Monday, June 22, 2015

RADIUS based Lawful intercept in ASR 1K [ISG]

Basically, there are two ways to tap user traffic:
1. SNMP based LI – supports per session and per flow based tapping
2. RADIUS based LI – supports only per session based tapping
 
Before IOS XE 3.10, RADIUS based LI was supported only for PPPoE sessions. It is now supported for all types of IP sessions as well.
 
RADIUS based LI can be initiated using two methods:
1. ACCESS ACCEPT (Session start) – The LI parameters will be sent in ACCESS ACCEPT during authorization.
2. CoA – LI parameters are sent at any time after the session is UP. The accounting session ID (Acct-Session-Id) must be present in the CoA request, along with the other LI parameters, to uniquely identify the session to be tapped.
 
Below are the LI parameters that should be sent in a tapping request (ACCESS ACCEPT or CoA):
 
vsa cisco generic 1 string "md-port=1000" --> Mediation device port number to which the intercepted packets will be sent
vsa cisco generic 1 string "li-action=1" --> LI action (0 = Stop; 1 = Start; 2 = Dummy)
vsa cisco generic 1 string "md-ip-addr=14.14.14.14" --> Mediation device IP address
vsa cisco generic 1 string "intercept-id=11111191" --> Intercept ID
 
The LI parameters can be sent to the ISG either encrypted or unencrypted. In the field they are usually sent encrypted, using the salted attribute encryption defined in RFC 2548. Below is a sample RSIM profile:
 
vsa cisco generic 36 string "md-port=1000" encrypt rfc2548
vsa cisco generic 36 string "li-action=1" encrypt rfc2548
vsa cisco generic 36 string "md-ip-addr=14.14.14.14" encrypt rfc2548
vsa cisco generic 36 string "intercept-id=77771201" encrypt rfc2548
 
In RADIUS based LI, the session's accounting session ID is used as the key to uniquely identify the data associated with the session and tap it.
Tapped user data is sent to the mediation device.
 
Below are the types of IP sessions for which RADIUS based LI is supported:
1. L2 connected Unclassified MAC
2. L2 connected DHCP
3. L3 connected unclassified IP
4. L3 connected DHCP
5. L2 connected RP session --> Partial support (CoA only)
6. L3 connected RP session --> Partial support (CoA only)
