Lawful Intercept

An important carrier class feature that is being introduced on the vSZ-D/SZ100-D is to support Lawful Intercept requirements.

These are slowly becoming mandatory and stringent on SP-WiFi deployments where Service Providers need to meet the CALEA standard requirements.

RUCKUS vSZ-D/SZ100-D now supports the ability to identify a device that has a LI warrant issued against it and mirror the client data traffic to a LIG (Lawful Intercept Gateway) that is hosted in the SP’s data center over L2oGRE.

The figure below illustrates the high level architecture that is supported for Lawful Intercept capabilities. It aslo depicts an architecture where smaller sites (with lesser number of APs) that do not need data tunneling to vSZ-D/SZ100-D (depicted as Multi-AP and Single AP sites) but need Lawful Intercept. On the other side is a large enterprise site with large number of APs and need tunneling (depicted as Enterprise site with vSZ-D/SZ100-D on premise) with Lawful intercept.

Note: As mentioned in this document, the flexibility of the RUCKUS vSZ/vSZ-D architecture is that WiFi service providers can deploy the vSZ-D/SZ100-D only on premises where there is a need (typically larger venues) for tunneling.

The RUCKUS architecture simply involves spinning up a vSZ-D/SZ100-D instance at the central data center and designate that vSZ-D/SZ100-D instance as a CALEA mirroring agent. All of this configuration is centrally managed through the vSZ. Once the network is setup appropriately, when a client device with a matching MAC address that has a warrant is detected on any of the access sites, the APs (or the vSZ-D/SZ100-D) will mirror the packets to the vSZ-D (CALEA Mirroring agent) in the DC which will then forward the traffic to the LIG (Lawful Intercept Gateway) either in the DC or SP DC.

Figure 1. Usage of Lawful Intercept