[c-nsp] Tapping a PPPoVPDN and/or PPPoE subscriber session the ASR1000
Mike
mike-cisconsplist at tiedyenetworks.com
Wed Sep 10 16:28:52 EDT 2014
On 09/09/2014 06:46 AM, Christian Schmit wrote:
> Hi,
>
> Legal authorities require that upon request we provide them with pcap
> files of a PPPoVPDN or PPPoE subscriber session we terminate on ASR1000
> devices.
>
> I need to limit the captured data to a specific subscriber/IP address.
>
> So far I looked into:
>
> - SPAN: on the ASR1000 SPAN does not seem to offer the possibility to
> apply an IP access list to the SPAN session
> - EPC: EPC can only collect data until the buffer is full which is by far
> too small if a session needs to be captured/monitored over weeks
> - LI feature: For using the lawful intercept (LI) feature of the ASR a
> mediation device is required which we do not have
>
> Any hints will be appreciated.
>
> thanks,
> Christian
>
>
We implemented a solution for this.
In house we have a tool that is able to grok subscribers by name/dsl or
dhcp circuit id/ip address, and determine their mac address. This mac
address then is simply used in a tcpdump on a span port and picks out
exactly and only that subscriber's traffic. The typical case is you only
really need to know the single mac address because most subscribers are
using either a single PC or router to which all of their traffic winds
up. Typically we are using it to assist customers with setup or
configuration issues (no substitute for packets!) and it's quite effective.
Mike
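
The approach described in the reply above, sketched as an added example (not part of the original post and not the in-house tool it mentions): normalize the subscriber's MAC, build the tcpdump filter, and rotate output files so a capture can run for weeks. The function names, the hourly rotation and the file naming are assumptions, and the MAC lookup by subscriber name or circuit ID is not shown.

```shell
#!/bin/sh
# Added example: capture one subscriber's frames from a SPAN port by MAC.
# Function names, rotation interval and file naming are assumptions.

# Accept aabb.ccdd.eeff (Cisco), aa-bb-cc-dd-ee-ff or aa:bb:cc:dd:ee:ff
# and print the colon form that pcap filters expect. Returns 1 if invalid.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr -d '.:-' | tr 'A-F' 'a-f')
    case "$hex" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# "ether host" matches source or destination in the Ethernet header, so it
# selects the subscriber's frames in both directions, whatever the payload
# (PPPoE discovery, PPPoE session, plain IP).
subscriber_filter() {
    mac=$(normalize_mac "$1") || return 1
    printf 'ether host %s\n' "$mac"
}

# Write full-size packets to a new timestamped file every hour, so the
# capture is not bounded by a buffer and old files can be archived.
start_capture() {
    iface=$1; outdir=$3
    filter=$(subscriber_filter "$2") || { echo "bad MAC: $2" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    exec tcpdump -i "$iface" -n -s 0 -G 3600 \
        -w "$outdir/subscriber-%Y%m%d-%H%M%S.pcap" "$filter"
}

# Usage: capture.sh <span-interface> <subscriber-mac> <output-dir>
if [ "$#" -eq 3 ]; then
    start_capture "$@"
fi
```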