To align CME Group regulatory compliance and business continuity planning strategies, CME Group provides a redundant, Out of Region Disaster Recovery (DR) facility for production failover in the event of a large-scale disruption to CME Group Production and DR data centers.
In the event that connectivity to both Chicago area datacenters is lost due to a catastrophic event, customers who subscribe to CME NYDR VPN, can access CME Globex via a CME NYDR VPN connection.
CME NYDR VPN is implemented using a virtual private network (VPN) connection. A VPN is a secure, point-to-point connection between a client and the CME Group out of Region data center. Unlike a direct Wide Area Network (WAN) connection over a costly, leased facility, VPN traffic is carried over the Internet using tunneling technology. A single router is used to establish connectivity between the client-managed router and the CME Group out of Region Data Center.
Table of Contents |
---|
Technical Overview
Requirements
Please review the prerequisites below to determine any services, addressing tasks, software, or hardware that customers must have available or complete prior to enabling connectivity for CME NYDR VPN access to the CME production environment.
Info |
---|
CME Group does not require customers to use specific consultant vendors. If internal resources are not available, customers are responsible for engaging resources to establish and support connectivity to CME Group. |
Internet Requirements
Customers must provide a high-speed connection to the Internet. The connection must meet the following requirements:
- Internet connection with static public IP address routable on the internet
- Internet service provider that supports VPN protocols
Software Requirements
The VPN software on your device or service must support the following encryption requirements:
- PSK for Internet Security Association and Key Management Protocol (ISAKMP)/IKE
- 3DES/SHA1 encryption or stronger for phase 1
- AES256/SHA1 encryption or stronger phase 2
Device Requirements
The device prerequisites vary slightly depending on whether existing devices will be leveraged. The following sections describe the three tunneling configuration options that can be used to create the VPN.
- Option 1 uses separate units for VPN and GRE tunneling
- Option 2 uses a single unit for VPN and GRE tunneling
- Option 3 uses a single unit for VPN tunneling
Option 1: Separate Units for VPN IPSEC and GRE Tunneling
Customers wishing to subscribe to market data that choose to utilize a device or service that does not support GRE tunnel encapsulation, will have to separate the IPsec and GRE termination between 2 endpoints.
Option 2: Combined Units for VPN IPSEC and GRE Tunneling
Customers wishing to subscribe to market data may choose to combine IPSEC and GRE termination into a single device or service.
Option 3: Single Unit for VPN IPSEC only
Customers not wishing to subscribe to market data do not require GRE capability.
CME NYDR VPN Connectivity Procedures
For CME NYDR VPN connectivity, a Cisco IOS configuration is presented as a guide only and must be adapted to other situations as required. There are two options available: With Market Data and Without Market Data.
Customer NYDR Configuration Template
Configuration with Market Data
No Format |
---|
crypto isakmp policy 1 encr aes authentication pre-share crypto ipsec transform-set cmevpn esp-aes esp-sha-hmac crypto isakmp key <CME Assigned PSK> address x.x.x.x crypto isakmp keepalive 60 crypto map cmevpn 1 ipsec-isakmp set peer x.x.x.x set transform-set cmevpn match address xxx < MD ONLY> interface Loopback100 ip address <CME Assigned Loopback ADC> 255.255.255.255 <MD ONLY> interface Tunnel100 description NYDR ip address x.x.x.x y.y.y.y ip pim sparse-mode tunnel source x.x.x.x tunnel destination x.x.x.x interface FastEthernet0/0 Desc LAN Interface ip address <CME Assigned LAN Address/mask> <MD ONLY> ip pim sparse-mode interface FastEthernetx/x description to Internet ip address <Customer Public IP Address ADC> crypto map cmevpn <MD ONLY> ip pim rp-address x.x.x.x NYDR_WAN override ip route 0.0.0.0 0.0.0.0 (Next Hop To Internet) <MD ONLY> ip route x.x.x.x y.y.y.y Tunnel100 <MD ONLY> ip mroute x.x.x.x y.y.y.y Tunnel100 <B-Feed MD ONLY> ip access-list standard NYDR_WAN permit 233.119.160.64 0.0.0.63 permit 233.72.75.64 0.0.0.63 permit 224.0.27.0 0.0.0.255 permit 224.0.32.0 0.0.0.255 permit 224.0.34.0 0.0.0.255 deny any ip access-list extended 100 permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask> permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask> permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask> permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask> permit icmp <Customer Assigned LAN Address/Mask> host x.x.x.x ßVPN Test Ping <MD ONLY> permit gre host x.x.x.x host x.x.x.x |
Configuration without Market Data
No Format |
---|
crypto isakmp policy 1 encr aes authentication pre-share crypto ipsec transform-set cmevpn esp-aes esp-sha-hmac crypto isakmp key <CME Assigned PSK> address x.x.x.x crypto isakmp keepalive 60 crypto map cmevpn 1 ipsec-isakmp set peer x.x.x.x set transform-set cmevpn match address xxx interface FastEthernet0/0 Desc LAN Interface ip address <CME Assigned LAN Address/mask> interface FastEthernetx/x description to Internet ip address <Customer Public IP Address ADC> crypto map cmevpn ip route 0.0.0.0 0.0.0.0 (Next Hop To Internet) ip access-list extended 100 permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask> permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask> permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask> permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask> permit icmp <Customer Assigned LAN Address/Mask> host x.x.x.x |
Testing CME NYDR VPN
Customers will be provided an address to ping in order to verify and validate the health of their VPN IPSEC connectivity when CME Group is not in a DR scenario.