In this section:

Related articles:


The SBC Core provides Lawful Intercept (LI) support using one of two methods:

  • Using ERE with provisioning support from EMA (license required).
  • Using centralized PSX with provisioning support from EMS (license required).

The SBC supports up to 500 simultaneous LI sessions. SBC works in coordination with an Intercept Server (IS) to provide call data and call content to law enforcement agencies for calls involving identified intercept subjects. When it receives matching LI criteria in a policy response from ERE (or external PSX in centralized PSX solution), the SBC routes the call as directed and additionally reports call events to the IS.

The SBC also sends an RTP copy of the call's voice streams (call content) to an IP address provided by the IS. LI is configured by EMA (or EMS in centralized PSX solution). The target number is uploaded to LI table of ERE (or PSX, with the help of EMS).

Note

You must use the default addressContext when configuring LI.

 

Refer to Lawful Intercept page for an in-depth explanation of LI functionality.

Note

The SBC 52x0 and SBC 7000 systems support creating IP Interface Groups containing sets of IP interfaces that are not "processor friendly" (i.e. carried on physical Ethernet ports served by separate processors). However, restrictions exist regarding the usage of such Interface Groups.

(This ability does not apply to the SBC 51x0 and SBC 5400 systems which have only two physical media ports. IP interfaces from the two physical ports may be configured within the same IP Interface Groups without restriction.)

For complete details, refer to Configuring IP Interface Groups and Interfaces.

Note

When configuring LI through EMA/ERE, you must be 'Calea' user. Refer to Managing SBC Core Users and Accounts for descriptions of users and permissions.

 

LI Commands

Command Syntax

As user 'Calea', use the following command syntax to configure LI.

% set addressContext <default> intercept 
   callDataChannel <callDataChannel> 
   nodeNumber <integer>

Command Parameters

Intercept Parameters

Parameter

Length/Range

Description

CallDataChannel

1-23

The user-configurable LI Call Data Control Channel name.

(See Call Data Channel Parameters table below for parameter details)

nodeNumber

0-9999999

The unique global node number to assign to the SBC which is used by the LI server for identification purposes.

 

Call Data Channel Commands

High Level Command Syntax

As user 'Calea', use the following CLI syntax to establish the LI call data channel configuration:

Note

Some parameters only display after others are configured as described in the Call Data Channel Parameters table below.

Call Data Channel High Level Syntax
% set addressContext <default> intercept callDataChannel <callDataChannel_name>
	dsrProtocolVersion <0 | 1>
    interceptStandard < etsi | packetcable | threeGpp>
	ipInterfaceGroupName <ipInterfaceGroup_Name> 
	kaTimer <0-65535 seconds>
	liPolDipForRegdOodMsgs <disabled | enabled>
	mediaIpInterfaceGroupName <IP interface group name>
	mediationServer <server name>
	priIpAddress <IPv4 address> 
	priMode <active | outofservice | standby> 
	priPort <0-65535> 
	priState <disabled | enabled> 
	retries <value>
	rtcpInterception <disabled | enabled>
	secIpAddress <IP_Address> 
	secMode <active | outofservice | standby> 
	secState <disabled | enabled>
	vendorId <none | groupTwoThousand | ss8 | utimaco | verint>

Call Data Channel (CDC) Parameters

Call Data Channel Parameters

Parameter

Length/Range

Description

dsrProtocolVersion


N/A Signifies the intercepted X2 signaling protocol version towards the mediation servers. The default value 0 maintains backward compatibility with SBC Core 8.0 or earlier
  • 0 (default)
  • 1

interceptStandard

N/A

The Intercept Standard to use for this Call Data Channel.

  • etsi
  • packetcable (default)
  • threeGpp

ipInterfaceGroupName

0-23

<IPIG name> – Name of the IP interface group used to stream to the LI server.

kaTimer

0-65535

<# seconds> (default = 5) – The keep-alive timer value, in seconds.

liPolDipForRegdOodMsgs N/A

 Use this flag to control the sending of the policy dip to PSX for registered user's Out-Of-Dialog messages.

  • disabled (default) – SBC does not send policy request to PSX for registered out-of-dialog requests (messages).
  • enabled – SBC sends policy request to PSX for registered out-of-dialog requests for interception.

NOTE: This parameter is only visible when interceptStandard is not set to the default packetcable.

mediaIpInterfaceGroupName1-23 charactersThe name of the IP interface group that is used to stream media packets to the LI server.
mediationServer0-23

<name> – Name of the Mediation Server. Up to eight Mediation Servers are configurable for each CDC. See Mediation Server Configurations below for parameter details.

