VPN Connectivity Procedures


The topics below describe the procedure to follow for VPN connectivity.

Configuring VPN Connectivity with CME Network Services

Upon receipt of the Schedule B form, a CME Network Services engineer will review and evaluate the provided information. The engineer will send the following information to be used in configuring your connectivity:

  • A range of private addresses (per RFC 1918) from which you assign addresses to your hosts
  • A single private address (per RFC 1918) that you will use for your GRE tunnel
  • A single private loopback address (per RFC 1918) that you will use as the GRE tunnel source
  • An MDP certification template
  • A suggested router configuration
  • A unique pre-shared key (PSK) for authenticating devices and encrypting/decrypting packets

For details on RFC 1918, the Request for Comments standards document on address allocation for private internets, see the RFC Editor site (http://www.rfc-editor.org/).

Sample Customer Cisco IOS Configuration

The following is a sample customer Cisco IOS configuration:

! MD5 and 3DES are legacy algorithms; use the parameters CME Network Services
! specifies, since both peers must agree on them.
!
! only required for MDP access
ip multicast-routing
!
crypto isakmp policy 2
 encr aes
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxxx address 164.74.129.10
!
crypto ipsec transform-set cmevpn esp-3des esp-md5-hmac
!
crypto map cmevpn 1 ipsec-isakmp
 set peer 164.74.129.10
 set transform-set cmevpn
 match address 100
!
! Leave interface shutdown if MDP access not required
interface Loopback0
 ip address 10.144.0.x 255.255.255.255
 shutdown
!
! Leave interface shutdown if MDP access not required
interface Tunnel0
 ip address 10.144.1.x 255.255.255.252
 ip pim sparse-mode
 tunnel source 10.144.0.x
 tunnel destination 10.144.254.1
 shutdown
!
interface fa0/0
 ip address 10.144.x.1 255.255.255.0
 ! only required for MDP access
 ip pim sparse-mode
 duplex auto
 speed auto
 no cdp enable
!
! Customer public interface
interface fa0/1
 ip address x.x.x.x 255.255.255.x
 crypto map cmevpn
 ip access-group 199 in
!
! only required for MDP access
ip route 69.50.112.0 255.255.255.128 Tunnel0
ip classless
no ip http server
no ip http secure-server
!
! only required for MDP access
ip pim rp-address 69.50.112.254
! only required for MDP access; ip mroute takes a network mask, matching the unicast route above
ip mroute 69.50.112.0 255.255.255.128 Tunnel0
!
! Crypto ACL: traffic to be encrypted toward CME Group
access-list 100 permit ip 10.144.x.0 0.0.0.255 69.50.112.0 0.0.0.255
! only required for MDP access
access-list 100 permit gre host 10.144.0.x host 10.144.254.1
!
! Inbound filter on the customer public interface
access-list 199 permit ip 69.50.112.0 0.0.0.255 10.144.x.0 0.0.0.255
access-list 199 permit udp any any eq isakmp
access-list 199 permit ahp any any
access-list 199 permit esp any any


Verifying VPN Operation

After Configuring the VPN Connection

You will not be able to ping the CME Group public IP VPN peer address 164.74.129.10 across the VPN tunnel or from anywhere on the Internet. CME Group does not permit this traffic.

The following Cisco IOS commands are helpful in troubleshooting issues that may arise when turning up new VPN connections:

  • sh crypto isakmp sa | i 164.74.129.10 (a good output should show "QM_IDLE" state)
  • sh crypto ipsec sa | i 164.74.129.10 (a good output will show packets being encapsulated and decapsulated with no errors)
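
A check of the two outputs described above, as an added example that is not part of the original page: it parses captured output of "sh crypto isakmp sa" and "sh crypto ipsec sa" and lists what is wrong. The sample output is constructed, 198.51.100.20 stands in for the customer public address, and the IPsec check assumes the full output was captured without the "| i" filter, which would hide the counter lines.

```python
import re
PEER = "164.74.129.10"  # CME Group VPN peer address from the page

# Constructed sample output (not captured from a real router); 198.51.100.20
# is a stand-in for the customer public address.
ISAKMP_SA = """\
dst             src             state          conn-id slot status
164.74.129.10   198.51.100.20   QM_IDLE           1001    0 ACTIVE
"""
IPSEC_SA = """\
   current_peer 164.74.129.10 port 500
    #pkts encaps: 1520, #pkts encrypt: 1520, #pkts digest: 1520
    #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
    #send errors 0, #recv errors 0
"""

def isakmp_state(output, peer=PEER):
    """Return the phase 1 state for the peer, or None if no SA is listed."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and peer in fields[:2]:
            return fields[2]
    return None

def ipsec_counters(output):
    """Sum the encaps, decaps and error counters across every SA shown."""
    totals = {"encaps": 0, "decaps": 0, "send errors": 0, "recv errors": 0}
    for name in totals:
        for value in re.findall(rf"#(?:pkts )?{name}:? (\d+)", output):
            totals[name] += int(value)
    return totals

def diagnose(isakmp_out, ipsec_out, peer=PEER):
    """Return a list of problems; an empty list means the tunnel looks healthy."""
    problems = []
    state = isakmp_state(isakmp_out, peer)
    if state != "QM_IDLE":
        problems.append(f"phase 1 state is {state}, expected QM_IDLE")
    c = ipsec_counters(ipsec_out)
    if c["encaps"] == 0:
        problems.append("no packets encapsulated: no traffic matched the crypto map")
    if c["decaps"] == 0:
        problems.append("no packets decapsulated: nothing is returning from the peer")
    if c["send errors"] or c["recv errors"]:
        problems.append(f"errors: send={c['send errors']} recv={c['recv errors']}")
    return problems

if __name__ == "__main__":
    print(diagnose(ISAKMP_SA, IPSEC_SA) or "tunnel healthy")
```

Encapsulated packets with zero decapsulated packets usually means traffic leaves the router but nothing returns through the tunnel, which is worth reporting to the assigned network engineer along with the phase 1 state.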

Use one of the following tests for VPN connections that include access to CME Group's MDP environments:

  • Ping across the GRE tunnel to CME Group's point-to-point IP (not the source and destination GRE loopback addresses, but the IP address assigned to the actual tunnel interface).
  • The Cisco IOS command "show ip pim neighbor" should show CME Group's head end router as a PIM neighbor.

After Verifying the VPN Connection

After completing the tests described in the previous section, you should be ready to pull multicast data.

If you do not have an MDP listener host on your local network to send an IGMP join request to your router, you may temporarily configure an IGMP static join on your router's inside interface to begin pulling multicast data. The interface-level Cisco IOS command to configure the static join is "ip igmp static-group x.x.x.x", where "x.x.x.x" is one of the multicast group IP addresses from the chart at CME Globex Market Data Platform Certification Channel Definitions or CME Globex Market Data Platform New Release Certification Channel Definitions. Once IGMP is working either dynamically or statically, you can confirm the groups that you are trying to join by using the Cisco IOS command "show ip igmp groups". You should then begin pulling multicast data from CME Group and can confirm this with the Cisco IOS commands "sh ip pim rp" and "sh ip mroute count".

If you have any problems or questions performing the above, please contact the network engineer who has been assigned your work request.

After Establishing Connectivity to the CME Group Certification Environments

Your firm may soon be ready to perform application testing and attain CME Group certification. Users performing certification may refer to the following topics:

  • CME Market Data Platform describes how to develop for the new platform and how the platform will read from the user interface of the customer-side application.
  • CME Market Data Platform AutoCert+ Guide describes how to log into the AutoCert+ site and lists the required and optional test scripts corresponding to MDP message functionality.

 
