Lawful intercept

This chapter provides an overview of the Lawful Intercept (LI) functionality for BNG CUPS.

Overview of the LI implementation on the BNG-UP

To perform LI for BNG CUPS, configurations are required on both the MAG-c and BNG-UP:

  • The MAG-c supports reporting of subscriber and LI events; see the MAG-c Control Plane Function Guide and the MAG-c CLI Reference Guide for more information about MAG-c configuration.

  • The BNG-UP supports the provisioning of LI targets and mirroring of LI packets.

After the LI mediation gateway identifies an LI subscriber through the MAG-c-reported events, the provisioning of the LI subscriber can be performed directly on the BNG-UP, using the configure li li-source commands as described in the 7450 ESS, 7750 SR, 7950 XRS, and VSR OAM and Diagnostics Guide. Provisioning can be performed using CLI or SNMPv3, however, SNMPv3 is the preferred platform.

Note: In CUPS architecture, the BNG-UP creates a new subscriber ID every time the subscriber or LI subscriber logs in. For this reason, it is highly recommended to use a mediation device to automate the LI configuration. It is not recommended to perform LI configuration through CLI on the BNG-UP.

When the MAG-c is configured, it notifies the LI mediation device about the UP subscriber IDs and IP addresses. The LI mediation device sends an SNMPv3 command directly to the BNG-UP IP address to set up an LI target. Li targets typically include the following parameters:

  • mirror destination service; can be a layer 3 encapsulation or a SAP

  • subscriber ID; for example, " _cups_549"

    Note: The BNG-UP automatically appends " _cups_" to the auto-generated subscriber ID.

  • ingress and egress direction

  • session ID and intercept ID, which allow the LI mediation device to correlate subscriber events and mirrored packets (optional); see the 7450 ESS, 7750 SR, 7950 XRS, and VSR OAM and Diagnostics Guide, section "Lawful Intercept" for information about additional parameters

When the subscriber logs out, the LI mediation device removes the subscriber from the LI source through SNMPv3. When the same subscriber logs in again, the system auto-generates a new BNG-UP subscriber ID.

For the procedure to configure SNMPv3 and BNG CUPS, see Provisioning SNMPv3 and LI subscribers for the BNG-UP

Provisioning SNMPv3 and LI subscribers for the BNG-UP

Before you begin, review Overview of the LI implementation on the BNG-UP.

To provision SNMPv3 and LI subscribers for the BNG-UP, perform the following steps:

  1. Create the SNMPv3 group for LI.
  2. Provision an LI administrator for the BNG-UP with both LI access and SNMP access.
  3. Associate the SNMPv3 group created in step 1 with the LI administrator.

    See the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide, for more information about LI users and SNMPv3 setup.

  4. Provision the LI subscriber directly on the BNG-UP, using the configure li li-source commands.

    See the 7450 ESS, 7750 SR, 7950 XRS, and VSR OAM and Diagnostics Guide for information about user plane LI management and procedures.

    See the MAG-c Control Plane Function Guide and the MAG-c CLI Reference Guide for information about the related MAG-c configuration.