CME NYDR VPN
To align CME Group regulatory compliance and business continuity planning strategies, CME Group provides a redundant, Out of Region Disaster Recovery (DR) facility for production failover in the event of a large-scale disruption to CME Group Production data centers.
In the event that connectivity to Chicago area datacenters is lost due to a catastrophic event, customers who subscribe to CME NYDR VPN, can access CME Globex via a CME NYDR VPN connection.
CME NYDR VPN is implemented using a virtual private network (VPN) connection. A VPN is a secure, point-to-point connection between a client and the CME Group out of Region data center. Unlike a direct Wide Area Network (WAN) connection over a costly, leased facility, VPN traffic is carried over the Internet using tunneling technology. A single router is used to establish connectivity between the client-managed router and the CME Group out of Region Data Center.
Contents
Technical Overview
Requirements
Please review the prerequisites below to determine any services, addressing tasks, software, or hardware that customers must have available or complete prior to enabling connectivity for CME NYDR VPN access to the CME production environment.
CME Group does not require customers to use specific consultant vendors. If internal resources are not available, customers are responsible for engaging resources to establish and support connectivity to CME Group.
Internet Requirements
Customers must provide a high-speed connection to the Internet. The connection must meet the following requirements:
Internet connection with static public IP address routable on the internet
Internet service provider that supports VPN protocols
Software Requirements
The VPN software on your device or service must support the following encryption requirements:
PSK for Internet Security Association and Key Management Protocol (ISAKMP)/IKE
3DES/SHA1 encryption or stronger for phase 1
AES256/SHA1 encryption or stronger phase 2
Device Requirements
The device prerequisites vary slightly depending on whether existing devices will be leveraged. The following sections describe the three tunneling configuration options that can be used to create the VPN.
Option 1 uses separate units for VPN and GRE tunneling
Option 2 uses a single unit for VPN and GRE tunneling
Option 3 uses a single unit for VPN tunneling
Option 1: Separate Units for VPN IPSEC and GRE Tunneling
Customers wishing to subscribe to market data that choose to utilize a device or service that does not support GRE tunnel encapsulation, will have to separate the IPsec and GRE termination between 2 endpoints.
Option 2: Combined Units for VPN IPSEC and GRE Tunneling
Customers wishing to subscribe to market data may choose to combine IPSEC and GRE termination into a single device or service.
Option 3: Single Unit for VPN IPSEC only
Customers not wishing to subscribe to market data do not require GRE capability.
CME NYDR VPN Connectivity Procedures
For CME NYDR VPN connectivity, a Cisco IOS configuration is presented as a guide only and must be adapted to other situations as required.
There are two options available: With Market Data and Without Market Data.
Customer NYDR Configuration Template
See NYDR configuration template options (CME Group Login required).
Testing CME NYDR VPN
Customers are provided an address to ping in order to verify and validate the health of their VPN IPSEC connectivity when CME Group is not in a DR scenario.