Cisco IOS Security Configuration Guide: Securing User Services
Release 15.0

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, and figures included in the document are shown for illustrative purposes only.
Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco IOS Security Configuration Guide: Securing User Services
© 2009 Cisco Systems, Inc. All rights reserved.

About Cisco IOS Software Documentation

Last Updated: October 14, 2009

This document describes the objectives, audience, conventions, and organization used in Cisco IOS software documentation. Also included are resources for obtaining technical assistance, additional documentation, and other information from Cisco.

Documentation Objectives

Cisco IOS documentation describes the tasks and commands available to configure and maintain Cisco networking devices.

Audience

The Cisco IOS documentation set is intended for users who configure and maintain Cisco networking devices (such as routers and switches) but who may not be familiar with the configuration and maintenance tasks, the relationship among tasks, or the Cisco IOS commands necessary to perform particular tasks. The Cisco IOS documentation set is also intended for those users experienced with Cisco IOS software who need to know about new features, new configuration options, and new software characteristics in the current Cisco IOS release.

Documentation Conventions

In Cisco IOS documentation, the term router may be used to refer to various Cisco products; for example, routers, access servers, and switches. These and other networking devices that support Cisco IOS software are shown interchangeably in examples and are used only for illustrative purposes. An example that shows one product does not necessarily mean that other products are not supported.

Typographic Conventions
• ^ or Ctrl: Both the ^ symbol and Ctrl represent the Control (Ctrl) key on a keyboard. For example, the key combination ^D or Ctrl-D means that you hold down the Control key while you press the D key. (Keys are indicated in capital letters but are not case sensitive.)
• string: A string is a nonquoted set of characters shown in italics. For example, when setting a Simple Network Management Protocol (SNMP) community string to public, do not use quotation marks around the string; otherwise, the string will include the quotation marks.

Command Syntax Conventions
• bold: Bold text indicates commands and keywords that you enter as shown.
• italic: Italic text indicates arguments for which you supply values.
• [x]: Square brackets enclose an optional keyword or argument.
• ...: An ellipsis (three consecutive nonbolded periods without spaces) after a syntax element indicates that the element can be repeated.
• |: A vertical line, called a pipe, that is enclosed within braces or square brackets indicates a choice within a set of keywords or arguments.
• [x | y]: Square brackets enclosing keywords or arguments separated by a pipe indicate an optional choice.
• {x | y}: Braces enclosing keywords or arguments separated by a pipe indicate a required choice.
• [x {y | z}]: Braces and a pipe within square brackets indicate a required choice within an optional element.

Software Conventions
• Courier font: Courier font is used for information that is displayed on a PC or terminal screen.
• Bold Courier font: Bold Courier font indicates text that the user must enter.
• < >: Angle brackets enclose text that is not displayed, such as a password. Angle brackets also are used in contexts in which the italic font style is not supported; for example, ASCII text.
• !: An exclamation point at the beginning of a line indicates that the text that follows is a comment, not a line of code. An exclamation point is also displayed by Cisco IOS software for certain processes.
• [ ]: Square brackets enclose default responses to system prompts.

Reader Alert Conventions
• Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
• Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
• Timesaver: Means the described action saves time. You can save time by performing the action described in the paragraph.

Lawful Intercept Architecture

Information About Lawful Intercept

PacketCable Lawful Intercept Architecture

The PacketCable Lawful Intercept Architecture for BTS Version 5.0 document describes the implementation of LI for VoIP using Cisco BTS 10200 Softswitch call agent, version 5.0, in a PacketCable network that conforms to PacketCable Event Messages Specification version 1.5-I01.

The PacketCable Lawful Intercept Architecture for BTS Versions 4.4 and 4.5 document describes the implementation of LI for VoIP using Cisco BTS 10200 Softswitch call agent, versions 4.4 and 4.5, in a PacketCable network that conforms to
PacketCable Event Messages Specification version I08.

The PacketCable Lawful Intercept Architecture for BTS Versions 3.5 and 4.1 document describes the implementation of LI for VoIP using Cisco BTS 10200 Softswitch call agent, versions 3.5 and 4.1, in a PacketCable network that conforms to PacketCable Event Message Specification version I03.

The PacketCable Control Point Discovery Interface Specification document defines an IP-based protocol that can be used to discover a control point for a given IP address. The control point is the place where Quality of Service (QoS) operations, LI content tapping operations, or other operations may be performed.

Cisco ASR 1000 Series Routers

The Cisco ASR 1000 series routers support two types of LI: regular and broadband (per-subscriber). Broadband wiretaps are executed on access subinterfaces. Regular wiretaps are executed on access subinterfaces and physical interfaces. Wiretaps are not required, and are not executed, on internal interfaces. The router determines which type of wiretap to execute based on the interface that the target's traffic is using.

LI on the Cisco ASR 1000 series routers can intercept traffic based on a combination of one or more of the following fields:
• Destination IP address and mask (IPv4 or IPv6 address)
• Destination port or destination port range
• Source IP address and mask (IPv4 or IPv6 address)
• Source port or source port range
• Protocol ID
• Type of Service (TOS)
• Virtual routing and forwarding (VRF) name, which is translated to a vrf-tableid value within the router
• Subscriber (user) connection ID

The LI implementation on the Cisco ASR 1000 series routers is provisioned using SNMPv3 and supports the following functionality:
• Interception of communication content. The router duplicates each intercepted packet and then places the copy of the packet within a UDP-header encapsulated packet (with a configured CCCid). The router sends the encapsulated packet to the LI mediation device. Even if multiple
lawful intercepts are configured on the same data flow, only one copy of the packet is sent to the mediation device. If necessary, the mediation device can duplicate the packet for each LEA.
• Interception of IPv4 and IPv6 flows.
• Interception of IPv4 and IPv6 multicast flows, where the target is the source of the multicast traffic.

VRF Aware LI

VRF Aware LI is the ability to provision a LI wiretap on IPv4 data in a particular Virtual Private Network (VPN). This feature allows a LEA to lawfully intercept targeted data within that VPN. Only IPv4 data within that VPN is subject to the VRF-based LI tap.

VRF Aware LI is available for the following types of traffic:
• ip2ip
• ip2tag (IP to MPLS)
• tag2ip (MPLS to IP)

To provision a VPN-based IPv4 tap, the LI administrative function (running on the mediation device) uses the CISCO-IP-TAP-MIB to identify the name of the VRF table that the targeted VPN uses. The VRF name is used to select the VPN interfaces on which to enable LI in order to execute the tap. The router determines which traffic to intercept, and which mediation device to send the intercepted packets to, based on the VRF name (along with the source and destination address, source and destination port, and protocol).

Note: When using the CISCO-IP-TAP-MIB, if the VRF name is not specified in the stream entry, the global IP routing table is used by default.

LI of IP Packets on ATM Interfaces

The Lawful Intercept feature enables you to configure the system so that IP packets that are sent and received on ATM interfaces are intercepted based on the PVC information, such as the Virtual Path Identifier (VPI) or Virtual Channel Identifier (VCI). If you specify an interface when configuring the system, then all IP traffic on the given interface corresponding to the VPI or VCI on the ATM PVC is intercepted. If you do not specify an interface when configuring the system, then IP traffic corresponding to the ATM PVC on all
interfaces is intercepted.

LI of IP traffic on ATM interfaces is available for the following interfaces and encapsulation types:
• ATM interface
• ATM multipoint interface
• ATM subinterface point-to-point
• PPP over ATM (PPPoA) encapsulation
• PPP over Ethernet over ATM (PPPoEoA) encapsulation

To provision an IP traffic tap on an ATM interface, the LI administrative function (running on the mediation device) uses the CISCO-IP-TAP-MIB to specify the VPI and VCI information for ATM PVCs. This information is used to select the interfaces on which to enable LI in order to execute the tap. The router determines which traffic to intercept, and which mediation device to send the intercepted packets to, based on the VPI and VCI information.

When an ATM interface tap is provisioned, the system creates an IP_STREAM entry type that stores all tap information (such as the PVC information and interface). The LI feature intercepts packets at the IP layer. If the interface is an ATM interface, LI extracts the PVC information from the packet and matches it against the provisioned streams. If an interface is specified when configuring the system, LI also matches the packet information against the interface. For each matching stream, the LI module sends a copy of the packet to the corresponding mediation device.

IPv6 Based Lawful Intercepts

To configure IPv6 based lawful intercepts, the system identifies either the source or destination address as the target address and then determines whether a less specific route to the target address exists. If a less specific route to the target address exists, the system identifies the list of interfaces that can be used to reach the target address and applies the intercepts to those interfaces only. The system automatically detects route changes and reapplies intercepts on any changed routes.

The system uses the IPv6 stream details specified by the snmp set command to identify the target address,
using the following criteria:
• If the source address prefix length is 0, the destination address is chosen as the target address. Likewise, if the destination address prefix length is 0, the source address is chosen as the target address.
• If neither the source address nor the destination address prefix length is 0, the address with the longer prefix length is chosen as the target address.
• If the prefix lengths of the source address and destination address are equal, the system determines which network is closer to the Content IAP (CIAP) by doing a longest-match lookup on each prefix in the IPv6 routing table. The system chooses the location (source or destination) whose matching route has the longer prefix as the target.

Lawful Intercept MIBs

Because of their sensitive nature, the Cisco LI MIBs are available only in software images that support the LI feature. These MIBs are not accessible through the Network Management Software MIBs Support page (http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml).

Restricting Access to the Lawful Intercept MIBs

Only the mediation device and users who need to know about lawful intercepts should be allowed to access the LI MIBs. To restrict access to these MIBs, you must:
1. Create a view that includes the Cisco LI MIBs.
2. Create an SNMP user group that has read-and-write access to the view. Only users assigned to this user group can access information in the MIBs.
3. Add users to the Cisco LI user group to define who can access the MIBs and any information related to lawful intercepts. Be sure to add the mediation device as a user in this group; otherwise, the router cannot perform lawful intercepts.

For more information, see the "Creating a Restricted SNMP View of Lawful Intercept MIBs" section.

Note: Access to the Cisco LI MIB view should be restricted to the mediation device and to system administrators who need to be aware of lawful intercepts on the router. To access the MIB, users must have level-15 access rights on the router.
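The three target-address selection rules from the "IPv6 Based Lawful Intercepts" section above, applied to a constructed IPv6 routing table. This is an added example, not Cisco's code and not how the router implements the lookup internally; the interface names, the prefix-to-interface table and the treatment of a prefix length of 0 as "unspecified" are assumptions made for the example, and the two cases the text leaves undefined (both lengths 0, or a routing-table tie) raise instead of guessing.

```python
from __future__ import annotations
import ipaddress

# Constructed IPv6 routing table: prefix -> outgoing interface (names are assumed).
ROUTES = {
    "::/0": "GigabitEthernet0/0/3",
    "2001:db8:1::/48": "GigabitEthernet0/0/0",
    "2001:db8:1:10::/64": "GigabitEthernet0/0/1",
    "2001:db8:2::/48": "GigabitEthernet0/0/2",
}


def covering_routes(addr: str, routes: dict[str, str]) -> list[tuple[int, str]]:
    """All routes whose prefix covers addr, as (prefix length, interface) pairs."""
    ip = ipaddress.IPv6Address(addr)
    hits = []
    for prefix, ifname in routes.items():
        net = ipaddress.IPv6Network(prefix, strict=False)
        if ip in net:
            hits.append((net.prefixlen, ifname))
    return hits


def longest_match(addr: str, routes: dict[str, str]) -> int:
    """Prefix length of the most specific route covering addr, or -1 if none."""
    return max((plen for plen, _ in covering_routes(addr, routes)), default=-1)


def choose_target(src: str, src_plen: int, dst: str, dst_plen: int,
                  routes: dict[str, str]) -> str:
    """Apply the three rules from the text; returns "source" or "destination"."""
    if src_plen == 0 and dst_plen == 0:
        raise ValueError("neither address is specified; the text defines no target for this")
    # Rule 1: a prefix length of 0 leaves that side unspecified, so the other side is the target.
    if src_plen == 0:
        return "destination"
    if dst_plen == 0:
        return "source"
    # Rule 2: both sides specified; the longer (more specific) prefix is the target.
    if src_plen != dst_plen:
        return "source" if src_plen > dst_plen else "destination"
    # Rule 3: equal lengths; longest-match lookup of each side in the routing table,
    # the side whose matching route has the longer prefix is closer to the CIAP.
    src_match, dst_match = longest_match(src, routes), longest_match(dst, routes)
    if src_match == dst_match:
        raise ValueError("routing table does not separate the two sides; the text defines no tie-break")
    return "source" if src_match > dst_match else "destination"


def intercept_interfaces(target_addr: str, routes: dict[str, str]) -> list[str]:
    """Interfaces the intercept is applied to: the interface of every route that can
    reach the target (for a host target, each covering route is a less specific route)."""
    return sorted({ifname for _, ifname in covering_routes(target_addr, routes)})
```

With the table above, a stream whose source side is `::/0` is targeted on its destination; with both sides at /128, `2001:db8:1:10::7` wins over `2001:db8:2::9` because the routing table knows it through a /64 rather than a /48, and the intercept is then applied on the three interfaces whose routes cover that host, including the default route.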
How to Configure Lawful Intercept

Although there are no direct user commands to provision lawful intercept on the router, you need to perform some configuration tasks, such as providing access to LI MIBs, setting up SNMP notifications, and enabling the LI RADIUS session feature. This section describes how to perform the following tasks:
• Creating a Restricted SNMP View of Lawful Intercept MIBs
• Enabling SNMP Notifications for Lawful Intercept
• Disabling SNMP Notifications
• Enabling RADIUS Session Intercepts

Creating a Restricted SNMP View of Lawful Intercept MIBs

To create and assign users to an SNMP view that includes the Cisco lawful intercept MIBs, perform the steps in this section.

Prerequisites
• You must issue the commands in global configuration mode with level-15 access rights.
• SNMPv3 must be configured on the router.

SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server view view-name MIB-name included
4. snmp-server view view-name MIB-name included
5. snmp-server view view-name MIB-name included
6. snmp-server view view-name MIB-name included
7. snmp-server view view-name MIB-name included
8. snmp-server group group-name v3 auth read view-name write view-name
9. snmp-server user user-name group-name v3 auth md5 auth-password
10. end

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example: Router> enable

Step 2: configure terminal
Enters global configuration mode.
Example: Router# configure terminal

Step 3: snmp-server view view-name MIB-name included
Creates an SNMP view that includes the CISCO-TAP2-MIB (where exampleView is the name of the view to create for the MIB). This MIB is required for both regular and broadband lawful intercept.
Example: Router(config)# snmp-server view exampleView ciscoTap2MIB included

Step 4: snmp-server view view-name MIB-name included
Adds the
CISCO-IP-TAP-MIB to the SNMP view Example: Router(config)# snmp-server view exampleView ciscoIpTapMIB included Step snmp-server view view-name MIB-name included Adds the CISCO-802-TAP-MIB to the SNMP view Example: Router(config)# snmp-server view exampleView cisco802TapMIB included Step snmp-server view view-name MIB-name included Adds the CISCO-USER-CONNECTION-TAP-MIB to the SNMP view Example: Router(config)# snmp-server view exampleView ciscoUserConnectionTapMIB included Step snmp-server view view-name MIB-name included Adds the CISCO-MOBILITY-TAP-MIB to the SNMP view Example: Router(config)# snmp-server view exampleView ciscoMobilityTapMIB included Step snmp-server group group-name v3 auth read view-name write view-name Example: Router(config)# snmp-server group exampleGroup v3 auth read exampleView write exampleView Creates an SNMP user group that has access to the LI MIB view and defines the group’s access rights to the view Lawful Intercept Architecture How to Configure Lawful Intercept Step Command or Action Purpose snmp-server user user-name group-name v3 auth md5 auth-password Adds users to the specified user group Example: Router(config)# snmp-server user exampleUser exampleGroup v3 auth md5 examplePassword Step 10 Exits the current configuration mode and returns to privileged EXEC mode end Example: Router(config)# end Where to Go Next The mediation device can now access the lawful intercept MIBs and issue SNMP set and get requests to configure and run lawful intercepts on the router To configure the router to send SNMP notification to the mediation device, see the “Enabling SNMP Notifications for Lawful Intercept” section on page Enabling SNMP Notifications for Lawful Intercept SNMP automatically generates notifications for lawful intercept events To configure the router to send lawful intercept notifications to the mediation device, perform the steps in this section Prerequisites • You must issue the commands in global configuration mode with level-15 
access rights.
• SNMPv3 must be configured on the router.

SUMMARY STEPS

1. enable
2. configure terminal
3. snmp-server host ip-address community-string udp-port port notification-type
4. snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
5. end

DETAILED STEPS

Step 1: enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example: Router> enable

Step 2: configure terminal
  Enters global configuration mode.
  Example: Router# configure terminal

Step 3: snmp-server host ip-address community-string udp-port port notification-type
  Specifies the IP address of the mediation device and the password-like community-string that is sent with a notification request. For lawful intercept, the udp-port must be 161 and not 162 (the SNMP default).
  Example: Router(config)# snmp-server host 10.2.2.1 community-string udp-port 161 udp

Step 4: snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  Configures the router to send RFC 1157 notifications to the mediation device. These notifications indicate authentication failures, link status (up or down), and router restarts.
  Example: Router(config)# snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

Step 5: end
  Exits the current configuration mode and returns to privileged EXEC mode.
  Example: Router(config)# end

Disabling SNMP Notifications

To disable SNMP notifications on the router, perform the steps in this section.

Note: To disable lawful intercept notifications, use SNMPv3 to set the CISCO-TAP2-MIB object cTap2MediationNotificationEnable to false(2). To reenable lawful intercept notifications through SNMPv3, reset the object to true(1).

SUMMARY STEPS

1. enable
2. configure terminal
3. no snmp-server enable traps
4. end

DETAILED STEPS

Step 1: enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example: Router> enable

Step 2: configure terminal
  Enters global configuration mode.
  Example: Router# configure terminal

Step 3: no snmp-server enable traps
  Disables all SNMP notification types that are available on your system.
  Example: Router(config)# no snmp-server enable traps

Step 4: end
  Exits the current configuration mode and returns to privileged EXEC mode.
  Example: Router(config)# end

Enabling RADIUS Session Intercepts

There are no user CLI commands available to provision the mediation device or taps. However, to enable the intercepts through the CISCO-TAP-MIB, you must configure the system to make the account-session-id value available to the mediation device. To enable RADIUS session intercepts on the router, perform the steps in this section.

SUMMARY STEPS

1. enable
2. configure terminal
3. aaa intercept
4. aaa authentication ppp default group radius
5. aaa accounting delay-start all
6. aaa accounting send stop-record authentication failure
7. aaa accounting network default start-stop group radius
8. radius-server attribute 44 include-in-access-req
9. radius-server host host-name
10. aaa server radius dynamic-author
11. client ip-address
12. server-key word
13. port port-number
14. exit
15. end

DETAILED STEPS

Step 1: enable
  Enables privileged EXEC mode. Enter your password if prompted.
  Example: Router> enable

Step 2: configure terminal
  Enters global configuration mode.
  Example: Router# configure terminal

Step 3: aaa intercept
  Enables lawful intercept on the router.
  Note: Associate this command with a high administrative security level to ensure that unauthorized users cannot stop intercepts by removing this command.
  Example: Router(config)# aaa intercept

Step 4: aaa authentication ppp default group radius
  Specifies the authentication method to use on the serial interfaces that are running Point-to-Point Protocol (PPP).
  Note: This command is required because tap information resides only on the RADIUS server. You can authenticate with locally configured information, but you cannot specify a tap with locally configured information.
  Example: Router(config)# aaa authentication ppp default group radius

Step 5: aaa accounting delay-start all
  Delays the generation of accounting start records until the user IP address is established. Specifying the all keyword ensures that the delay applies to all VRF and non-VRF users.
  Note: This command is required so that the mediation device can see the IP address assigned to the target.
  Example: Router(config)# aaa accounting delay-start all

Step 6: aaa accounting send stop-record authentication failure
  (Optional) Generates accounting stop records for users who fail to authenticate while logging in or during session negotiation. If a lawful intercept action does not start the tap, the stop record contains Acct-Termination-Cause, attribute 49, set to 15 (Service Unavailable).
  Note: This command is required only to determine the reason why a tap did not start.
  Example: Router(config)# aaa accounting send stop-record authentication failure

Step 7: aaa accounting network default start-stop group radius
  (Optional) Enables accounting for all network-related service requests.
  Example: Router(config)# aaa accounting network default start-stop group radius

Step 8: radius-server attribute 44 include-in-access-req
  (Optional) Sends RADIUS attribute 44 (Accounting Session ID) in access request packets before user authentication (including requests for preauthentication).
  Note: Enter this command to obtain attribute 44 from the Access-Request packet. Otherwise you will have to wait for the accounting packets to be received before you can determine the value of attribute 44.
  Example: Router(config)# radius-server attribute 44 include-in-access-req

Step 9: radius-server host host-name
  (Optional) Specifies the RADIUS server host.
  Example: Router(config)# radius-server host host1

Step 10: aaa server radius
dynamic-author
  Configures a device as an Authentication, Authorization, and Accounting (AAA) server to facilitate interaction with an external policy server and enters dynamic authorization local server configuration mode.
  Note: This command is optional if taps are always started when a session starts. The command is required if CoA-Requests are used to start and stop taps in existing sessions.
  Example: Router(config)# aaa server radius dynamic-author

Step 11: client ip-address
  (Optional) Specifies a RADIUS client from which the device will accept CoA-Request packets.
  Example: Router(config-locsvr-da-radius)# client 10.0.0.2

Step 12: server-key word
  (Optional) Configures the RADIUS key to be shared between a device and RADIUS clients.
  Example: Router(config-locsvr-da-radius)# server-key samplekey

Step 13: port port-number
  (Optional) Specifies the port on which the device listens for CoA-Request packets from RADIUS clients.
  Example: Router(config-locsvr-da-radius)# port 1600

Step 14: exit
  Exits dynamic authorization local server configuration mode and returns to global configuration mode.
  Example: Router(config-locsvr-da-radius)# exit

Step 15: end
  Exits the current configuration mode and returns to privileged EXEC mode.
  Example: Router(config)# end

Configuration Examples for Lawful Intercept

The following examples are provided to show how to configure lawful intercept:

• Enabling Mediation Device Access to Lawful Intercept MIBs: Example
• Enabling RADIUS Session Lawful Intercept: Example

Enabling Mediation Device Access to Lawful Intercept MIBs: Example

The following example shows how to enable the mediation device to access the lawful intercept MIBs. It creates an SNMP view (tapV) that includes three LI MIBs (CISCO-TAP2-MIB, CISCO-IP-TAP-MIB, CISCO-802-TAP-MIB). It also creates a user group that has read, write, and notify access to MIBs in the tapV view.

snmp-server view tapV ciscoTap2MIB included
snmp-server view tapV ciscoIpTapMIB included
snmp-server view tapV cisco802TapMIB included
snmp-server group tapGrp v3 auth read tapV write tapV notify tapV
snmp-server user ss8user tapGrp v3 auth md5 ss8passwd
snmp-server engineID local 1234

Enabling RADIUS Session Lawful Intercept: Example

The following example shows the configuration of a RADIUS-based lawful intercept solution on a router acting as a network access server (NAS) device employing a PPPoEoA link:

aaa new-model
!
aaa intercept
!
aaa group server radius SG
 server 10.0.56.17 auth-port 1645 acct-port 1646
!
aaa authentication login LOGIN group SG
aaa authentication ppp default group SG
aaa authorization network default group SG
aaa accounting send stop-record authentication failure
aaa accounting network default start-stop group SG
!
aaa server radius dynamic-author
 client 10.0.56.17
 server-key cisco
!
vpdn enable
!
bba-group pppoe PPPoEoA-TERMINATE
 virtual-template
!
interface Loopback0
 ip address 10.1.1.2 255.255.255.0
!
interface GigabitEthernet4/1/0
 description To RADIUS server
 ip address 10.0.56.20 255.255.255.0
 duplex auto
!
interface GigabitEthernet4/1/2
 description To network
 ip address 10.1.1.1 255.255.255.0
 duplex auto
!
interface GigabitEthernet5/0/0
 description To subscriber
 no ip address
!
interface GigabitEthernet5/0/0.10
 encapsulation dot1q 10
 protocol pppoe group PPPoEoA-TERMINATE
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp authentication chap
!
radius-server attribute 44 include-in-access-req
radius-server attribute nas-port format d
radius-server host 10.0.56.17 auth-port 1645 acct-port 1646
radius-server key cisco

Additional References

The following sections provide references related to the Lawful Intercept feature.

Related Documents

  Related Topic: Configuring SNMP Support. Document Title: Configuring SNMP Support
  Related Topic: Security commands. Document Title: Cisco IOS Security Command Reference

Standards

  PacketCable™ Control Point Discovery Interface Specification (PKT-SP-CPD-I02-061013)

MIBs

  • CISCO-802-TAP-MIB
  • CISCO-IP-TAP-MIB
  • CISCO-MOBILITY-TAP-MIB
  • CISCO-TAP2-MIB
  • CISCO-USER-CONNECTION-TAP-MIB

  To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

  RFC 2865: Remote Authentication Dial In User Service (RADIUS)
  RFC 3576: Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
  RFC 3924: Cisco Architecture for Lawful Intercept in IP Networks

Technical Assistance

  The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies: http://www.cisco.com/techsupport

  To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Feature Information for Lawful Intercept

The following table lists the release history for this feature. Not all commands may be available in your
Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note: The table lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

Table: Feature Information for Lawful Intercept

Feature Name: Lawful Intercept
Releases: 12.0(32)S, 12.2(31)SB2, 12.2(33)SRB, 12.2(33)SXH, 12.4(22)T, Cisco IOS XE 2.4, 15.0(1)M
Feature Information: The Lawful Intercept (LI) feature supports service providers in meeting the requirements of law enforcement agencies to provide the ability to intercept VoIP or data traffic going through the edge routers. In 12.0(32)S, this feature was introduced. This feature was integrated into Cisco IOS Release 12.2(31)SB2. This feature was integrated into Cisco IOS Release 12.2(33)SRB. This feature was integrated into Cisco IOS Release 12.2(33)SXH. This feature was integrated into Cisco IOS Release 12.4(22)T. This feature was implemented on the Cisco ASR 1000 series routers. In Cisco IOS Release 15.0(1)M, support was added for intercepting IP packets on ATM interfaces and for IPv6-based lawful intercepts. For more information, see the “LI of IP Packets on ATM Interfaces” and “IPv6 Based Lawful Intercepts” sections.

Feature Name: VRF Aware LI (Lawful Intercept)
Releases: Cisco IOS XE 2.4
Feature Information: This feature was implemented on the Cisco ASR 1000 series routers.

Feature Name: RADIUS-based Lawful Intercept
Releases: Cisco IOS XE 2.4
Feature Information: This feature was implemented on the Cisco ASR 1000 series routers.
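The stop records described in step 6 of the RADIUS session intercept procedure above, as an added example that is not part of the guide: a Python decoder for constructed RADIUS Accounting-Request packets (RFC 2866 attribute layout) that lists the sessions whose Acct-Terminate-Cause is 15, Service Unavailable, so that a monitoring job can surface taps that did not start. The packets are built inline with a zeroed authenticator; no shared secret or RADIUS server is involved.

```python
"""Find accounting stop records that signal a tap which did not start.

Added example, not from the guide.  Decodes RADIUS Accounting-Request
packets (RFC 2866 attribute layout) and reports Acct-Stop records whose
Acct-Terminate-Cause (attribute 49) is 15, Service Unavailable, the value
the router uses when the intercept action does not start the tap.  The
sample packets are constructed inline; the authenticator is zeroed and not
verified, since no shared secret is involved.
"""
import struct
from typing import Dict, List, Tuple

ACCOUNTING_REQUEST = 4
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_TERMINATE_CAUSE = 40, 44, 49
ACCT_STOP = 2
SERVICE_UNAVAILABLE = 15


def build_acct_request(attrs: List[Tuple[int, bytes]], ident: int = 1) -> bytes:
    """Assemble a RADIUS Accounting-Request: header, zero authenticator, AVPs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = 20 + len(body)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, length) + bytes(16) + body


def parse_attrs(packet: bytes) -> Dict[int, bytes]:
    """Return {attribute type: value} for one RADIUS Accounting-Request."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def failed_tap_sessions(packets: List[bytes]) -> List[str]:
    """Acct-Session-Ids of stop records carrying Service Unavailable."""
    found = []
    for pkt in packets:
        a = parse_attrs(pkt)
        status = struct.unpack("!I", a.get(ACCT_STATUS_TYPE, b"\0\0\0\0"))[0]
        cause = struct.unpack("!I", a.get(ACCT_TERMINATE_CAUSE, b"\0\0\0\0"))[0]
        if status == ACCT_STOP and cause == SERVICE_UNAVAILABLE:
            found.append(a.get(ACCT_SESSION_ID, b"").decode("ascii", "replace"))
    return found


# Constructed sample: a normal stop (cause 1, User Request) and one stop
# whose tap did not start (cause 15).
SAMPLE_PACKETS = [
    build_acct_request([(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP)),
                        (ACCT_SESSION_ID, b"00000001"),
                        (ACCT_TERMINATE_CAUSE, struct.pack("!I", 1))], 1),
    build_acct_request([(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP)),
                        (ACCT_SESSION_ID, b"00000002"),
                        (ACCT_TERMINATE_CAUSE, struct.pack("!I", SERVICE_UNAVAILABLE))], 2),
]

if __name__ == "__main__":
    print("tap did not start for sessions:", failed_tap_sessions(SAMPLE_PACKETS))
```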
© 2005–2009 Cisco Systems, Inc. All rights reserved.