CME NYDC VPN
To align CME Group regulatory compliance and business continuity planning strategies, CME Group provides a redundant, Out of Region Disaster Recovery (DR) facility for production failover in the event of a large-scale disruption to CME Group Production and DR data centers.
In the event that connectivity to both Chicago area datacenters is lost due to a catastrophic event, customers who subscribe to CME NYDR VPN, can access CME Globex via a CME NYDR VPN connection.
CME NYDR VPN is implemented using a virtual private network (VPN) connection. A VPN is a secure, point-to-point connection between a client and the CME Group out of Region data center. Unlike a direct Wide Area Network (WAN) connection over a costly, leased facility, VPN traffic is carried over the Internet using tunneling technology. A single router is used to establish connectivity between the client-managed router and the CME Group out of Region Data Center.
Technical Overview
Requirements
Please review the prerequisites below to determine any services, addressing tasks, software, or hardware that customers must have available or complete prior to enabling connectivity for CME NYDR VPN access to the CME production environment.
CME Group does not require customers to use specific consultant vendors. If internal resources are not available, customers are responsible for engaging resources to establish and support connectivity to CME Group.
Internet Requirements
Customers must provide a high-speed connection to the Internet. The connection must meet the following requirements:
Internet connection with static public IP address routable on the internet
Internet service provider that supports VPN protocols
Software Requirements
The VPN software on your device or service must support the following encryption requirements:
PSK for Internet Security Association and Key Management Protocol (ISAKMP)/IKE
3DES/SHA1 encryption or stronger for phase 1
AES256/SHA1 encryption or stronger phase 2
Device Requirements
The device prerequisites vary slightly depending on whether existing devices will be leveraged. The following sections describe the three tunneling configuration options that can be used to create the VPN.Â
Option 1 uses separate units for VPN and GRE tunneling
Option 2 uses a single unit for VPN and GRE tunneling
Option 3 uses a single unit for VPN tunneling
Option 1: Separate Units for VPN IPSEC and GRE Tunneling
Customers wishing to subscribe to market data that choose to utilize a device or service that does not support GRE tunnel encapsulation, will have to separate the IPsec and GRE termination between 2 endpoints.
Option 2: Combined Units for VPN IPSEC and GRE Tunneling
Customers wishing to subscribe to market data may choose to combine IPSEC and GRE termination into a single device or service.
Option 3: Single Unit for VPN IPSEC only
Customers not wishing to subscribe to market data do not require GRE capability.
CME NYDR VPN Connectivity Procedures
For CME NYDR VPN connectivity, a Cisco IOS configuration is presented as a guide only and must be adapted to other situations as required. There are two options available: With Market Data and Without Market Data.
Customer NYDR Configuration Template
Configuration with Market Data
crypto isakmp policy 1
encr aes
authentication pre-share
crypto ipsec transform-set cmevpn esp-aes esp-sha-hmac
crypto isakmp key <CME Assigned PSK> address x.x.x.x
crypto isakmp keepalive 60
crypto map cmevpn 1 ipsec-isakmp
set peer x.x.x.x
set transform-set cmevpn
match address xxx
< MD ONLY> interface Loopback100
ip address <CME Assigned Loopback ADC> 255.255.255.255
<MD ONLY> interface Tunnel100
description NYDR
ip address x.x.x.x y.y.y.y
ip pim sparse-mode
tunnel source x.x.x.x
tunnel destination x.x.x.x
interface FastEthernet0/0
Desc LAN Interface
ip address <CME Assigned LAN Address/mask>
<MD ONLY> ip pim sparse-mode
interface FastEthernetx/x
description to Internet
ip address <Customer Public IP Address ADC>
crypto map cmevpn
<MD ONLY> ip pim rp-address x.x.x.x NYDR_WAN override
ip route 0.0.0.0 0.0.0.0 (Next Hop To Internet)
<MD ONLY> ip route x.x.x.x y.y.y.y Tunnel100
<MD ONLY> ip mroute x.x.x.x y.y.y.y Tunnel100
<B-Feed MD ONLY> ip access-list standard NYDR_WAN
permit 233.119.160.64 0.0.0.63
permit 233.72.75.64 0.0.0.63
permit 224.0.27.0 0.0.0.255
permit 224.0.32.0 0.0.0.255
permit 224.0.34.0 0.0.0.255
deny any
ip access-list extended 100
permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask>
permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask>
permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask>
permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask>
permit icmp <Customer Assigned LAN Address/Mask> host x.x.x.x ßVPN Test Ping
<MD ONLY> permit gre host x.x.x.x host x.x.x.x
Configuration without Market Data
crypto isakmp policy 1
encr aes
authentication pre-share
crypto ipsec transform-set cmevpn esp-aes esp-sha-hmac
crypto isakmp key <CME Assigned PSK> address x.x.x.x
crypto isakmp keepalive 60
crypto map cmevpn 1 ipsec-isakmp
set peer x.x.x.x
set transform-set cmevpn
match address xxx
interface FastEthernet0/0
Desc LAN Interface
ip address <CME Assigned LAN Address/mask>
interface FastEthernetx/x
description to Internet
ip address <Customer Public IP Address ADC>
crypto map cmevpn
ip route 0.0.0.0 0.0.0.0 (Next Hop To Internet)
ip access-list extended 100
permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask>
permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask>
permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask>
permit ip <CME Assigned LAN Network Address/Mask> <CME NETWORK/Mask>
permit icmp <Customer Assigned LAN Address/Mask> host x.x.x.x
Testing CME NYDR VPN
Customers will be provided an address to ping in order to verify and validate the health of their VPN IPSEC connectivity when CME Group is not in a DR scenario.
How was your Client Systems Wiki Experience? Submit Feedback
Copyright © 2024 CME Group Inc. All rights reserved.