NOTE: The mediationServer parameter is only visible when interceptStandard and vendorId are configured for IMS LI (See table Configuration Options When Configuring SBC for Different LI Flavors).

priIpAddress

N/A

<IPv4 address> – The primary LI server's IPv4 address where Call Data Channel messages are sent. (default = 0.0.0.0)

priMode

N/A

Mode of the primary server. Options are:

  • active (default)
  • outOfService
  • standby

priPort

0-65535

<port number> – The primary LI server's UDP port where Call Data Channel messages are sent. (default = 0)

pristate

N/A

Use this flag to enable/disable communication to the primary LI server.

  • enabled (default)
  • disabled

retries

N/A

Number of retries before the LI Call Data Channel is considered as failed. (default = 3)

rtcpInterception

N/A

Enable this flag to intercept RTCP information for IMS LI.

  • disabled (default)
  • enabled

NOTE: The rtcpInterception parameter is only visible when interceptStandard and vendorId are configured as IMS LI (See table Configuration Options When Configuring SBC for Different LI Flavors).

secIpAddress

N/A

Secondary LI server's IPv4 address where Call Data Channel messages are sent. (default = 0.0.0.0)

secMode

N/A

Mode of the secondary server. Options are:

  • active
  • outOfService (default)
  • standby

secState

N/A

Use this flag to enable/disable communication to secondary LI server.

  • enabled (default)
  • disabled

vendorId

N/A

The vendor name of the LI server.

  • none (default)
  • groupTwoThousand
  • ss8
  • utimaco
  • verint

 

Mediation Server Configurations

The SBC allows configuration of a maximum of 16 mediation servers for IMS LI in the Call Data Channel (CDC). When a call is tapped, the SBC selects among the Delivery Function 2 (DF2) servers in a round-robin manner, and establishes persistent TCP connections with all configured mediation servers. Prior to the enhancement, only one mediation server was supported.

Each mediation server object contains the Signaling(X2) and Media (X3) IP addresses. The SBC allows configuration of multiple mediation servers with the same X2 IP address but a different X3 IP address.

For IMS LI, the SBC does not support any Active-Standby configuration for the X2 servers. It assumes that the DF2 servers are running in Active-Active mode, and in case of a failure, moves the IP address of the active DF2 server to the standby DF2 server.

The X2 and X3 servers operate independently. Even if the X2 servers are not reachable, the SBC sends X3 media if DF3 servers are available, and vice versa.


Mediation Server for Media Interception over TCP

The SBC supports TCP to transport mediation server details.

Command Syntax

% set addressContext <addressContext name> intercept callDataChannel <CDC name> mediationServer <mediationServer name> media tcp
	dscpValue <0-63>
	ipAddress <IPv4/IPv6 address>
	kaInterval <5-60 seconds>
	kaProbe <4-8 seconds>
	kaTime <60-7200 seconds>
	mode <inService | outOfService>
	portNumber <0-65535>
	state <disabled | enabled>

Command Parameters

Mediation Server: Media over TCP Parameters

ParameterLength/RangeDescriptions
dscpValue0-63The DSCP value for intercepted media packets sent on TCP port. (Default = 16) 
ipAddressIPv4/IPv6 formatThe IPv4/IPv6 Address of the mediation server for media interception over TCP. 

kaInterval

5-60The duration between two successive keep alive retransmissions, if acknowledgement to the previous keep alive transmission is not received. (Default = 30 seconds)

kaProbe

4-8The number of retransmissions to be carried out before declaring that the remote end is not available. (Default = 4)

kaTime

60 to 7200The duration, in seconds, between the two keep alive transmissions in the idle condition. (Default = 180 seconds)
modeN/A

The operational mode of the signaling/media connection towards the mediation server.

  • inService
  • outOfService (default) 
portNumber0-65535The TCP port number of the mediation server for media interception over TCP. (Default = 0) 
stateN/A

The administrative state of the TCP connection towards the mediation server.

  • disabled (default)
  • enabled

 

Mediation Server for Media Interception over UDP

 The SBC supports UDP to transport mediation server details.

Command Syntax

% set addressContext <addressContext name> intercept callDataChannel <CDC name> mediationServer <mediationServer name> media udp
	dscpValue <0-63>
	ipAddress <IPv4/IPv6 address>
	mode <inService | outOfService>
	portNumber <0-65535>
	state <disabled | enabled>

Command Parameters

Mediation Server: Media over UDP Parameters

ParameterLength/RangeDescriptions
dscpValue 0-63 The DSCP value for intercepted media packets sent on UDP port. (Default = 16)
ipAddressIPv4/IPv6 format The IPv4/IPv6 Address of the mediation server for media interception over UDP. 
mode N/A The operational mode of the signaling/media connection towards the mediation server.
  • inService
  • outOfService (default)
portNumber 0-65535The UDP port number of the mediation server for media interception over UDP. (Default = 0)

state 

N/A 

The administrative state of the UDP connection towards the mediation server.

