Page tree
Skip to end of metadata
Go to start of metadata

The Client INTERNET Link offering is implemented using a virtual private network (VPN) connection. A VPN is a secure, point-to-point connection between a client and the CME Group data centers. VPN traffic is carried over the Internet using secure tunneling technology. Customers will be configured with a VPN to CME Group's production data center.

Client INTERNET Link - Aurora. Offering only provides access to F&O services.

  • F&O’s VPN equipment is separate from BrokerTec Client INTERNET Link services. 
  • Client INTERNET Link customers around the globe will utilize the internet to connect to F&O’s VPN equipment located in North America. 

Client INTERNET Link - Secaucus. Offering only provides access to BTEC US services.

  • BrokerTec US’ VPN equipment is separate from BrokerTec EU and F&O’s Client INTERNET Link services. 
  • BrokerTec US customers use the Internet to connect to BTEC’s US VPN equipment located in North America.

Client INTERNET Link - Slough. Offering only provides access to BTEC EU services.

  • BrokerTec EU’s VPN equipment is separate from BrokerTec US and F&O’s Client INTERNET Link services. 
  • Client INTERNET Link customers will use the Internet to connect to BTEC’s EU VPN equipment located in Europe.


A VPN connection is created using IPSec, the Internet standard protocol for tunneling, encryption, and authentication. It protects data traffic by addressing basic usage issues, including:

  • Access control
  • Connection integrity
  • Authentication of data origin
  • Protections against replays
  • Traffic flow confidentiality

The technique used to protect data being transmitted over the Internet is encryption. Data is scrambled (encrypted) when transmitted then it is unscrambled (decrypted) when it is received. An encryption algorithm determines how the data is encrypted and decrypted.

A key is the secret code that the encryption algorithm uses to create a unique version of encrypted data. Keys are rated by their cryptographic strength. The cryptographic strength of a key refers to the length of the key in bits.
The Internet Key Exchange (IKE) management protocol standard is used in conjunction with the IPSec standard. IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside the Internet security association and key management protocol (ISAKMP) framework. IKE authenticates the IPSec peers, negotiates IPSec keys, and negotiates Security Associations (SAs).
For site-to-site VPN connections, peer devices must authenticate one another before IPSec communications can occur. CME Group uses a Pre-Shared Key (PSK) for device authentication. PSK is the most efficient IKE authentication mechanism.
A unique PSK is the most secure type of PSK since it is tied to a specific IP address. This is ideal for site-to-site VPNs where the identity of the peer device is always known. CME Group will generate and provide customers with a unique key.

Please review the prerequisites below to determine any services, addressing tasks, software, or hardware that your firm must have available or complete prior to enabling connectivity for Client INTERNET Link. All IP packets destined for CME Group must be sourced from CME Group-assigned private address space. CME Group will not accept traffic sourced from any customer’s public IP space. If internal resources are not available, customers are responsible for engaging resources to establish and support connectivity to CME Group.

Customers must provide a high-speed connection to the Internet. The connection must meet the following criteria:

  • The registered IP address must be static and publicly routable on the Internet.
  • Internet with bandwidth at least equal to the CIL subscriber rate
  • Your Internet service provider (ISP) must support VPN protocols.

The VPN software on your device or service must support the following encryption requirements:

  • PSK for Internet Security Association and Key Management Protocol (ISAKMP)/IKE
  • 3DES/SHA1 encryption or stronger for phase 1
  • AES256/SHA1 encryption or stronger for phase 2

The device prerequisites vary slightly depending on whether existing devices will be leveraged. The following sections describe the two tunneling configuration options that can be used to create the VPN. To support MDP redundancy, you may want to configure a second device.

  • Option 1 uses separate units for VPN and GRE tunneling.
  • Option 2 uses a single unit for VPN and GRE tunneling.

Customers that choose to utilize a device or service that does not support GRE tunnel encapsulation, will have to separate the IPsec and GRE termination between 2 endpoints.

Figure: Customer-Side Connections for Option 1
This option requires separate VPN and GRE tunneling endpoints.

New CME Group customers and those CME Group customers without previous experience accessing the CME Group production environment may be building a CME Group connection for the first time. Therefore, these users have the opportunity to incorporate a device or service combining VPN and GRE technologies. 

Figure: Customer-Side Connections for Option 2
This option requires a device or service capable of the following: ipsec/isakmp crypto, ip multicast, GRE (for market data) CME Group does not make hardware or software recommendations. Customers should contact their network vendor.

The customer routers must be configured to PIM (protocol independent multicast) sparse mode (PIM-SM). PIM-SM uses an explicit request approach, where a router has to ask for the multicast feed with a PIM Join message. PIM-SM allows customer to more precisely control traffic, especially if you have large volumes of IP multicast traffic compared to your bandwidth. PIM-SM scales well because packets only go where they are needed, and because it creates state in routers only as needed. The assigned CME Networking engineer provides the data center IP addresses.

On each customer side router, such as Customer-Managed Router 1, define the IP address of the corresponding rendezvous point. The CME Group account representative provides the rendezvous point IP addresses.

The route, or path, of the data feed must be static between each data center and customer-managed router. Customers must define certain router features to ensure the predictability of this path.