[c-nsp] Tapping a PPPoVPDN and/or PPPoE subscriber session the ASR1000

Mike mike-cisconsplist at tiedyenetworks.com
Wed Sep 10 16:28:52 EDT 2014

On 09/09/2014 06:46 AM, Christian Schmit wrote:
> Hi,
>   Legal authorities require that upon request we provide them with pcap
> files of a PPPoVPDN or PPPoE subscriber session we terminate on ASR1000
> devices.
>   I need to limit the captured data to a specific subscriber/IP address.
>   So far I looked into:
>   - SPAN: on the ASR1000 SPAN does not seem to offer the possibility to
> apply an IP access list to the SPAN session
>   - EPC: EPC can only collect data until the buffer is full which is by far
> to small if a session needs to be captured/monitored over weeks
>   - LI feature: For using the lawful intercept (LI) feature of the ASR a
> mediation device is required which we do not have
>   Any hints will be appreciated.
>   thanks,
>   Christian
We implemented a solution for this.

In house we have a tool that is able to grok subscribers by name/dsl or 
dhcp circuit id/ip address, and determine their mac address. This mac 
address then is simply used in a tcpdump on a span port and picks out 
exactly and only that subscriber's traffic. The typical case is you only 
really need to know the single mac address because most subscribers are 
using either a single PC or router to which all of their traffic winds 
up. Typically we are using it to assist customers with setup or 
configuration issues (no substitute for packets!) and it's quite effective.


More information about the cisco-nsp mailing list