  • disabled (default)
  • enabled

 

Mediation Server for signaling interception

Command Syntax

Mediation Server Syntax
% set addressContext <addressContext name> intercept callDataChannel <CDC name> mediationServer <mediationServer name> signaling
	dscpValue <0-63>
	ipAddress <IPv4/IPv6 address>
	mode <inService | outOfService>
	portNumber <0-65535>
	protocolType <tcp | udp>
	state <disabled | enabled>

Command Parameters

Mediation Server: Signaling Parameters

ParameterDescriptions

signaling

Mediation server signaling interception settings.

  • dscpValue – The DSCP value for intercepted signaling packets sent on this port. (range: 0-63 / default = 16)
  • ipAddress – The IPv4/IPv6 Address of the mediation server for signaling interception.
  • mode – The operational mode of the signaling/media connection towards the mediation server.
    • inService
    • outOfService (default)
  • portNumber – The UDP/TCP port number of the mediation server for signaling interception. (range: 0-65536 / default = 0)
  • protocolType – The protocol used by the mediation server for signaling interception (TCP/UDP).
    • tcp (default)
    • udp
  • state – The administrative state of the signaling/media connection towards the mediation server.
    • disabled (default)
    • enabled
Note

The protocolType "udp" command is not supported for Signaling interception in this release.

To retrieve the LI statistics, use the command:

> show status addressContext <addressContext name> intercept

 

Configuration Options When Configuring SBC for Different LI Flavors

The following table depicts the interceptStandard and verndorId configuration options to configure SBC for the the various LI flavors.

Configuration Options When Configuring SBC for Different LI Flavors

Configuration Settings

 

LI Flavor

interceptStandardvendorId
packetcablenone/utimaco/verint/groupTwoThousandLegacy LI (default)
packetcabless8SS8 LI
threeGpp/etsinone/utimaco/verint/groupTwoThousandIMS LI

 

Command Examples

To configure the name of the IP interface group used to stream to the LI server, use the commands:

% set addressContext default intercept callDataChannel CDC ipInterfaceGroupName LIG1
% commit
Note

The mediation server’s ipInterfaceGroup must be different from other signaling ipInterface groups to ensure that LI does not use the signaling ipAddress to send intercepted traffic (media/signaling) towards the mediation server. 

 

To configure intercept standard, use the commands:

% set addressContext default intercept callDataChannel CDC interceptStandard etsi
% commit

 

To configure the vendor ID, use the commands:

% set addressContext default intercept callDataChannel CDC interceptStandard etsi vendorId verint
% commit

 

To configure mediation server for media interception, use the commands:

Note

Mediation server’s ipInterfaceGroup must be different from other signaling ipInterface groups. This ensures that LI doesn't use signaling ipAddress to send intercepted traffic (media/signaling) towards Mediation Server.

% set addressContext default intercept callDataChannel CDC interceptStandard etsi vendorId verint mediationServer ms1
% commit

 

To configure mediation server for media interception over TCP, use the commands:

% set addressContext default intercept callDataChannel CDC mediationServer ms1 media tcp dscpValue 0 ipAddress 10.54.66.67 portNumber 7870
% commit
% set addressContext default intercept callDataChannel CDC mediationServer ms1 media tcp mode inService state enabled 
% commit

 

To configure mediation server for media interception over UDP, use the commands:

% set addressContext default intercept callDataChannel CDC mediationServer ms1 media udp dscpValue 0 ipAddress 10.54.66.57 portNumber 7881
% commit
% set addressContext default intercept callDataChannel CDC mediationServer ms1 media udp mode inService state enabled 
% commit

 

To configure mediation server for signaling interception, use the commands:

% set addressContext default intercept callDataChannel CDC mediationServer ms1 signaling dscpValue 0 ipAddress 10.54.64.80 portNumber 7880 protocolType tcp
% commit
% set addressContext default intercept callDataChannel CDC mediationServer ms1 signaling mode inService state enabled
% commit

 

To configure RTCP interception, use the commands:

% set addressContext default intercept callDataChannel CDC rtcpInterception enabled
% commit

 

To enable the sending of the policy dip to PSX for registered user's Out-Of-Dialog messages, use the commands:

% set addressContext default intercept callDataChannel CDC liPolDipForRegdOodMsgs enabled
% commit