Filter configuration is accessible to both the LI operator and regular system administrators. If a filter list is subject to an LI operation and a filter included in that list is used by an LI operator, its contents cannot be modified unless the li-filter-lock-state is unlocked; see Configurable filter lock for Lawful Intercept. If a modification is attempted, an LI event is generated. An LI source can contain many LI filter entries. In general, an LI source can only associate with one mirror destination service. A mirror destination can be associated with one source: a debug mirror source, a config mirror source, or an LI mirror source. When a mirror destination is referenced by a source, the mirror destination cannot be referenced again.
In the configuration, when an LI operator specifies that an entry must be used as an LI entry, this fact is hidden from all non-LI operators. Modification of a filter entry is not allowed if it is used by LI; see Configurable filter lock for Lawful Intercept. However, an event is generated, directed to the LI operator, indicating that the filter has been compromised.
A debug mirror source has the lowest priority compared to both a config mirror source and an LI source. For example, when a SAP is referenced in a debug mirror source, it is still possible for a config mirror source or LI source to reference the same SAP; when that happens, the debug mirror source SAP is silently deleted.
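The destination and priority rules above, modeled as an added Python example (not vendor code or CLI syntax). The `MirrorSource` record, the `apply_source` helper, and the SAP and service IDs are hypothetical and constructed; only the two rules stated in the text are modeled.

```python
from dataclasses import dataclass, field


@dataclass
class MirrorSource:
    kind: str                 # "debug", "config" or "li"
    dest_service: int         # mirror destination service ID
    saps: set = field(default_factory=set)


def apply_source(existing, new):
    """Add `new` to `existing` under the rules stated in the text.

    Returns (sources, evicted). `evicted` lists (debug dest_service, sap)
    pairs that were silently removed from debug mirror sources.
    Debug sources in `existing` are updated in place.
    """
    # Rule 1: a mirror destination that is already referenced by a source
    # cannot be referenced again, whatever the kind of the second source.
    for src in existing:
        if src.dest_service == new.dest_service:
            raise ValueError(
                f"mirror destination {new.dest_service} is already "
                f"referenced by a {src.kind} mirror source"
            )

    # Rule 2: debug has the lowest priority. A config or LI source may
    # reference a SAP that a debug source already uses; the debug entry
    # is then removed without any error being raised.
    evicted = []
    if new.kind in ("config", "li"):
        for src in existing:
            if src.kind == "debug":
                for sap in sorted(src.saps & new.saps):
                    src.saps.discard(sap)
                    evicted.append((src.dest_service, sap))

    return existing + [new], evicted


if __name__ == "__main__":
    # Constructed sample: one debug source mirroring two SAPs to service 10.
    debug = MirrorSource("debug", 10, {"1/1/1:100", "1/1/1:200"})
    li = MirrorSource("li", 20, {"1/1/1:100"})
    sources, evicted = apply_source([debug], li)
    print("silently removed from debug:", evicted)
    print("debug source now mirrors:", sorted(debug.saps))
```

An operator whose debug mirror stops capturing a SAP without any error can use this model to check whether a higher-priority source would account for it.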
The following order applies for both ingress and egress traffic:
port mirroring (debug only)
SAP mirroring (debug or LI)
subscriber mirroring (debug or LI) for the 7450 ESS and 7750 SR
filter mirroring (debug or LI)
For frames from network ports:
port mirroring (debug only)
label mirroring (debug only, ingress only)
filter mirroring (debug or LI)
Filters can be created by all users that have access to the relevant CLI branches.
When an LI mirror source using a specific service ID is created and is in the no shutdown state, the corresponding mirror destination on the node cannot be modified (including shutdown/no shutdown commands) or deleted.
In the separate mode, the anonymity of the source is protected. After a source criterion is attached to the LI source, the following applies:
In SAP configurations, only modifications that stop the flow of LI data while the customer receives data are blocked, unless the li-filter-lock-state is unlocked; see Configurable filter lock for Lawful Intercept.
In filter configurations, if a filter entry is attached to the LI source, modification and deletion of both the filter and the filter entry are blocked.