Lawful intercept

This chapter provides an overview of the Lawful Intercept (LI) functionality for BNG CUPS.

Overview of the LI implementation on the BNG UPF

To perform LI for BNG CUPS, configurations are required on both the BNG CUPS CPF and UPF:

  • The CPF supports reporting of subscriber and LI events; see the CMG BNG CUPS Control Plane Function Guide and the 7750 SR MG and CMG CLI Reference Guide for more information about BNG CUPS CPF configuration.

  • The UPF supports the provisioning of LI targets and mirroring of LI packets.

After the LI mediation gateway identifies an LI subscriber through the CPF-reported events, the provisioning of the LI subscriber can be performed directly on the UPF, using the configure li li-source commands as described in the 7450 ESS, 7750 SR, 7950 XRS, and VSR OAM and Diagnostics Guide. Provisioning can be performed using CLI or SNMPv3, however, SNMPv3 is the preferred platform.

Note: In CUPS architecture, the UPF creates a new subscriber ID every time the subscriber or LI subscriber logs in. For this reason, it is highly recommended to use a mediation device to automate the LI configuration. It is not recommended to perform LI configuration through CLI on the UPF.

When the BNG CUPS CPF is configured, it notifies the LI mediation device about the UP subscriber IDs and IP addresses. The LI mediation device sends an SNMPv3 command directly to the UPF IP address to set up an LI target. Li targets typically include the following parameters:

  • mirror destination service; can be a layer 3 encapsulation or a SAP

  • subscriber ID; for example, " _cups_549"

    Note: The UPF automatically appends " _cups_" to the auto-generated subscriber ID.

  • ingress and egress direction

  • session ID and intercept ID, which allow the LI mediation device to correlate subscriber events and mirrored packets (optional); see the 7450 ESS, 7750 SR, 7950 XRS, and VSR OAM and Diagnostics Guide, section "Lawful Intercept" for information about additional parameters

When the subscriber logs out, the LI mediation device removes the subscriber from the LI source through SNMPv3. When the same subscriber logs in again, the system auto-generates a new UPF subscriber ID.

For the procedure to configure SNMPv3 and BNG CUPS, see Provisioning SNMPv3 and LI subscribers for the BNG CUPS UPF.

Provisioning SNMPv3 and LI subscribers for the BNG CUPS UPF

Before you begin, review Overview of the LI implementation on the BNG UPF.

To provision SNMPv3 and LI subscribers for the BNG CUPS UPF, perform the following steps:

  1. Create the SNMPv3 group for LI.
  2. Provision an LI administrator for the UPF with both LI access and SNMP access.
  3. Associate the SNMPv3 group created in step 1 with the LI administrator.

    See the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide, for more information about LI users and SNMPv3 setup.

  4. Provision the LI subscriber directly on the UPF, using the configure li li-source commands.

    See the 7450 ESS, 7750 SR, 7950 XRS, and VSR OAM and Diagnostics Guide for information about user plane LI management and procedures.

    See the CMG BNG CUPS Control Plane Function Guide and the 7750 SR MG and CMG CLI Reference Guide for information about the related BNG CUPS CPF configuration.