Parameters

dscp-value: Specifies the value of the DSCP to be set for IRI.; Values: 0 to 63
dscp-name: Specifies the name of the DSCP to be set for IRI.; Values: none | be | ef | cp1 | cp2 | cp3 | cp4 | cp5 | cp6 | cp7 | cp9 | cs1 | cs2 | cs3 | cs4 | cs5 | nc1 | nc2 | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cp11 | cp13 | cp15 | cp17 | cp19 | cp21 | cp23 | cp25 | cp27 | cp29 | cp31 | cp33 | cp35 | cp37 | cp39 | cp41 | cp42 | cp43 | cp44 | cp45 | cp47 | cp49 | cp50 | cp51 | cp52 | cp53 | cp54 | cp55 | cp57 | cp58 | cp59 | cp60 | cp61 | cp62 | cp63; Default: af41

x2-keep-alive-time

Syntax

x2-keep-alive-time keep-alive-time
no x2-keep-alive-time

Context

[Tree] configure li mobile-gateway x2-keep-alive-time

Description

This command configures the keep-alive time for the X2 interface. An LI message including a keep-alive parameter is sent to the LIG when no LI message has been sent for the configured amount of time (for example, five minutes), indicating to the LIG that the LI connection is still up.

The no form of this command reverts to the default. A value of 0 disables the keep-alive mechanism.

Parameters

keep-alive-time: Specifies the keep-alive time in minutes.; Values: 0 to 5; Default: 0

pfcp-li-shared-key

Syntax

pfcp-li-shared-key key-value
pfcp-li-shared-key key-value hash2
no pfcp-li-shared-key

Context

[Tree] configure li pfcp-li-shared-key

Description

This command configures the shared key used between the MAG-c and the UP over the Sx/N4 interface. The PFCP IEs are sent from the MAG-c to the SR OS UPs. This is used to encrypt the LI container IE at the MAG-c, and decrypt the LI container IE at the UP.

The no form of this command reverts to the default.

Default

no pfcp-li-shared-key

Parameters

key-value: Specifies the value of the shared key for the Sx/N4 interface, up to 128 characters.

hash2: Keyword to specify hash2.

target

Syntax

target name
no target

Context

[Tree] configure li target

Description

This command configures an LI target name. This name only serves as an alias for the LI target.

The no form of this command removes the LI target configuration.

Parameters

name: Specifies the target name, up to 32 characters.

description

Syntax

description description-string

Context

[Tree] configure li target description

Description

This command configures a description for the LI target.

Parameters

description-string: Specifies the target description, up to 80 characters.

source

Syntax

no source id
source id imsi imsi-number [ingress] [egress] [fc fc-name [fc-name… (up to 8 max)]] intercept-id intercept-id session-id session-id [iri-peer df-peer-id] [mirror-destination service-name]
source id subscriber name [ingress] [egress] [fc fc-name [fc-name...(up to 8 max)]] intercept-id intercept-id session-id session-id mirror-destination service-name

Context

[Tree] configure li target source

Description

This command configures activation and deactivation of subscriber LI. The MAG-c supports 4G, 5G, and BNG subscriber LI.

The no form of this command removes the configuration of the source ID.

Parameters

id: Specifies a target source ID, or a name up to 64 characters; for example, if the target has 4 IMSIs. The imsi-number and the id parameters are mutually exclusive. If you are performing LI on a wireline (BNG) subscriber, use the subscriber keyword.; Value: 1 to 4

imsi-number: Specifies an IMSI value, in 10 to 15 digits. The imsi-number and the id parameters are mutually exclusive. If you are performing LI on a 4G or 5G wireless subscriber use the imsi keyword.

name: Specifies the subscriber name, up to 64 characters.

ingress: Keyword to specify the ingress source.

egress: Keyword to specify the egress source.

fc-name: Specifies the FC type.; Values: be | l2 | af | l1 | h2 | ef | h1 | nc

intercept-id: Specifies the intercept ID.; Values: 1 to 1073741823

session-id: Specifies the session ID.; Values: 1 to 4294967295

df-peer-id: Specifies the DF peer ID.; Values: 1 to 254
Note: Although the IRI peer ID is configurable, it is not supported. Nokia highly recommends that you do not configure this option.

service-name: Specifies the service name, up to 64 characters.

show li command descriptions

mobile-gateway

Syntax

mobile-gateway

Context

[Tree] show li mobile-gateway

Description

Commands in this context display LI information.

df-peer

Syntax

df-peer ip-addr ip-address | ipv6-address
df-peer [df-peer-id]

Context

[Tree] show li mobile-gateway df-peer

Description

This command displays delivery function (DF) peer information.

Parameters

ip-address | ipv6-address

Specifies the DF peer IP address.

Values:

ip-address – a.b.c.d
ipv6-address – x:x:x:x:x:x:x:x (eight 16-bit pieces) or x:x:x:x:x:x:d.d.d.d
where
x – [0..FFFF]H
d – [0..255]D

df-peer-id

Specified the DF peer ID.

Values: 1 to 254

summary

Syntax

summary

Context

[Tree] show li mobile-gateway summary

Description

This command displays a summary of the LI information.