Page tree
Skip to end of metadata
Go to start of metadata

To align CME Group regulatory compliance and business continuity planning strategies, CME Group provides a redundant, Out of Region Disaster Recovery (DR) facility for production failover in the event of a large-scale disruption to CME Group Production and DR data centers.

In the event that connectivity to both Chicago area datacenters is lost due to a catastrophic event, customers who subscribe to CME NYDR VPN, can access CME Globex via a CME NYDR VPN connection.

CME NYDR VPN is implemented using a virtual private network (VPN) connection. A VPN is a secure, point-to-point connection between a client and the CME Group out of Region data center. Unlike a direct Wide Area Network (WAN) connection over a costly, leased facility, VPN traffic is carried over the Internet using tunneling technology.  A single router is used to establish connectivity between the client-managed router and the CME Group out of Region Data Center.

Technical Overview
Requirements

Please review the prerequisites below to determine any services, addressing tasks, software, or hardware that customers must have available or complete prior to enabling connectivity for CME NYDR VPN access to the CME production environment.

CME Group does not require customers to use specific consultant vendors. If internal resources are not available, customers are responsible for engaging resources to establish and support connectivity to CME Group.
Internet Requirements

Customers must provide a high-speed connection to the Internet. The connection must meet the following requirements:

  • Internet connection with static public IP address routable on the internet
  • Internet service provider that supports VPN protocols
Software Requirements

The VPN software on your device or service must support the following encryption requirements:

  • PSK for Internet Security Association and Key Management Protocol (ISAKMP)/IKE
  • 3DES/SHA1 encryption or stronger for phase 1
  • AES256/SHA1 encryption or stronger phase 2
Device Requirements

The device prerequisites vary slightly depending on whether existing devices will be leveraged. The following sections describe the three tunneling configuration options that can be used to create the VPN. 

  • Option 1 uses separate units for VPN and GRE tunneling
  • Option 2 uses a single unit for VPN and GRE tunneling
  • Option 3 uses a single unit for VPN tunneling
Option 1: Separate Units for VPN IPSEC and GRE Tunneling

Customers wishing to subscribe to market data that choose to utilize a device or service that does not support GRE tunnel encapsulation, will have to separate the IPsec and GRE termination between 2 endpoints.

Option 2: Combined Units for VPN IPSEC and GRE Tunneling

Customers wishing to subscribe to market data may choose to combine IPSEC and GRE termination into a single device or service.

Option 3: Single Unit for VPN IPSEC only

Customers not wishing to subscribe to market data do not require GRE capability.


CME NYDR VPN Connectivity Procedures

For CME NYDR VPN connectivity, a Cisco IOS configuration is presented as a guide only and must be adapted to other situations as required. There are two options available: With Market Data and Without Market Data.

Customer NYDR Configuration Template
Configuration with Market Data
crypto isakmp policy 1

 encr aes

 authentication pre-share

 

crypto ipsec transform-set cmevpn esp-aes esp-sha-hmac

 

crypto isakmp key <CME Assigned PSK> address x.x.x.x

crypto isakmp keepalive 60

 

crypto map cmevpn 1 ipsec-isakmp

 set peer x.x.x.x

 set transform-set cmevpn

 match address xxx

 

< MD ONLY> interface Loopback100

 ip address <CME Assigned Loopback ADC> 255.255.255.255

 

<MD ONLY> interface Tunnel100

 description NYDR

 ip address x.x.x.x y.y.y.y

 ip pim sparse-mode

 tunnel source x.x.x.x

 tunnel destination x.x.x.x

 

 

interface FastEthernet0/0

Desc LAN Interface

 ip address <CME Assigned LAN Address/mask>

 <MD ONLY> ip pim sparse-mode

 

 

interface FastEthernetx/x

 description to Internet

 ip address <Customer Public IP Address ADC>

 crypto map cmevpn

 

 

<MD ONLY> ip pim rp-address x.x.x.x NYDR_WAN override

 

 

ip route 0.0.0.0 0.0.0.0 (Next Hop To Internet)

 

 

<MD ONLY> ip route x.x.x.x y.y.y.y Tunnel100

<MD ONLY> ip mroute x.x.x.x y.y.y.y Tunnel100

 

 

<B-Feed MD ONLY> ip access-list standard NYDR_WAN

permit 233.119.160.64 0.0.0.63

permit 233.72.75.64 0.0.0.63


permit 224.0.27.0 0.0.0.255

permit 224.0.32.0 0.0.0.255

permit 224.0.34.0 0.0.0.255

deny   any

 

 

ip access-list extended 100

 permit ip <CME Assigned LAN Network Address/Mask>  <CME NETWORK/Mask>

 permit ip <CME Assigned LAN Network Address/Mask>  <CME NETWORK/Mask>

 permit ip <CME Assigned LAN Network Address/Mask>  <CME NETWORK/Mask>

 permit ip <CME Assigned LAN Network Address/Mask>  <CME NETWORK/Mask>

 permit icmp <Customer Assigned LAN Address/Mask> host x.x.x.x ßVPN Test Ping

<MD ONLY> permit gre host x.x.x.x host x.x.x.x
Configuration without Market Data
crypto isakmp policy 1

 encr aes

 authentication pre-share

 

crypto ipsec transform-set cmevpn esp-aes esp-sha-hmac

 

crypto isakmp key <CME Assigned PSK> address x.x.x.x

crypto isakmp keepalive 60

 

crypto map cmevpn 1 ipsec-isakmp

 set peer x.x.x.x

 set transform-set cmevpn

 match address xxx

 

interface FastEthernet0/0

Desc LAN Interface

 ip address <CME Assigned LAN Address/mask>

 

interface FastEthernetx/x

 description to Internet

 ip address <Customer Public IP Address ADC>

 crypto map cmevpn

 

ip route 0.0.0.0 0.0.0.0 (Next Hop To Internet)

 

ip access-list extended 100

 permit ip <CME Assigned LAN Network Address/Mask>  <CME NETWORK/Mask>

 permit ip <CME Assigned LAN Network Address/Mask>  <CME NETWORK/Mask>

 permit ip <CME Assigned LAN Network Address/Mask>  <CME NETWORK/Mask>

 permit ip <CME Assigned LAN Network Address/Mask>  <CME NETWORK/Mask>

 permit icmp <Customer Assigned LAN Address/Mask> host x.x.x.x
Testing CME NYDR VPN

Customers will be provided an address to ping in order to verify and validate the health of their VPN IPSEC connectivity when CME Group is not in a DR scenario.