L2-Aware NAT

When Layer 3 encapsulation is configured as the mirror destination for an L2-Aware NAT subscriber, the mirror destination must be of type ip-only and the encapsulation must be of type ip-udp-shim. For L2-Aware NAT, it is possible to assign the same inside private IPv4 address to all subscribers, so the inside address may not identify a single subscriber. It is therefore preferable to intercept the L2-Aware NAT subscriber using the outside IP address instead. This can be accomplished from both RADIUS and CLI as described in the following table.

Table: Use of inside and outside IPs for LI

| Access method | Lawful Intercept to use host inside IP address | Lawful Intercept to use host outside IP address |
|---|---|---|
| CLI access | 1. Configure the subscriber ID under config>li>li-source>nat>l2-aware-sub. 2. Configure the LI IP filter through the subscriber SLA profile. The command config>li>use-outside-ip-address does not apply to CLI configured LI targets. | Configure the subscriber ID under config>li>li-source>nat>l2-aware-sub. The command config>li>use-outside-ip-address does not apply to CLI configured LI targets. |
| RADIUS access | 1. Ensure config>li>use-outside-ip-address is disabled. Use RADIUS Acct-Session-Id, subscriber-id, and so on, to enable the LI session. 2. If config>li>use-outside-ip-address is enabled, when enabling LI via RADIUS, the VSA "Alc-LI-Use-Outside-IP = false" must be included. | 1. Ensure config>li>use-outside-ip-address is enabled. Use RADIUS Acct-Session-Id, subscriber-id, and so on, to enable the LI session. 2. If config>li>use-outside-ip-address is disabled, when enabling LI via RADIUS, the VSA "Alc-LI-Use-Outside-IP = true" must be included. |

When the RADIUS VSA Alc-LI-Use-Outside-IP is used, the configuration config>li>use-outside-ip-address is ignored.

Alc-Use-Outside-IP is only supported when the mirror destination service is configured with Layer 3 encapsulation.

L2-Aware subscribers do not support the LI RADIUS VSAs Alc-LI-FC and Alc-LI-Direction. When an L2-Aware subscriber is subjected to LI via CLI or RADIUS, dual stack traffic is mirrored.