© Deutsche Börse AG 2010 All proprietary rights and interest in this publication shall be vested in Deutsche Börse AG and all other rights including, but without limitation to, patent, registered design, copyright, trade mark, service mark, connected with this publication shall also be vested in Deutsche Börse AG. Whilst all reasonable care has been taken to ensure that the details contained in this publication are accurate and not misleading at the time of publication, no liability is accepted by Deutsche Börse AG for the use of information contained herein in any circumstances connected with actual trading or otherwise. Neither Deutsche Börse AG, nor its servants nor agents, is responsible for any errors or omissions contained in this publication which is published for information only and shall not constitute an investment advice. This brochure is not intended for solicitation purposes but only for the use of general information. All descriptions, examples and calculations contained in this publication are for guidance purposes only and should not be treated as definitive. Deutsche Börse AG reserves the right to alter any of its rules or product specifications, and such an event may affect the validity of information contained in this publication. ® Registered trademark of Deutsche Börse AG Network Access To Exchange Applications

Network Access To Exchange Applications - Gruppe Deutsche Börse


Deutsche Börse Group

Network Access To Exchange Applications

06.04.10

Page 2 of 76

V.10.03

Table of Contents

1. Amendments
2. Introduction
2.1 Applications and Services
2.2 Contacts
2.3 Other Guides available to Members
2.4 Access Order Forms
2.5 Getting Started
3. Network Overview
3.1 Network Connections to the Exchange
3.1.1 Leased Line Connection
3.1.2 Internet Connection
3.2 Network Administration and Responsibilities
3.3 Network Security
3.4 Network Failover
4. Connection Alternatives
4.1 Standard Connection: Two Leased Lines
4.1.1 Consolidated Connections
4.1.2 Enhanced Broadcast Solution
4.1.3 Enhanced Transaction Solution
4.1.4 CEF® ultra+
4.2 Combined Access: One Leased Line plus iAccess (Backup)
4.3 iAccess: VPN Internet Connection
4.4 Single Leased Line Connections
5. Overview Access Options
5.1 Router-based Access Options
5.2 Internet-Workstation-based Access Options
6. Network Communication Protocols
6.1 Address Scheme
6.2 Network Names
6.3 General Rules for Addressing
6.4 Market/Services Specific IP Ranges
6.5 Individual Host Addresses
6.6 Addressing and Name Exceptions
6.7 Multicast Groups
6.7.1 MISS-based Installations
6.7.2 Reference Information – Enhanced Broadcast Solution and CEF® ultra+
6.7.3 Enhanced Broadcast Solution and CEF® ultra+
6.7.4 Rendezvous Points Enhanced Broadcast Solution and CEF® ultra+
7. Network Hardware
7.1 Channelised E1 Member Connections
7.2 Channelised T1 Member Connections
7.3 Non-channelised E1 Member Connections
7.4 Ethernet Connections with Multicast (MC) + Encrypted TCP-IP Traffic
7.4.1 Lines with up to 60 Mbit/s MC + 10 Mbit/s encrypted TCP-IP traffic
7.4.2 Lines with more than 60 Mbit/s MC + 20 Mbit/s encrypted TCP-IP traffic
7.5 Ethernet Connections with Multicast (MC) + Non-Encrypted TCP-IP Traffic
7.5.1 Lines with up to 80 Mbit/s MC + 20 Mbit/s Non-Encrypted TCP-IP Traffic
7.5.2 Lines with more than 80 Mbit/s MC + 20 Mbit/s Non-Encrypted TCP-IP Traffic
7.6 Ethernet Connections with Non-Encrypted TCP-IP Traffic
7.7 X.21 and V.35 Non-channelised Member Network Connection
7.8 VPN Encryption Modules for VPN Internet Connections (iAccess)
8. Required Ports for Firewall Configurations
8.1 Ports used by MISS-based Front-End Setups
8.1.1 GATE - Ports
8.1.2 VALUES - Ports
8.2 Enhanced Risk Solution – Ports
8.3 Enhanced Broadcast Solution / CEF® ultra+ - Ports
8.4 Enhanced Transaction Solution - Ports
8.5 CEF® - Ports
8.6 XQS - Ports
9. Sample Router Configurations
9.1 General Setup
9.1.1 Ethernet Leased Lines - Xetra 1 Gbit/s
9.1.2 Ethernet Leased Lines - Enhanced Broadcast Solution+ Service A
9.1.3 Ethernet Leased Lines - Enhanced Broadcast Solution+ Service B
9.1.4 Optional Shaping (QoS) for Enhanced Transaction Solution Simulation
9.1.5 Ethernet Leased Lines for Enhanced Transaction Solution
9.1.6 Optional NTP Server for Enhanced Transaction Solution
9.2 Adding Support for iAccess
9.2.1 Network Time Protocol for iAccess Connections
9.2.2 Setting the Time Manually
9.2.3 IPSec Configuration for iAccess
9.2.4 IPSec Configuration for Combined Access
9.2.5 Router Clock Verification
9.2.6 Enrolment
9.2.7 Password for Member Verification
9.2.8 Trusted Peer Verification
9.2.9 Load Certificate
9.3 Router for Workstations in a Remote LAN
10. Terms and Abbreviations

1. Amendments

In this version of the document, changes relating to the release of Xetra 11 have been highlighted in green.

Change History

| Version | Chapter | Comment |
|---|---|---|
| 2008.10 | general | Technical aspects such as ports to be used by the Enhanced Transaction Solution, comments on the encryption technique applied and sample router configurations have been added to the document. |
| 2008.11 | 7.7 | IOS versions mentioned refer to the CISCO 3800 series routers assuming Enhanced Broadcast Solution and Enhanced Transaction Solution connections terminate on the same router |
| | 8.1.5 | Changes in the “ip access-list extended AL_dbs_Ets” part of the example configuration |
| 2008.20 | general | Adaptations to accommodate CEF®, XQS, z/OS. Deletion of the Eurex service “New Socket Datafeed”. |
| | 7.7 | Hardware requirements for 100 and 120 Mbps connections |
| | 9.1.2 | Port number Xetra FFM2 simulation changed |
| | 6.1.5, 6.1.6, 9.2 | Port number for Enhanced Broadcast Solution Advanced simulation added |
| | 9.3 | Port number Enhanced Transaction Solution, Advanced Simulation added |
| 2008.30 | 3.3 | New section security aspects |
| | 8.2, 8.5 | CEF® and XQS ports included |
| 2008.40 | general | Adaptations to Xetra 10, in particular with respect to router equipment |
| V.09.03 | general | Xetra 10 - New, additional trading interface |
| V.09.08 | general | Xetra 10.1 - Enhancements of the Xetra Enhanced Broadcast Solution |
| V.09.12 | general | Eurex WBAG incorporated |
| V.10.03 | general | Xetra 11, Eurex and CEF® connectivity, Enhanced Risk Solution |

2. Introduction

The purpose of the document “Network Access to Exchange Applications” is to give an overview of network access options for connection to the Exchange platforms and markets Eurex, Xetra, CCP and how to connect to the CEF® market data feeds, XQS, the mainframe via z/OS and the services Enhanced Broadcast Solution and Enhanced Transaction Solution. Depending on the chosen access option and connection alternative, the document supports members when choosing the appropriate router equipment. Port numbers for firewall configurations and example router configurations are also included. This document is intended for network administrators.

The corresponding document Front-End Access to Exchange Applications describes the customer’s front-end setup.

The link between these two documents is the member network device joining the customer’s installation with the Exchanges’ Back-End.

The software setup of the particular MISSes, Member Devices or workstations is not part of this document. In this case please refer to the “Installation Guides” available for GATE and the respective exchanges.

The structure of the document is as follows:

Chapter 3 – Network Overview

Information on the Exchange’s leased line and Internet connections

Chapter 4 – Connection Alternatives

Explanation of the different connection possibilities

Chapter 5 – Overview Access Options

Overview of connection types and bandwidth offered for the respective market and service

Chapter 6 - Network Communication Protocols

Details of protocols and multicast addresses used

Chapter 7 - Router Hardware

Details of router hardware recommendations

Chapter 8 – Required Ports for Firewall Configurations

Details on the application and service port numbers

Chapter 9 - Router Sample Configuration

Sample router configurations for the different connectivity possibilities

Chapter 10 – Terms and Abbreviations

2.1 Applications and Services

The table provides an overview of the applications and services this documentation provides network access options for.

| Platform | Market/Service | Protocol |
|---|---|---|
| CCP | CCP | TCP-IP |
| CEF® | CEF® Core | TCP-IP |
| CEF® | CEF® ultra+ Eurex / CEF® ultra+ Xetra | TCP-IP, UDP-IP (Multicast) |
| CEF® | CEF® ultra+ Irish Stock Exchange | UDP-IP (Multicast) |
| Eurex | Eurex (VALUES Connection) | TCP-IP, UDP-IP (Multicast in MISS/WS LAN) |
| Eurex | Eurex WBAG (VALUES Connection) | TCP-IP, UDP-IP (Multicast in MISS/WS LAN) |
| Eurex | EEX Derivatives (VALUES Connection) | TCP-IP, UDP-IP (Multicast in MISS/WS LAN) |
| Eurex | Enhanced Risk Solution | TCP-IP |
| Eurex | Enhanced Broadcast Solution | UDP-IP (Multicast) |
| Eurex | Enhanced Transaction Solution | TCP-IP |
| Xetra | VALUES Connection (MISS): Xetra Frankfurt | TCP-IP, UDP-IP (Multicast in MISS/WS LAN) |
| Xetra | VALUES Connection (MISS): Xetra Frankfurt 2 | TCP-IP, UDP-IP (Multicast in MISS/WS LAN) |
| Xetra | VALUES Connection (MISS): Eurex Bonds | TCP-IP, UDP-IP (Multicast in MISS/WS LAN) |
| Xetra | VALUES Connection (MISS): Irish Stock Exchange (Irish SE) | TCP-IP, UDP-IP (Multicast in MISS/WS LAN) |
| Xetra | VALUES Connection (MISS): Bulgarian Stock Exchange | TCP-IP, UDP-IP (Multicast in MISS/WS LAN) |
| Xetra | VALUES Connection (MISS): EEX Spot Market | TCP-IP, UDP-IP (Multicast in MISS/WS LAN) |
| Xetra | VALUES Connection (MISS): Xetra WBAG | TCP-IP, UDP-IP (Multicast in MISS/WS LAN) |
| Xetra | VALUES Connection (MISS): Xetra International Market | TCP-IP, UDP-IP (Multicast in MISS/WS LAN) |
| Xetra | Enhanced Broadcast Solution available for Xetra Frankfurt, Irish SE, Xetra International Market | UDP-IP (Multicast) |
| Xetra | Enhanced Transaction Solution available for Xetra Frankfurt, Irish SE, Xetra International Market | TCP-IP |
| XQS | XQS | TCP-IP |
| z/OS | Mainframe Applications | TCP-IP |

2.2 Contacts

On various occasions reference is made to further documentation, available online. The respective websites are as follows:

| Exchange | websites follow … | Contact the exchange at … |
|---|---|---|
| Eurex, CCP | www.eurexchange.com, www.eurexclearing.com -> Member Section -> Service Point -> Contacts | +49-69-211-11700 Member Services & Admission |
| Xetra | www.deutsche-boerse.com -> Technology Services -> Support -> Hotlines | +49-69-211-11640 Member Services & Admission |
| CEF® | https://contracts.deutsche-boerse.com MD+A interactive | +49-69-211-13440 Customer Service |

These websites contain technical documentation such as sizing guidelines, release notes, installation and operation guides and can provide additional member specific system state and configuration details on the connection between the member and the respective exchange.

Access to the “Members Only” section on the respective websites is password protected. For details please contact the member’s central coordinator who receives this access information during the admittance procedures. As well as functional support using the telephone numbers outlined in the table above, each exchange offers technical assistance using the telephone numbers below:

EUREX Customer Technical Support +49-69-211-11200, +1-312-544-1100, +41-58-854-2992

XETRA Customer Technical Support +49-69-211-18400

XETRA WBAG Customer Technical Support +49-69-211-11740

CCP Customer Technical Support +49-69-211-12800

CEF® Customer Technical Support +49-69-211-11880

XQS Customer Technical Support +49-69-211-15555

2.3 Other Guides available to Members

The Exchange has published the following additional technical guides available in the respective member section on the websites www.deutsche-boerse.com and www.eurexchange.com.

Other guides available:

• Front-End Access to Exchange Applications

• Common Front-End Sizing Guidelines (Xetra and Eurex)

• Connection Alternatives and Sizing Indication (CCP only)

• GATE Front-End Installation/Operations Guide

• Exchange specific: Front-End Installation/Operation Guides

• VALUES API: Member Front-End Development Guide (the preliminary “planning” and “programming” versions)

• Enhanced Broadcast Solution – Interface Specification

• Enhanced Transaction Solution - Programming Version (Eurex)

• Enhanced Transaction Solution - Interface Specification (Xetra)

• Release Description (Xetra)

• Xentric Quote Source 3.0 – Application Programming Interface

• Interface Specification (CEF® Core, CEF® ultra+ Eurex, CEF® ultra+ Xetra, CEF® ultra+ Irish Stock Exchange)

• CEF® Core Fields and Products

• CEF® Core Fields and Products Guideline

• CEF Release Notes

• Final Technical Release Notes (Eurex, Xetra, CCP)

• Enhanced Risk Solution - Interface Specification Final Version

2.4 Access Order Forms

Several forms must be completed, submitted and approved by the Exchanges in order to gain network access to the respective application environment. These forms (*.pdf) are available on the respective Exchanges’ websites or can be submitted electronically via the tool “Tickets & Requests” (CEF® connections cannot be ordered via “Tickets & Requests”).

Links to Tickets & Requests (online orders):

http://business.eurexchange.com

http://business.deutsche-boerse.com

Link to Eurex Order Forms:

http://www.eurexchange.com/documents/forms/trading_derivatives/single/technical/miscellaneous_en.html

Link to Xetra Order Forms:

http://deutsche-boerse.com/dbag/dispatch/de/kir/gdb_navigation/trading/40_admission_rules/100_admission_xetra/500_forms/40_Technical

Link to CEF® Order Forms

https://contracts.deutsche-boerse.com

For Exchange contact details please refer to chapter 2.2 or ask your Central Coordinator for your Key Account Manager at the Exchange.

Note: Additional forms have to be submitted if the role of providing the technical infrastructure for other members (service provider) is required or when the technical infrastructure is not hosted at your site.

2.5 Getting Started

After the decision for the desired access option and hardware to connect to the respective Back-End has been made and the corresponding approval from the respective exchange has been received, it is the member’s responsibility to prepare facilities, select the hardware platform, purchase equipment and configure the Front-End installation. The member can commission these activities to a contractor such as Deutsche Börse Systems’ “ExServes”.

The process of setting up the connection to the Back-End is accompanied by a Technical Account Manager from Deutsche Börse Systems who co-ordinates and schedules the following tasks, which may differ according to the respective Back-End and/or connectivity:

• Installation of a leased line by the respective carrier. A system administrator or technician must be on site for this task.

• Distribution of node names, session IDs, IP addresses and passwords by the exchange, including file transfer (FTP) accounts, if applicable.

• Connection test. All hardware must be on site and correctly configured. Loop-back plugs should be available. Deutsche Börse Systems operators will verify the quality of the connection and simulate an application failure where appropriate in order to test a failover configuration.

• For MISS-based installations - delivery of the software (not applicable to Internet workstation-based connections). Using the FTP account, the software for simulation and production will be copied on demand or overnight, using the now established network link to the server. Alternatively, the software can be downloaded from the respective websites.

• For MISS-based installations - Installation and configuration of the software. The software kit includes installation notes which system administrators should follow (see Front-End Installation Guide).

3. Network Overview

In order to support the respective applications, an efficient infrastructure representing a dedicated global IP network has been established. Any member connection to the Exchanges’ Back-End systems is connected to an Access Point. Access Points, to which leased lines connect, are located throughout the world in major financial centres where the Exchange members are concentrated. This concept allows the Exchange to extend its private network up to the carriers’ demarcation point at the customer’s site. Each of these Access Points is connected to the Exchange hosts via redundant leased lines. Members are connected to an Access Point via dedicated leased lines and/or via the Internet. Where MISS-based Front-Ends are connected to the Exchange Back-Ends, each MISS communicates via a communication server within an Access Point, which multiplies and distributes broadcasts. The figure below shows the overall Exchange network; details might differ for a particular platform.

[Figure: overall Exchange network. Symbols: Back End Location, Access Point Location, Customer Location. Locations shown: Vienna, Chicago, Paris, Milan, London, Helsinki, Amsterdam, Dublin, New York, Madrid, Zurich, Frankfurt, Gibraltar, Luxembourg, Singapore.]

Diagram 3.1: Access Point Concept as of Document’s Release Date

Given the scope of this document, neither the setup of the Exchanges’ Back-Ends nor other means of electronic communication between the Exchanges and the member are discussed.

For details of setting up the member network for MISS-based installations or Member Devices setups please see the document “Front-End Access To Exchange Applications”.

3.1 Network Connections to the Exchange

The Exchange operates a global private network consisting of leased lines and Internet connections.

3.1.1 Leased Line Connection

The Exchange will provide market and service specific dedicated bandwidth(s) (e.g. Eurex, Xetra, CCP, CEF®, XQS, Enhanced Broadcast Solution etc.). The type and the bandwidth of the underlying member network connection will be determined at the Exchange’s discretion. The Exchange decides whether line sharing with other Exchange markets and services will be applied.

The following leased line connections are provided by the Exchange to connect to the Exchange network:

| Leased Line Type | Specification | Market or Service |
|---|---|---|
| E1 | channelised, G.703 standard, framed by the Exchange | CCP, CEF®, Eurex/Xetra (VALUES), Xetra, XQS, z/OS |
| E1 | non-channelised, clear channel, G.703 standard | CEF®, Xetra 2 Mbit/s, XQS |
| T1 in the U.S.A. | channelised, framed by the Exchange | Eurex (VALUES), CEF® |
| Ethernet | 10 to 100 Mbit/s with copper connectivity; 1 Gbit/s with copper connectivity; with fibre connectivity or dark fibre | All services mentioned in this document. |

Please note the following additional details:

Proximity Location: Connections in a proximity location will be provided with RJ45 “copper” presentation.

VALUES Connections: The type and the bandwidth of the underlying member network connection will be determined at the Exchange’s discretion.

Enhanced Transaction Solution Connections: The connection for the Enhanced Transaction Solution is encrypted in the network based on the IPSec (256 bit AES encryption) procedure. Only in proximity locations can Enhanced Transaction Solution encryption be switched off on request. Only a total of 2 Enhanced Transaction Solution connections per market (Eurex/Xetra) and subnet are offered and only one Enhanced Transaction Solution connection per market (Eurex/Xetra) can be established on a leased line.

General: All leased lines will be delivered with full duplex. If it becomes apparent that solutions mentioned in this document need to be expanded the Exchange may consider adding additional options.

3.1.2 Internet Connection

The Internet connection does not need to be used exclusively for the Exchange access; an existing Internet connection may be used if appropriate. The Exchange recommends the use of a dedicated Internet connection or a shared connection with a bandwidth reservation mechanism/protocol.

Any bandwidth to the Internet Service Provider (ISP) may be used. However, on the Exchange side, the usable bandwidth will be limited to the bandwidth offered for the respective market/service.

iAccess (VPN Internet Connection)

In the case of iAccess, whereby the member utilizes its own Front-End network to distribute the trading functionality in-house, the following arrangements have to be made:

• The member has to provide the Internet connection by selecting any ISP of his choice. A registered static public Internet IP address must be available for the connection as the Exchange will only accept connections from pre-determined IP addresses.

• The router for the Internet connection must be equipped as described in Chapter 7.8 of this guide.

• A Virtual Private Network (VPN) with 168 bit 3DES encryption ensures a secure data transfer over the Internet. The Exchange uses an authentication process with a certificate (Public Key Infrastructure) that will secure communication in a closed user group.

3.2 Network Administration and Responsibilities

The Exchange is responsible for the administration and operation of the network from the Back-End up to the boundary of the carrier demarcation point at the member’s site. All leased line connections are purchased, installed, maintained and owned by the Exchange. This applies also to cross connects in conjunction with proximity services.

For Internet connections the member has to provide the Internet connection by selecting any ISP of his choice. For iAccess connections a registered Internet IP address must be available as the exchange will only accept iAccess connections from pre-determined IP addresses.

Internet connectivity, including purchase, installation and configuration, is beyond the control and responsibility of the Exchange. Errors in the Internet connectivity and other related issues such as communication with the ISP etc. have to be handled by the member.

The administration and operation of equipment beyond the connection to the Exchanges, such as routers, MISSes, workstations and other Member Devices at the member’s site, are the responsibility of the member.

However, due to the technical implementation, the Exchange stipulates the necessary parameters for the configuration and layout of the network connection and assigns configuration parameters for the member’s Front-End setup. Administration and operation of the Front-End architecture can be commissioned to a contractor such as Deutsche Börse Systems’ “ExServes” department.

3.3 Network Security

Security is one of the key functions of an Access Point in the network topology. An Access Point is the sole gateway between Exchange Back-End hosts and member installations. Several member installations are connected to the same Access Point. The functions and procedures implemented within an Access Point act as a firewall.

Depending on the market/service the components of an Access Point are:

• Router for the connectivity to Back-End host,

• Router(s) for the connectivity to member installations,

• Communication Server (MISS-based infrastructure only).

The typical IP services (i.e. Telnet, FTP, Finger, SMTP, RPC) are not available on an Access Point. Passive and active security mechanisms are designed for all Exchange routers to ensure the individual systems of the members are not able to communicate across the network through any means other than the Member Device Front-End.

A Communication Server is an application gateway for application services. A Communication Server can only be accessed by the application-specific connection via the VALUES interface. External systems can reach a Communication Server only via application-specific authorization processes.

The Access Point acts as a shield between the member device and the Exchange Back-End hosts. As shown on the diagram below, if the member A tries to access the network of member B, the Access Point will prevent any kind of communication in that direction. Also, if member A tries to access the Back-End directly, the Access Point will stop any kind of unauthorized access to the Back-End. Only application communication is possible using a limited number of specific ports. In the case of access via a VPN Internet connection, the usage of firewalls is encouraged for additional security.

Diagram 3.2 – Network Security Policy and the Access Point

A router within the Access Point ensures the communication to the member installation. Two security features are established on all routers within an Access Point:

• Accessibility control feature: The IP networks belonging to installations of different members are not reachable by others through the Access Point network.

• Transport control feature: The Access Point network will transport only data belonging to the application-specific connection.

3.4 Network Failover

No network failover will be provided for the markets and services mentioned in this document. The application must initialise the failover to a backup network connection if applicable. Please see the document “Front-End Access To Exchange Applications”.

4. Connection Alternatives

4.1 Standard Connection: Two Leased Lines

This setup offers the highest availability.

Diagram 4.1 – Two Leased Lines connected to separate Access Points (labels in the diagram: Member Device/Router-LAN, Member Router, Access Point A, Access Point B, Member Router, to Exchange Back End)

Technical Implementation:

The Exchange will provide bandwidth on a leased line and wherever possible, two leased lines are ordered from different providers with separate infrastructure (separate cabling and technical components – dual rail concept). In geographic areas where multiple telecommunication providers are not available, all measures ensuring the highest possible degree of redundancy will be taken. It is possible to terminate both connections in separate locations (split location). The Exchange will assign the same private IP address range to both connections (see section 6). The provision, operation and administration of the interconnection between both member locations is the member’s responsibility. Recommendations for router equipment for the various types of connections are provided in chapter 7.

4.1.1 Consolidated Connections

Eurex and Xetra offer network connections which consolidate the various connection types Enhanced Broadcast Solution and/or Enhanced Transaction Solution and/or VALUES connections of the respective market, Eurex or Xetra (portfolio offered please see section 5). On a leased line only one Enhanced Broadcast Solution and one Enhanced Transaction Solution connection per market (Eurex/Xetra) can be established but multiple VALUES connections per market can be configured. Eurex and Xetra do offer a single consolidated connection for disaster recovery locations.

When the Enhanced Broadcast Solution is configured on a high bandwidth connection a minimum bandwidth of 10 Mbit/s for the Enhanced Broadcast Solution per market is required. If capacity of a consolidated connection has not been assigned to a specific Eurex/Xetra connection the remaining bandwidth will be added to the Enhanced Broadcast Solution bandwidth of the respective market on the consolidated connection (please see the diagram below). Recommendations for router equipment for the various types of connections are provided in chapter 7.

Diagram 4.2 – Example: 70 Mbit/s Eurex Consolidated Connection – the remaining bandwidth of 48 Mbit/s has been assigned to the Eurex Enhanced Broadcast Solution service. Additionally on the same leased line a 30 Mbit/s Xetra Consolidated Network Connection has been configured. The remaining bandwidth of 17 Mbit/s of the Xetra Consolidated Network Connection has been assigned the Xetra Enhanced Broadcast Solution service.

Note: The provision of high bandwidth Ethernet connections is subject to the technical availability in the selected location.

4.1.2 Enhanced Broadcast Solution

The Eurex/Xetra Enhanced Broadcast Solution data stream is propagated in a “live-live” concept by disseminating two services, A and B. Both services contain the same streams but utilize different Multicast groups. Only one service (A or B) will be transmitted per leased line connection. A service (A or B) is linked to the transmitting leased line. An automatic failover of the respective service in case of a line failure is not possible. Due to the inherent unreliable nature of the delivery mechanism of the UDP protocol, packets may be lost in transmission, arrive out of order or may be duplicated. Members are advised to subscribe to both services simultaneously on different leased lines to reduce the possibility of data loss. These two leased lines will be connected to different Access Points. A specific Access Point can provide only one service. Depending on the Access Point either service A or B is provided. It is the responsibility of the client application to cater for packets which may have been lost, arrive out of order or are duplicated. The Enhanced Broadcast Solution data stream relies on IGMPv2 features.

Note: The optimal gateway location for trading a respective product via the Enhanced Transaction Solution Interface is available in the response to the Enhanced Transaction Solution request Inquire Product Request within Eurex and Inquire Instrument within Xetra. The Enhanced Broadcast Solution Stream A originates from the Eurex/Xetra data center where the products with OptiGatewayLocID = “0” are hosted and stream B originates from the data center where products with OptiGatewayLocID = “1” are hosted (please see as well document “Front-End Access To Exchange Applications” section 5).

4.1.3 Enhanced Transaction Solution

The Eurex/Xetra Enhanced Transaction Solution is an asynchronous message-based interface. The Enhanced Transaction Solution connection between members and the Eurex/Xetra system is established via a TCP connection. The Enhanced Transaction Solution is session-oriented whereby the session is the basic context of the interaction with the respective Back-End system. Sessions are assigned for use by a pair of gateways authorized from a specific class C subnet*. Members are advised to subscribe to a redundant setup. In case a redundant setup has been ordered the two gateways assigned to one session are accommodated into two different gateway groups accessible via the according leased line connections. Only the assigned gateways will accept connection requests from clients using a respective session ID belonging to the subnet* assigned by the Exchange. If Enhanced Transaction Solution-production and Enhanced Transaction Solution-simulation is used within the same connection it is recommended to protect production by enabling QoS for Enhanced Transaction Solution-simulation. “Nagle on” will slow down your application and it will make your throttle related bookkeeping unreliable.

Members are asked to set the value of the delayed/deferred acknowledge parameter in the respective operating system of their Enhanced Transaction Solution trading machine to zero, i.e. no delayed/deferred acknowledge. Client host addresses are administered by customers.

The connection for the Enhanced Transaction Solution is encrypted in the network based on the IPSec (256 bit AES encryption) procedure. Only in proximity locations can Enhanced Transaction Solution encryption be switched off on request. Eurex and Xetra production sessions assigned to Enhanced Transaction Solution connections with encryption switched off will connect to gateway groups different from the gateway groups that sessions connect to via encrypted Enhanced Transaction Solution connections. Only a total of 2 Enhanced Transaction Solution connections per market (Eurex/Xetra) and subnet are offered and only one Enhanced Transaction Solution connection per market (Eurex/Xetra) can be established on a leased line.

In case two Enhanced Transaction Solution connections are configured on one leased line either both connections are encrypted or both are not encrypted.

*Note: Eurex and Xetra do offer the option to have two different subnets for each session assigned. Sessions used for non-encrypted Enhanced Transaction Solution connections having a second subnet for encrypted Enhanced Transaction Solution connections assigned can make use of four gateways.

4.1.4 CEF® ultra+

Technically the respective CEF® ultra+ data feeds are the same as the Enhanced Broadcast Solution Feed for Eurex and Xetra. Therefore the concept described in chapter 4.1.2 holds as well for the CEF® ultra+ data feed.

However beside UDP, the TCP protocol is used for CEF® ultra+ connections for sending application requests/responses between an Access Point and a customer installation via a reliable communication link. This link is used for Trade Recovery Functionality.

Host IP addresses for the production environment for trade recovery of CEF® ultra+ feeds:

CEF Data Feed 1 > IP Address 91.251.33.40

CEF Data Feed 2 > IP Address 91.251.34.40

Port 55003

Host IP addresses for the simulation environment for trade recovery of CEF® ultra+ feeds:

CEF Data Feed 1 > IP Address 91.251.33.41

CEF Data Feed 2 > IP Address 91.251.34.41

Port 55003

* Note: CEF® ultra+ Irish Stock Exchange will not be available with a ”trade recovery” functionality.

4.2 Combined Access: One Leased Line plus iAccess (Backup)

This solution offers high availability. The leased line is the primary connection and is used for all data traffic. Failure of the leased line results in the use of the backup VPN Internet connection.

Diagram 4.3 – One Leased Line and one VPN Internet connection (iAccess) connected to separate Access Points (labels in the diagram: Member Device/Router-LAN, Member Router, Access Point A, Access Point B, Member Router, Internet VPN Tunnel, to Exchange Back End)

Technical Implementation:

The Exchange will provide bandwidth on a leased line. The member is responsible for the provision and availability of the Internet connection. It is possible to terminate both connections in separate locations (split location). The Exchange will assign the same private IP address range to both connections (see section 6). The provision, operation and administration of the interconnection between both member locations is the member’s responsibility. Recommendations for router equipment for the various types of connections are provided in chapter 7.

4.3 iAccess: VPN Internet Connection

The connection alternative "iAccess" is a permanent point-to-point VPN Internet connection between a member router and an Access Point. Virtual Private Networks use advanced encryption and tunnelling to permit organizations to establish secure end-to-end, private network connections over third-party networks, such as the Internet. A tunnel through the Internet is established by employing IPSec (3DES 168 bit). The availability of this access option is determined by the reliability of the underlying Internet connection. The member is responsible for the provision and availability of the Internet connection.

Diagram 4.4 – VPN Internet connection (iAccess)

Technical Implementation: The router connecting the member to the Exchange via a VPN Internet connection uses the IPSec protocol – 168bit 3DES. The total bandwidth must be the sum of the required bandwidths for each required market (platform). Recommendations for router equipment for the various types of connections are provided in chapter 7.

4.4 Single Leased Line Connections

Under certain circumstances the Exchanges will allow the connection of a single leased line to Eurex, Xetra or CCP production environment i.e. without a leased line or iAccess backup.

Diagram 4.5 – Single leased line connection

In general, single leased line connections are not intended for trading installations, but may be allowed for disaster recovery and backup locations. The “Enhanced Transaction Solution” can be installed with a single leased line connection, with the consequence of a lack of redundancy. Due to the nature of the Enhanced Broadcast Solution data stream, the Exchange advises the member to subscribe to service A and service B via independent connections (see section 4.1.2 of this chapter).

Technical Implementation: The Exchange will provide bandwidth on a leased line. Recommendations for router equipment for the various types of connections are provided in chapter 7.

5. Overview Access Options

The following tables in this section summarise the connection alternatives for the particular Exchange markets and services. Please refer to Chapter 4 “Connection Alternatives” for further explanation.

5.1 Router-based Access Options

Platform | Market/Service | Standard Access | Consolidated Connection (3) | Combined Access | iAccess | Single Leased Line (2)
CCP | CCP | 64 kbit/s | n.a. | 64 kbit/s | 64 kbit/s | 64 kbit/s
CEF® | CEF® Core | 2 Mbit/s to 1 Gbit/s | 10 Mbit/s to 1 Gbit/s | 2 Mbit/s to 4 Mbit/s | 2 Mbit/s to 4 Mbit/s | 2 Mbit/s to 1 Gbit/s
CEF® | CEF® ultra+ Eurex, CEF® ultra+ Xetra, CEF® ultra+ Irish Stock Exchange | 10 Mbit/s to 1 Gbit/s | 10 Mbit/s to 1 Gbit/s | n.a. | n.a. | 10 Mbit/s to 1 Gbit/s
Eurex* | VALUES (MISS) Connection | 1 Mbit/s, 10 Mbit/s | n x 1 Mbit/s, n x 10 Mbit/s | 1 Mbit/s | 1 Mbit/s | n x 1 Mbit/s, n x 10 Mbit/s
Eurex* | Eurex WBAG | 128 kbit/s | n.a. | 128 kbit/s | 128 kbit/s | n.a.
Eurex* | EEX Derivatives | 1 Mbit/s | n.a. | 1 Mbit/s | 1 Mbit/s | 1 Mbit/s
Eurex* | Enhanced Risk Solution (1) | 1 Mbit/s | n.a. | 1 Mbit/s | 1 Mbit/s | 1 Mbit/s
Eurex* | Enhanced Transaction Solution | 10 Mbit/s | 1 Mbit/s, 10 Mbit/s | n.a. | n.a. | 10 Mbit/s
Eurex* | Enhanced Broadcast Solution | 10, 20, 30, 50, 60, 70 Mbit/s | 10 Mbit/s + remaining bandwidth of Consolidated Eurex Connection | n.a. | n.a. | 10, 20, 30, 50, 60, 70 Mbit/s

*Within Proximity locations Eurex offers additionally 100, 120 and 600 Mbit/s consolidated connection options and 1 Gbit/s Eurex Enhanced Broadcast Solution connections. In London a 600 Mbit/s consolidated connection option is offered beside the consolidated Eurex connections which can be ordered outside the proximity locations (please see table above).

Platform | Market/Service | Standard Access | Consolidated Connection (3) | Combined Access | iAccess | Single Leased Line (2)
Xetra | Enhanced Transaction Solution available for Xetra Frankfurt, Irish SE, Xetra International Market | 10 Mbit/s | 2 Mbit/s, 10 Mbit/s | n.a. | n.a. | 10 Mbit/s
Xetra | Enhanced Broadcast Solution available for Xetra Frankfurt, Irish SE, Xetra International Market | 10, 20, 30, 40, 50 Mbit/s | 10 Mbit/s + remaining bandwidth of Consolidated Xetra Connection | n.a. | n.a. | 10, 20, 30, 40, 50 Mbit/s

Xetra Frankfurt

Xetra Frankfurt 2 (4)

Eurex Bonds

Irish Stock Exchange (Irish SE)

Bulgarian Stock Exchange

Xetra International Market

512 kbit/s

2 Mbit/s

1 Gbit/s

512 kbit/s

2 Mbit/s

Xetra | EEX Spot Market | 512 kbit/s | n.a. | 512 kbit/s | 512 kbit/s | 512 kbit/s

VALUES Connection (MISS)

Xetra | Xetra WBAG | 128 kbit/s | n.a. | 128 kbit/s | 128 kbit/s | n.a.
XQS | XQS Issuers, XQS Specialists (5) | 64, 128, 256, 512 kbit/s; 1 or 2 Mbit/s | n.a. | n.a. | n.a. | 64, 128, 256, 512 kbit/s; 1 or 2 Mbit/s
z/OS | Mainframe Applications | 64, 128, 256 kbit/s | n.a. | 64, 128, 256 kbit/s | 64, 128, 256 kbit/s | n.a.

(1) Enhanced Risk Solution: A Eurex Clearing AG service (optional) providing members near-time risk data.

(2) Div.: Regarding Eurex (VALUES), Xetra (512 kbit/s) single leased line connections are allowed for disaster recovery and backup locations only. Not advised for the CEF® and the Enhanced Broadcast Solution service (see 4.1.2).

(3) Consolidated Connection: Eurex offers consolidated connections up to 70 Mbit/s in steps of 10 Mbit/s (except 40 Mbit/s). Within Proximity locations Eurex offers additionally 100, 120 and 600 Mbit/s consolidated connection options and 1 Gbit/s Eurex Enhanced Broadcast Solution connections. In London a 600 Mbit/s consolidated connection option is offered beside the consolidated Eurex connections which can be ordered outside the proximity locations. The Eurex Enhanced Broadcast Solution 1 Gbit/s connection does not allow any other service to be transmitted on the same circuit. Xetra offers consolidated connections up to 50 Mbit/s in steps of 10 Mbit/s. A Eurex/Xetra trading membership is mandatory to connect to the production environment of the Enhanced Broadcast Solution.

CEF® offers consolidated connections up to 1 Gbit/s e.g. if the customer wants to combine several CEF® Data Feeds on a single connection.

(4) Xetra Frankfurt 2: In case 512 kbit/s or 2 Mbit/s Xetra Frankfurt connections are used in shared mode on 2 Mbit/s lines the Xetra Frankfurt outbound traffic will be prioritised over Xetra Frankfurt 2 outbound traffic (outbound = traffic from the Xetra Back-End to the member). Issuers and Specialists can use XQS to provide quotes to Xetra Frankfurt 2 with respect to the appropriate market model.

(5) XQS Specialist: For Specialists it is compulsory to have the quote machines in separate locations which are at minimum 2 km apart.

(6) General: The type and bandwidth of the member network connection will be determined at the Exchange’s discretion.

5.2 Internet-Workstation-based Access Options

Platform | Market/Service | Internet Bandwidth
Eurex | EEX Derivatives | 1 Mbps (1)
Xetra | EEX Spot Market | 1 Mbps (1)

(1) Minimum bandwidth of the underlying Internet connection.

6. Network Communication Protocols

Depending on the market/service and the network connection different protocols are used:

• Leased lines E1 or T1: EIGRP and TCP-IP

• Ethernet Connections VALUES, and all CEF® Core connections: EIGRP and TCP-IP

• Enhanced Risk Solution: EIGRP, TCP-IP, SSL

• Ethernet Connections CEF® ultra+, Enhanced Broadcast Solution: EIGRP and UDP-IP (Multicast)

• Ethernet Connections Enhanced Transaction Solution: EIGRP, TCP-IP and IPSec (AES 256 bit)

• All VPN Internet Connections: EIGRP, TCP-IP and IPSec (3DES 168 bit)

• Internet Workstation-based: TCP-IP, SSL, SFTP

Note: Within proximity locations Enhanced Transaction Solution encryption can be switched off on request.

IPSec AES (Enhanced Transaction Solution connections)

The Advanced Encryption Standard (AES) feature adds support for the encryption standard AES, with Cipher Block Chaining (CBC) mode, to IP Security (IPSec). AES is a privacy transform for IPSec and Internet Key Exchange (IKE) and has been developed to replace the Data Encryption Standard (DES). AES is designed to be more secure than DES: AES offers a larger key size, while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. AES has a variable key length—the algorithm can specify a 128-bit key (the default), a 192-bit key, or a 256-bit key.

EIGRP (all leased line connections)

Member routers connected to the Exchange’s Access Points via leased lines or VPN Internet connections (iAccess) use EIGRP (default). The Exchange will assign an autonomous EIGRP system number.

IGMP (Enhanced Broadcast Solution, CEF® ultra+)

The Internet-Group-Management-Protocol (IGMP) is a control mechanism. The Enhanced Broadcast Solution data stream and CEF® ultra+ rely on IGMPv2 features.

IP

For details on the Internet Engineering Task Force (IETF) please visit the following website about the Internet Protocol (IP): http://www.ietf.org.

IPSec 3DES (iAccess connections)

The router connecting the member to the Exchange via a VPN Internet connection uses the IPSec protocol. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. Several functions are implemented as part of IPSec:

• Certification Authority (CA). The Exchange issues certificates for the member router. The member router will request the certificate during initial setup. The certificate will be shown on the member router and must be accepted or rejected by the member. The validity of the certificate will be verified interactively between the member and the Exchange. After validation the certificate is stored permanently in the router. Certificates expire after a period of 36 months. The member is responsible for deleting the certificate from his router if the router is no longer needed for connection to the Exchange. If the router becomes unavailable or inoperative the member must inform the Exchange immediately who will then revoke the certificate.

• Encryption policy defining how to encrypt. 3DES is used utilizing 168 bit keys (168 bit 3DES).

• Crypto map set defining what data is to be encrypted. All the data exchanged between the customer and the Exchange is encrypted.

• enrollment url http://193.29.78.191:10081/cgi-bin/pkiclient.exe

• port 10081

SSL

The Secure Socket Layer (SSL 3.0) is an Internet standard protocol that supports the standard security features (confidentiality, data integrity, data origin authentication and server authentication). Regarding the SSL encryption used by the Enhanced Risk Solution please refer to the document “Enhanced Risk Solution - Interface Specification Final Version”.

UDP

As with IP, UDP is a connectionless protocol and does not provide the same mechanisms that TCP does regarding lost or out of order packets. Consequently it is the application’s responsibility to manage lost, out of order or duplicated packets.
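The handling that this section and section 4.1.2 leave to the client application can be sketched as a small line arbiter that merges Service A and Service B, drops duplicates, restores order and records gaps. This is an added example, not code from the Exchange or from this guide; the per-datagram sequence number, the `FeedArbiter` name and the sample packets are assumptions, since the guide does not describe the packet layout here.

```python
from dataclasses import dataclass, field


@dataclass
class FeedArbiter:
    """Merge Service A and Service B into one in-order, duplicate-free stream.

    Assumption (not stated in the guide): both services carry the same
    per-stream sequence number in every datagram, starting at 1.
    """
    max_pending: int = 1000      # bound on the reorder buffer (memory safety)
    next_seq: int = 1            # next sequence number to release
    pending: dict = field(default_factory=dict)    # seq -> (service, payload)
    delivered: list = field(default_factory=list)  # (seq, payload), in order
    gaps: list = field(default_factory=list)       # (first, last) lost on both lines
    stats: dict = field(default_factory=lambda: {"A": 0, "B": 0, "dropped": 0})

    def on_packet(self, service, seq, payload):
        """Feed one datagram received on Service 'A' or Service 'B'."""
        if seq < self.next_seq or seq in self.pending:
            # Already released or already buffered: the copy from the other
            # line, a network duplicate, or a replayed datagram.
            self.stats["dropped"] += 1
            return
        self.pending[seq] = (service, payload)
        self._drain()
        if len(self.pending) > self.max_pending:
            # Buffer full: stop waiting for the missing packets.
            self._declare_gap()

    def _drain(self):
        """Release every buffered packet that is next in sequence."""
        while self.next_seq in self.pending:
            service, payload = self.pending.pop(self.next_seq)
            self.stats[service] += 1
            self.delivered.append((self.next_seq, payload))
            self.next_seq += 1

    def _declare_gap(self):
        """Record the missing range up to the oldest buffered packet."""
        first_buffered = min(self.pending)
        self.gaps.append((self.next_seq, first_buffered - 1))
        self.next_seq = first_buffered
        self._drain()

    def flush(self):
        """Call on a receive timeout: whatever is still missing is lost."""
        while self.pending:
            self._declare_gap()


def run_demo():
    """Constructed arrival order: A loses 3 and 5, B loses 4 and 5."""
    arrivals = [
        ("A", 1), ("B", 2), ("B", 1), ("A", 2), ("A", 4),
        ("B", 3), ("A", 6), ("B", 6), ("B", 6),
    ]
    arbiter = FeedArbiter()
    for service, seq in arrivals:
        arbiter.on_packet(service, seq, b"constructed-payload-%d" % seq)
    arbiter.flush()
    return arbiter


if __name__ == "__main__":
    result = run_demo()
    print("delivered:", [seq for seq, _ in result.delivered])
    print("gaps:", result.gaps, "stats:", result.stats)
```

A gap recorded here means the packet was lost on both lines; how the application recovers it depends on the feed's own recovery mechanism.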

6.1 Address Scheme

The Exchange network is a private network with private IP addressing rules and naming conventions. The private IP addresses will be assigned to all the network interfaces connected to the Member Device (MD)/router LAN. Addresses are class A, being subnetted to class C, using subnetting as defined in the TCP/IP standards.

All Exchange and member devices are given addresses in the x.a.b.0 network using class C subnet masks:

Where:

x is a number in the range between 89 and 94 assigned by the Exchange for the respective markets/services;

a and b can hold any value between 1 and 254; this means that 64516 (254*254) IP networks are available;

h = 1 up to 254 is a maximum number of hosts available within one network;

h = 0 is used to address the entire x.a.b network.

Example: A MD with the IP address 90.1.201.8 and a network mask of 255.255.255.0. Here, 90.1.201 is the network part and 8 is the host id. The whole MD/router network is referred to as 90.1.201.0.

6.2 Network Names

The Exchange allocates host names for the member Front-End components. The first character is either ‘M’ or ‘R’, indicating whether the node is a MD or a Router. This is followed by a number assigned by the Exchange. The use of the Exchange defined names is compulsory for the Internet connected VPN routers and is strongly recommended for the rest of the hardware components since this also facilitates the administration and communication between the member system administrator and the Exchange.

6.3 General Rules for Addressing

The addressing concept for a network is based on the following principles:

• The Exchange network is a private network and it does not conform to the Internet conventions.

• The Exchange uses the networks 89.0.0.0 to 94.255.255.0 except for the source addresses of the Enhanced Broadcast Solution where official public IP addresses are used (please see section 6.5).

• The IP network(s) and addresses are provided and distributed to members by the Exchange during the admission process.

• The first 3 octets of the member addresses are fixed; the 4th octet is used for addressing different devices within the member installation.

• A Class C subnet mask 255.255.255.0 is used.

[Diagram: IP address x . a . b . h with subnet mask 255 . 255 . 255 . 0; labels in the diagram: Network part, Subnet ID, Host ID]

6.4 Market/Services Specific IP Ranges

Private IP address ranges assigned by the Exchange with respect to the according market/service:

1. Octet Market/Service Example

89 or 90 Eurex and Xetra 90.1.201.0

91 CEF® 91.1.201.0

92 z/OS 92.1.201.0

94 XQS 94.1.201.0

6.5 Individual Host Addresses

The individual hosts are assigned within the member installation as shown below:

Range Usage

1 - 20 MD (assigned by the Exchange)

21 - 40 Routers (assigned by the Exchange)

41 - 199 Available for assignment by the member. These may be used for workstations in case of a single LAN configuration. In a two-LAN configuration, the member is free to use his own addressing rules for the workstations.

200 - 255 Reserved for future use
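The rules of sections 6.1 to 6.5 can be turned into an audit of a member's device inventory. This is an added example, not part of the guide: the function names, finding codes and inventory entries are constructed, and the cross-check between the host-name prefix (section 6.2) and the host range (section 6.5) is an inference from those two sections that older configurations covered by section 6.6 may legitimately fail.

```python
import ipaddress

# First octet -> market/service (section 6.4). 93 lies inside the 89-94 range
# of section 6.1 but has no entry in the table on this page.
MARKETS = {89: "Eurex and Xetra", 90: "Eurex and Xetra",
           91: "CEF", 92: "z/OS", 94: "XQS"}
# Host-id ranges inside one x.a.b.0 network (section 6.5).
HOST_ROLES = [(1, 20, "MD"), (21, 40, "Router"),
              (41, 199, "member"), (200, 255, "reserved")]
# Host-name prefix -> expected role (section 6.2).
NAME_ROLES = {"M": "MD", "R": "Router"}


def classify(address):
    """Return (market, network, role); raise ValueError if outside the scheme."""
    ip = ipaddress.IPv4Address(address)      # ValueError on malformed input
    x, a, b, h = ip.packed                   # the four octets as integers
    if not 89 <= x <= 94:
        raise ValueError(f"{address}: first octet outside 89-94")
    if not (1 <= a <= 254 and 1 <= b <= 254):
        raise ValueError(f"{address}: second/third octet outside 1-254")
    # Host id 0 addresses the whole x.a.b network, so it is no device address.
    role = next((r for lo, hi, r in HOST_ROLES if lo <= h <= hi), "network")
    return MARKETS.get(x, "unlisted"), f"{x}.{a}.{b}.0", role


def audit(inventory, assigned_network):
    """Check (name, address) pairs against the scheme; return findings."""
    findings = []
    for name, address in inventory:
        try:
            _market, network, role = classify(address)
        except ValueError:
            findings.append((name, "outside-scheme"))
            continue
        if network != assigned_network:
            # The first three octets are fixed per member installation.
            findings.append((name, "wrong-network"))
        if role in ("network", "reserved"):
            findings.append((name, f"{role}-host-id"))
            continue
        # Only names of the form M<number> / R<number> are Exchange-style.
        expected = NAME_ROLES.get(name[:1]) if name[1:].isdigit() else None
        if expected and role != expected:
            findings.append((name, "name-role-mismatch"))
    return findings


# Constructed inventory for illustration; names and numbers are made up.
SAMPLE_INVENTORY = [
    ("M101", "90.1.201.8"),    # MD in the MD range
    ("R201", "90.1.201.21"),   # router in the router range
    ("M102", "90.1.201.30"),   # MD name on a router-range host id
    ("WS7", "90.1.201.50"),    # workstation in the member range
    ("R202", "90.1.202.22"),   # router in a different x.a.b network
    ("M103", "10.0.0.5"),      # address outside 89-94
    ("R203", "90.1.201.200"),  # host id reserved for future use
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, "90.1.201.0"):
        print(finding)
```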

6.6 Addressing and Name Exceptions

Some older configurations use different names and addresses. These may be kept if desired. The setup in this document is to be used accordingly. In case of any queries please contact the Customer Technical Support of the respective Exchange – for contact information see chapter 2.

6.7 Multicast Groups

Please make sure that the multicast groups for the Enhanced Broadcast Solution and CEF® ultra+ do not conflict with the local multicast groups used for MISS-based installations. Please see the recommendation given in section 6.7.1. An overview of the port numbers is given in Chapter 9.

6.7.1 MISS-based Installations

The multicast groups used by a MISS Server for each application must be assigned by the member’s network administrator.

RFC0791 defines the range from 224.0.0.0 through 239.255.255.255 as valid multicast addresses. The Exchange recommends using the limited scope of 239.0.0.0/10 on MISSes.

6.7.2 Reference Information – Enhanced Broadcast Solution and CEF® ultra+

The product reference information provided by the reference information stream contains the respective multicast channel information (i.e. multicast group and port number) for all available products. The multicast group and port number combinations for the reference data disseminated by the static reference data interface are as follows:

Eurex/CEF® ultra+ Eurex

Service

Environment Service A Service B Platform

Production 224.0.29.255:50099 224.0.30.255:50099 Eurex , CEF® ultra+ Eurex

Simulation 233.49.81.127:50199 233.49.81.255:50199 Eurex, CEF® ultra+ Eurex

Adv. Simulation 233.49.81.127:50399 233.49.81.255:50399 Eurex, CEF® ultra+ Eurex

Xetra Frankfurt/CEF® ultra+ Xetra

Service

Environment Service A Service B Platform

Production 224.0.46.0:55199 224.0.47.0:55199 Xetra, CEF® ultra+ Xetra

Simulation 224.0.48.0:55299 224.0.49.0:55299 Xetra, CEF® ultra+ Xetra

Adv. Simulation 224.0.48.104:55399 224.0.49.104:55399 Xetra, CEF® ultra+ Xetra

Xetra Irish SE/CEF® ultra+ Irish Stock Exchange

Service

Environment Service A Service B Platform

Production 224.0.46.80:55599 224.0.47.0:55599 Xetra Irish SE*, CEF® ultra+ Irish Stock Exchange

Simulation 224.0.48.0:55299 224.0.49.0:55299 Xetra Frankfurt, CEF® ultra+ Irish Stock Exchange

*Note: The reference information for Xetra Irish SE will be included in the reference information stream of Xetra Frankfurt.

Xetra International Market/CEF® ultra+ Xetra

Service

Environment Service A Service B Platform

Production 224.0.46.240:55799 224.0.47.240:55799 Xetra International Market *, CEF® ultra+ Xetra,

Simulation 224.0.48.0:55299 224.0.49.0:55299 Xetra Frankfurt, CEF® ultra+ Xetra

* Note: The reference information for Xetra International Market will be included in the reference information stream of Xetra Frankfurt.

6.7.3 Enhanced Broadcast Solution and CEF® ultra+

The following multicast group ranges are used for the Enhanced Broadcast Solution/CEF® ultra+:

- Multicast groups - official public IP range assigned to the Exchange by IANA

- Eurex Simulation/Advanced Simulation multicast groups only - GLOP with official public AS number (2nd and 3rd octet).

Important Note: The multicast addresses mentioned in the tables below might be subject to changes. The multicast addresses used are transmitted with the reference information stream, please see section 6.7.2 above.

Eurex Enhanced Broadcast Solution/CEF® ultra+ Eurex

| Environment | Description | Service A | Service B |
|---|---|---|---|
| Production | Multicast Groups | 224.0.29.0/24 | 224.0.30.0/24 |
| Production | Multicast Source Networks | 193.29.95.0/27 and 193.29.95.32/27 | 193.29.95.64/27 and 193.29.95.96/27 |
| Simulation and Advanced Simulation | Multicast Groups | 233.49.81.0/25 | 233.49.81.128/25 |
| Simulation and Advanced Simulation | Multicast Source Networks | 193.29.95.128/29 and 193.29.95.136/29 | 193.29.95.144/29 and 193.29.95.152/29 |

Xetra Frankfurt Enhanced Broadcast Solution/CEF® ultra+ Xetra

| Environment | Description | Service A | Service B |
|---|---|---|---|
| Production | Multicast Groups | 224.0.46.0 - 79 | 224.0.47.0 - 79 |
| Production | Multicast Source Networks | 193.29.93.0/27 and 193.29.93.32/27 | 193.29.93.64/27 and 193.29.93.96/27 |
| Simulation | Multicast Groups | 224.0.48.0 - 39 | 224.0.49.0 - 39 |
| Simulation | Multicast Source Networks | 193.29.93.128/29 and 193.29.93.136/29 | 193.29.93.144/29 and 193.29.93.152/29 |
| Advanced Simulation | Multicast Groups | 224.0.48.104 - 143 | 224.0.49.104 - 143 |
| Advanced Simulation | Multicast Source Networks | 193.29.93.128/29 and 193.29.93.136/29 | 193.29.93.144/29 and 193.29.93.152/29 |

Xetra Irish SE Enhanced Broadcast Solution/CEF® ultra+ Irish Stock Exchange

| Environment | Description | Service A | Service B |
|---|---|---|---|
| Production | Multicast Groups | 224.0.46.80 - 95 | 224.0.47.80 - 95 |
| Production | Multicast Source Networks | 193.29.93.0/27 and 193.29.93.32/27 | 193.29.93.64/27 and 193.29.93.96/27 |
| Simulation | Multicast Groups | 224.0.48.40 - 47 | 224.0.49.40 - 47 |
| Simulation | Multicast Source Networks | 193.29.93.128/29 and 193.29.93.136/29 | 193.29.93.144/29 and 193.29.93.152/29 |

Xetra International Market Enhanced Broadcast Solution/CEF® ultra+ Xetra

| Environment | Description | Service A | Service B |
|---|---|---|---|
| Production | Multicast Groups | 224.0.46.240 - 255 | 224.0.47.240 - 255 |
| Production | Multicast Source Networks | 193.29.93.0/27 and 193.29.93.32/27 | 193.29.93.64/27 and 193.29.93.96/27 |
| Simulation | Multicast Groups | 224.0.48.208 - 215 | 224.0.49.208 - 215 |
| Simulation | Multicast Source Networks | 193.29.93.128/29 and 193.29.93.136/29 | 193.29.93.144/29 and 193.29.93.152/29 |

6.7.4 Rendezvous Points Enhanced Broadcast Solution and CEF® ultra+

Due to the use of PIM Sparse Mode and “Any Source Multicast” a rendezvous point for each multicast stream is required. The rendezvous points for the Enhanced Broadcast Solution and CEF® ultra+ are as follows:

| Platform | Service A | Service B |
|---|---|---|
| Eurex and CEF® ultra+ Eurex | 193.29.95.252/32 | 193.29.95.253/32 |
| Xetra Frankfurt, Xetra International Market, Irish SE, CEF® ultra+ Xetra and CEF® ultra+ Irish Stock Exchange | 193.29.93.252/32 | 193.29.93.253/32 |
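With Any Source Multicast any host can send to a group, so a receiver-side filter should tie each group range in 6.7.3 to its published source networks. The following is an added example, not part of the original publication: it classifies observed (source, group) pairs against the Eurex and Xetra Frankfurt rows only; the names `FEEDS`, `classify` and `audit` and the sample flows are assumptions made for the illustration.

```python
"""Added example: check observed multicast flows against the published
group ranges and source networks (Eurex and Xetra Frankfurt rows only)."""
from ipaddress import ip_address, ip_network


def octet_range(first, last_octet):
    """Expand the tables' 'a.b.c.X - Y' notation into (low, high)."""
    low = ip_address(first)
    return low, ip_address((int(low) & ~0xFF) | last_octet)


def cidr_range(cidr):
    """Return (low, high) for a group range given as a prefix."""
    net = ip_network(cidr)
    return net[0], net[-1]


# Source networks per column of the tables in 6.7.3. The document notes
# that these addresses may change; refresh them from the reference stream.
EUREX_PROD = {"A": ("193.29.95.0/27", "193.29.95.32/27"),
              "B": ("193.29.95.64/27", "193.29.95.96/27")}
EUREX_SIM = {"A": ("193.29.95.128/29", "193.29.95.136/29"),
             "B": ("193.29.95.144/29", "193.29.95.152/29")}
XETRA_PROD = {"A": ("193.29.93.0/27", "193.29.93.32/27"),
              "B": ("193.29.93.64/27", "193.29.93.96/27")}
XETRA_SIM = {"A": ("193.29.93.128/29", "193.29.93.136/29"),
             "B": ("193.29.93.144/29", "193.29.93.152/29")}

# (feed name, service, group range, allowed source networks)
FEEDS = [
    ("Eurex Production", "A", cidr_range("224.0.29.0/24"), EUREX_PROD["A"]),
    ("Eurex Production", "B", cidr_range("224.0.30.0/24"), EUREX_PROD["B"]),
    ("Eurex Simulation/Advanced Simulation", "A",
     cidr_range("233.49.81.0/25"), EUREX_SIM["A"]),
    ("Eurex Simulation/Advanced Simulation", "B",
     cidr_range("233.49.81.128/25"), EUREX_SIM["B"]),
    ("Xetra Frankfurt Production", "A", octet_range("224.0.46.0", 79), XETRA_PROD["A"]),
    ("Xetra Frankfurt Production", "B", octet_range("224.0.47.0", 79), XETRA_PROD["B"]),
    ("Xetra Frankfurt Simulation", "A", octet_range("224.0.48.0", 39), XETRA_SIM["A"]),
    ("Xetra Frankfurt Simulation", "B", octet_range("224.0.49.0", 39), XETRA_SIM["B"]),
    ("Xetra Frankfurt Advanced Simulation", "A",
     octet_range("224.0.48.104", 143), XETRA_SIM["A"]),
    ("Xetra Frankfurt Advanced Simulation", "B",
     octet_range("224.0.49.104", 143), XETRA_SIM["B"]),
]


def classify(source, group):
    """Return (verdict, feed) for one observed (source, group) pair."""
    src, grp = ip_address(source), ip_address(group)
    for name, service, (low, high), networks in FEEDS:
        if low <= grp <= high:
            feed = f"{name}, Service {service}"
            if any(src in ip_network(net) for net in networks):
                return "expected", feed
            return "unexpected-source", feed
    return "unknown-group", None


def audit(flows):
    """Keep only the flows that need attention."""
    findings = []
    for source, group in flows:
        verdict, feed = classify(source, group)
        if verdict != "expected":
            findings.append((source, group, verdict, feed))
    return findings


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    ("193.29.93.10", "224.0.46.5"),     # Xetra production A from an A source
    ("193.29.93.70", "224.0.46.5"),     # A group, sender in a Service B network
    ("10.1.2.3", "224.0.29.17"),        # Eurex production A from a private address
    ("193.29.93.130", "224.0.48.110"),  # Xetra advanced simulation A
    ("193.29.95.5", "239.1.1.1"),       # group outside every listed range
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```
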


7. Network Hardware

The exchange operated network is built on a homogeneous supplier platform using equipment from Cisco Systems. Network security, high availability and the uniform routing protocol were the essential criteria for choosing this hardware platform. Therefore, only Cisco routers featuring the IOS operating system are required. Depending on the connection type and market/service it is recommended to use certain Cisco equipment such as the ASR 1000 or the 7600/6500 series. Other supported routers are: Cisco 1700, 1800, 2600, 2800, 3600, 3700, 3800 and 7200 series. All routers connecting to the exchange via a VPN Internet connection (iAccess) or to an Enhanced Transaction Solution interface via an encrypted connection must be equipped with VPN Hardware Encryption functionality. Cisco 1800, 2800 and 3800 series routers come with embedded security hardware acceleration, enabling VPN services with the appropriate Cisco IOS.

Please note: Cisco switches are not recommended with exception of the Cisco Catalyst 6500 series, Catalyst 4900M and 4948.

In order to allow the Exchange to monitor its leased lines, members are asked to permit ICMP echo requests sent by the Exchange over the Exchange leased line to the member network interface, and the ICMP echo replies to those requests.

7.1 Channelised E1 Member Connections

Channelised E1 leased lines ordered by the Exchange are presented with a RJ45 jack (balanced-120Ω impedance) and the pin layout 1,2;4,5. If a RJ45 jack cannot be provided by the carrier, a BNC jack (unbalanced - 75Ω impedance) will be provided. In this case a BALUN could be necessary on the customer side to match the router interface impedance and the leased line impedance. Please refer to the table below. The Cisco E1 cards VWIC-1MFT-E1 and VWIC-1MFT-G703 are not supported because they are limited to only two channel groups.

Router Type

Supported Modules Minimum IOS Version

E1 Router Cable Leased Line Presentation RJ45 (balanced - 120Ω)

E1 Router Cable Leased Line Presentation BNC (unbalanced -

75Ω)

NM-1CE1B (1 Port)

NM-2CE1B (2 Ports)

CAB-E1-PRI

CAB-E1-BNC and

appropriate BALUN

2600 not

available from

Cisco

NM-1CE1U (1 Port)

NM-2CE1U (2 Ports)

12.0(1), 12.1(1) or 12.2(1)

CAB-E1-BNC and

appropriate BALUN

CAB-E1-BNC

2600XM

not

NM-1CE1B (1 Port)

NM-2CE1B (2 Ports)

12.1(14) or

CAB-E1-PRI

(see Note 1)

CAB-E1-BNC and

appropriate BALUN


NM-1CE1U (1 Port)

NM-2CE1U (2 Ports)

12.2(12) CAB-E1-BNC and

appropriate BALUN

CAB-E1-BNC available from Cisco

2600XM NM-1CE1T1-PRI (1 Port)

NM-2CE1T1-PRI (2 Ports)

12.3(1) any RJ45 to RJ45 straight through, shielded twisted pair cable

CAB-E1-RJ45BNC

NM-1CE1T1-PRI(1 Port)

NM-2CE1T1-PRI (2 Ports)

2811/ 2821/ 2851

HWIC-1CE1T1-PRI HWIC-2CE1T1-PRI

12.3(8)T

12.4(20)T

any RJ45 to RJ45 straight through, shielded twisted pair cable

CAB-E1-RJ45BNC

NM-1CE1B (1 Port)

NM-2CE1B (2 Ports)

CAB-E1-PRI (see Note 1)

CAB-E1-BNC and appropriate BALUN

NM-1CE1U (1 Port)

NM-2CE1U (2 Ports)

CAB-E1-BNC and appropriate BALUN

CAB-E1-BNC

NM-1FE1CE1B (1 Port)

NM-1FE2CE1B (2Ports)

CAB-E1-PRI

(see Note 1)

CAB-E1-BNC and appropriate BALUN

3600 not

available from Cisco

NM-1FE1CE1U (1 Port) - NM-1FE2CE1U (2 Ports)

12.0(1), 12.1(1) or 12.2(1)

12.0(1), 12.1(1) or 12.2(1)

CAB-E1-BNC

appropriate BALUN

CAB-E1-BNC

NM-1CE1B (1 Port)

NM-2CE1B (2 Ports)

CAB-E1-PRI

(see Note 1)

CAB-E1-BNC and appropriate BALUN

NM-1CE1U (1 Port)

NM-2CE1U (2 Ports)

12.2(8)T

12.3(2)T

CAB-E1-BNC and

appropriate BALUN

CAB-E1-BNC

3725/ 3745

not available

from Cisco NM-1CE1T1-PRI (1 Port)

NM-2CE1T1-PRI (2 Ports)

12.3(1) any RJ45 to RJ45 straight through, shielded twisted pair cable

CAB-E1-RJ45BNC

3825/ 3845

NM-1CE1T1-PRI (1 Port)

NM-2CE1T1-PRI (2 Ports)

12.3(11)T

any RJ45 to RJ45 straight through, shielded

CAB-E1-RJ45BNC


HWIC-1CE1T1-PRI HWIC-2CE1T1-PRI

12.4(20)T twisted pair cable

General information:

1. Since May 2004 the NM-1CE1B/NM-1CE1U and NM-2CE1B/NM-2CE1U cards are no longer available from Cisco. Since January 2009 the cards NM-1CE1T1-PRI and NM-2CE1T1-PRI have been replaced by the cards HWIC-1CE1T1-PRI and HWIC-2CE1T1-PRI.

2. The NM-1CE1T1-PRI and the HWIC-1CE1T1-PRI card will not appear in the list of interfaces in a router until it is configured with the ‘card type’ command. For example (config mode):

Config#> card type e1 1

where 1 is the slot number in the router. The new NM-1CE1T1-PRI card is set to 120Ω impedance by default but can be adjusted to 75Ω impedance.

3. The router RAM configuration depends on the hardware type, model and IOS version. Therefore, a general guideline cannot be given here. Please consult your Cisco hardware provider for the required amount and type.

7.2 Channelised T1 Member Connections

Channelised T1 network connections ordered by the exchange are presented with a RJ48 (RJ45) jack pin layout 1,2; 4,5. The T1 cards of the type VWIC-1MFT-T1 and VWIC-2MFT-T1 are not supported because they are limited to only two channel groups.

| Router Type | Supported T1 Card | Minimum IOS Version | T1 Router Cable |
|---|---|---|---|
| 2600 (not available from Cisco) | NM-1CT1-CSU (1 Port), NM-2CT1-CSU (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | any standard RJ48 T1-cable |
| 2600XM (not available from Cisco) | NM-1CT1-CSU (1 Port), NM-2CT1-CSU (2 Ports) | 12.1(14) or 12.2(12) | any standard RJ48 T1-cable |
| 2600XM (not available from Cisco) | NM-1CE1T1-PRI (1 Port), NM-2CE1T1-PRI (2 Ports) | 12.3(1) | any standard RJ48 T1-cable |
| 2811/ 2821/ 2851 | NM-1CE1T1-PRI (1 Port), NM-2CE1T1-PRI (2 Ports) | 12.3(8)T | any standard RJ48 T1-cable |
| 2811/ 2821/ 2851 | HWIC-1CE1T1-PRI, HWIC-2CE1T1-PRI | 12.4(20)T | any standard RJ48 T1-cable |
| 3600 (not available from Cisco) | NM-1CT1-CSU (1 Port), NM-2CT1-CSU (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | any standard RJ48 T1-cable |
| 3725/ 3745 (not available from Cisco) | NM-1CT1-CSU (1 Port), NM-2CT1-CSU (2 Ports) | 12.2(8)T1 or 12.3(2)T | any standard RJ48 T1-cable |
| 3725/ 3745 (not available from Cisco) | NM-1CE1T1-PRI (1 Port), NM-2CE1T1-PRI (2 Ports) | 12.3(1) | any standard RJ48 T1-cable |
| 3825/ 3845 | NM-1CE1T1-PRI (1 Port), NM-2CE1T1-PRI (2 Ports) | 12.3(11)T | any standard RJ48 T1-cable |
| 3825/ 3845 | HWIC-1CE1T1-PRI, HWIC-2CE1T1-PRI | 12.4(20)T | any standard RJ48 T1-cable |

General Information:

1. Since May 2004 the NM-1CE1B/NM-1CE1U and NM-2CE1B/NM-2CE1U cards are no longer available from Cisco. Since January 2009 the cards NM-1CE1T1-PRI and NM-2CE1T1-PRI have been replaced by the cards HWIC-1CE1T1-PRI and HWIC-2CE1T1-PRI.

2. The NM-1CE1T1-PRI and the HWIC-1CE1T1-PRI card will not appear in the list of interfaces in a router until it is configured with the ‘card type’ command. For example (config mode):

Config#> card type t1 1

where 1 is the slot number in the router. The new NM-1CE1T1-PRI card is set to 120Ω impedance by default but can be adjusted to 75Ω impedance.

3. The RAM configuration of the router depends on the type, model and IOS version. Therefore, a general guideline cannot be given here. Please consult your Cisco hardware provider for the required amount and type.


7.3 Non-channelised E1 Member Connections

Non-channelised E1 network connections ordered by the Exchange are presented with a RJ45 jack (balanced-120Ω impedance) and the pin layout 1,2;4,5. In case a RJ45 jack cannot be provided by the carrier, a BNC jack (unbalanced - 75Ω impedance) will be provided. In this case, a BALUN could be necessary on the customer side to match the router interface impedance and the leased line impedance. Please refer to the table below.

The Cisco E1 cards VWIC-1MFT-E1 and VWIC-2MFT-E1 are not supported because they do not support clear channel E1s.

| Router Type | Supported Modules | Minimum IOS Version | E1 Router Cable, Leased Line Presentation RJ45 (balanced - 120Ω) | E1 Router Cable, Leased Line Presentation BNC (unbalanced - 75Ω) |
|---|---|---|---|---|
| 1721, 1751, 1760, 2600XM, 2691, 2800, 3700, 3800 | VWIC2-1MFT-G.703, VWIC2-2MFT-G.703 | 12.3(14) T | any RJ45 to RJ45 straight through, shielded twisted pair cable | CAB-E1-RJ45BNC |
| 2600, 3620, 3640, 3660 | VWIC-1MFT-G.703, VWIC-2MFT-G.703 | 12.1(1) T | any RJ45 to RJ45 straight through, shielded twisted pair cable | CAB-E1-RJ45BNC |
| 2600XM, 2691, 3700 | VWIC-1MFT-G.703, VWIC-2MFT-G.703 | 12.2(8) T | any RJ45 to RJ45 straight through, shielded twisted pair cable | CAB-E1-RJ45BNC |
| 2600XM, | VWIC-1MFT-G.703, NM-1CE1T1-PRI or resp. 2 port version | 12.2(8) T | any RJ45 to RJ45 straight through, shielded twisted pair cable | CAB-E1-RJ45BNC |
| 2800 | VWIC-1MFT-G.703, NM-1CE1T1-PRI, HWIC-1CE1T1-PRI or resp. 2 port version | 12.3(8) T4, 12.4(20)T | any RJ45 to RJ45 straight through, shielded twisted pair cable | CAB-E1-RJ45BNC |
| 3800 | VWIC-1MFT-G.703, NM-1CE1T1-PRI, HWIC-1CE1T1-PRI or resp. 2 port version | 12.3(11) T, 12.4(20)T | any RJ45 to RJ45 straight through, shielded twisted pair cable | CAB-E1-RJ45BNC |


7.4 Ethernet Connections with Multicast (MC) + Encrypted TCP-IP Traffic

Deutsche Börse recommends using CISCO equipment of the ASR 1000, 7600 or 6500 series for Ethernet connections with Enhanced Broadcast Solution (multicast) and encrypted Enhanced Transaction Solution (TCP-IP) traffic.

Routers of the Cisco 3800 and 7200 series can be used for connections with up to 60 Mbit/s multicast traffic and 10 Mbps encrypted Enhanced Transaction Solution traffic, which meets the current minimum requirement for such a constellation. However, in view of the rapidly increasing bandwidth requirements of market feeds, Deutsche Börse recommends using more powerful equipment of the ASR 1000, 7600 or 6500 series.

Later IOS versions than those listed in the tables in this section 7.4 should also work but have not been verified. As of the document’s release date, for consolidated Eurex – Xetra connections, two leased lines can be connected to the CISCO devices ASR 1000, Catalyst 6500 and 7600 series.

Additional information on recommended CISCO hardware for Ethernet connections with multicast + encrypted TCP-IP traffic:

CISCO 7200 series

Only the onboard Gigabit-Ethernet ports (NPE-G2) have been tested; the “old” PA-GE card is not recommended.

CISCO ASR 1000 series

If encrypted Enhanced Transaction Solution connections are terminated on a CISCO ASR 1000 series router, the encryption right-to-use feature licence for the ASR1000 series is required. The ASR 1002 comes with 4 on-board 1 Gbps ports. The ASR routers 1004 and 1006 require Ethernet ports such as the Cisco 5-Port Gigabit Ethernet shared port adapter. In any case the respective SFP modules are required.

CISCO Catalyst 6500 series

If encrypted Enhanced Transaction Solution connections are terminated on a CISCO Catalyst 6500, then Crypto and bearer Cards (7600-SSC-400 and SPA-IPSEC-2G) as well as an IOS Advanced IP Services Image are required. The additional cards require a Supervisor Engine 720. Note: Bandwidth Shaping of Enhanced Transaction Solution Simulation is not possible on the Catalyst 6500. RTR must be used instead of IP SLA for the IPSEC Tunnel keep-alive. ISAKMP keep-alive with Periodic mode is not supported on the IOS version 12.2(18)SXF. This feature is supported from IOS 12.2(33)SXH onwards.


CISCO 7600 series

If encrypted Enhanced Transaction Solution connections are terminated on a CISCO 7600, then Crypto and bearer Cards (7600-SSC-400 and SPA-IPSEC-2G) as well as an IOS Advanced IP Services Image are required. The additional cards require a Supervisor Engine 720.

CISCO SFPs with DOM (Digital Optical Monitoring)

If dark fibres are delivered and your equipment can read the optical power using SFPs with DOM (Digital Optical Monitoring), it can be verified whether the optical power is within the module specification. This feature helps to select the appropriate attenuator if needed (SFPs with DOM - e.g. SFP-GE-L or SFP-GE-Z, non DOM e.g. GLC-LH-SM or GLC-ZX-SM).

In the following example, the optical power in the last line (here: -2.1 dBm) is not within the specification.

Command: #sh interface transceiver

Example Output:

                 Optical          High Alarm  High Warn  Low Warn   Low Alarm
                 Transmit Power   Threshold   Threshold  Threshold  Threshold
    Port         (dBm)            (dBm)       (dBm)      (dBm)      (dBm)
    -------      -----------      ----------  ---------  ---------  ---------
    Gi1/1          -5.7             -2.5        -3.0       -9.5      -10.0

                 Optical          High Alarm  High Warn  Low Warn   Low Alarm
                 Receive Power    Threshold   Threshold  Threshold  Threshold
    Port         (dBm)            (dBm)       (dBm)      (dBm)      (dBm)
    -------      --------------   ----------  ---------  ---------  ---------
    Gi1/1          -2.1 ++          -3.0        -3.0      -19.0      -19.5   <=

    mA: milliamperes, dBm: decibels (milliwatts), NA or N/A: not applicable.
    ++ : high alarm, + : high warning, - : low warning, -- : low alarm.
    A2D readouts (if they differ), are reported in parentheses.
    The threshold values are calibrated.
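The check described above can be automated. The following is an added example, not part of the original publication: it parses output in the layout shown, recomputes the alarm state from the printed thresholds, and sizes an attenuator for the receive side. The function names, and the rule of attenuating down to the high-warning threshold, are assumptions of this example.

```python
"""Added example: evaluate DOM optical power readings against the
thresholds printed by 'sh interface transceiver'."""

# Sample rebuilt from the example output on this page (values unchanged).
SAMPLE = """\
             Optical          High Alarm  High Warn  Low Warn   Low Alarm
             Transmit Power   Threshold   Threshold  Threshold  Threshold
Port         (dBm)            (dBm)       (dBm)      (dBm)      (dBm)
-------      -----------      ----------  ---------  ---------  ---------
Gi1/1          -5.7             -2.5        -3.0       -9.5      -10.0

             Optical          High Alarm  High Warn  Low Warn   Low Alarm
             Receive Power    Threshold   Threshold  Threshold  Threshold
Port         (dBm)            (dBm)       (dBm)      (dBm)      (dBm)
-------      --------------   ----------  ---------  ---------  ---------
Gi1/1          -2.1 ++          -3.0        -3.0      -19.0      -19.5   <=
"""


def _floats(tokens):
    """Return the numeric tokens; flags ('++') and rulers are skipped."""
    values = []
    for token in tokens:
        try:
            values.append(float(token))
        except ValueError:
            pass
    return values


def parse(text):
    """Return rows of (port, direction, power, high_alarm, high_warn,
    low_warn, low_alarm); direction follows the last table header seen."""
    direction = None
    rows = []
    for line in text.splitlines():
        if "Transmit" in line:
            direction = "tx"
        elif "Receive" in line:
            direction = "rx"
        tokens = line.split()
        numbers = _floats(tokens[1:])
        if direction and len(numbers) == 5:
            rows.append((tokens[0], direction, *numbers))
    return rows


def assess(power, high_alarm, high_warn, low_warn, low_alarm):
    """Recompute the state from the thresholds instead of trusting flags."""
    if power > high_alarm:
        return "high alarm"
    if power > high_warn:
        return "high warning"
    if power < low_alarm:
        return "low alarm"
    if power < low_warn:
        return "low warning"
    return "ok"


def report(text):
    """Return (port, direction, power, state, attenuation_db) per row."""
    results = []
    for port, direction, power, ha, hw, lw, la in parse(text):
        state = assess(power, ha, hw, lw, la)
        # Assumption: attenuate the receive side until the reading is at
        # or below the high-warning threshold.
        needed = round(power - hw, 1) if direction == "rx" and power > hw else 0.0
        results.append((port, direction, power, state, needed))
    return results


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```
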

7.4.1 Lines with up to 60 Mbit/s MC + 10 Mbit/s encrypted TCP-IP traffic

| Device Type | Modules Required for Encryption | Tested IOS Versions |
|---|---|---|
| 3825/ 3845 | embedded security hardware | 12.4(16b) |
| 7206VXR | NPE-G2 with SA-VAM2+ | 12.4(16b) |
| ASR 1002, 1004, 1006 | embedded security hardware | 12.2.(33)XNA1 |
| Catalyst 6500 | Supervisor Engine 720 with 7600-SSC-400 and SPA-IPSEC-2G | 12.2.(18)SXF13, 12.2.(33)SXH3 |
| 7600 | Supervisor Engine 720 with 7600-SSC-400 and SPA-IPSEC-2G | 12.2.(33)SRC |

Note: Concerning latency optimisation in proximity it is not recommended to use any kind of HWIC modules to pass through multicast while encryption is enabled on the respective interface.

7.4.2 Lines with more than 60 Mbit/s MC + 20 Mbit/s encrypted TCP-IP traffic

| Device Type | Modules Required for Encryption | Tested IOS Versions |
|---|---|---|
| 7206VXR* | NPE-G2 with SA-VAM2+ | 12.4(16b) |
| ASR 1002, 1004, 1006 | embedded security hardware | 12.2.(33)XNA1 |
| Catalyst 6500 | Supervisor Engine 720 with 7600-SSC-400 and SPA-IPSEC-2G | 12.2.(18)SXF13, 12.2.(33)SXH3 |
| 7600 | Supervisor Engine 720 with 7600-SSC-400 and SPA-IPSEC-2G | 12.2.(33)SRC |

* The 7200 series is not recommended to be connected to Ethernet connections with more than 80 Mbit/s multicast and 20 Mbit/s encrypted Enhanced Transaction Solution TCP-IP traffic.


Note: Concerning latency optimisation in proximity it is not recommended to use any kind of HWIC modules to pass through multicast while encryption is enabled on the respective interface.

7.5 Ethernet Connections with Multicast (MC) + Non-Encrypted TCP-IP Traffic

Within proximity locations the Enhanced Transaction Solution encryption can be switched off on request. Routers of the Cisco 3800 and 7200 series can be used for connections with up to 80 Mbit/s multicast traffic and e.g. 20 Mbps non-encrypted Enhanced Transaction Solution traffic, which meets the current minimum requirement for such a constellation. However, in view of the rapidly increasing bandwidth requirements of market feeds, Deutsche Börse recommends using more powerful equipment of the ASR 1000, 7600 or Catalyst 6500 series, 4948 or 4900M. Later IOS versions than those listed in the tables in this section should also work but have not been verified. As of the document’s release date, for consolidated Eurex – Xetra connections, two leased lines can be connected to the CISCO devices ASR 1000, 7600, Catalyst 6500 series, 4948 and 4900M.

7.5.1 Lines with up to 80 Mbit/s MC + 20 Mbit/s Non-Encrypted TCP-IP Traffic

| Device Type | Tested IOS Versions |
|---|---|
| 3825 or 3845 | 12.4(16b) |
| 7206VXR | 12.4(16b) |
| ASR 1002, 1004 or 1006 | 12.2.(33)XNA1 |
| 4948 | 12.2(46)SG |
| 4900M | 12.2.(46)SG |
| Catalyst 6500 | 12.2.(18)SXF13, 12.2.(33)SXH3 |
| 7600 | 12.2.(33)SRC |

7.5.2 Lines with more than 80 Mbit/s MC + 20 Mbit/s Non-Encrypted TCP-IP Traffic

| Device Type | Tested IOS Versions |
|---|---|
| 7206VXR* | 12.4(16b) |
| ASR 1002, 1004 or 1006 | 12.2.(33)XNA1 |
| 4948 | 12.2(46)SG |
| 4900M | 12.2.(46)SG |
| Catalyst 6500 | 12.2.(18)SXF13, 12.2.(33)SXH3 |
| 7600 | 12.2.(33)SRC |


* The 7200 series is not recommended to be connected to Ethernet connections with more than 150 Mbit/s multicast and 40 Mbit/s non-encrypted Enhanced Transaction Solution TCP-IP traffic.


7.6 Ethernet Connections with Non-Encrypted TCP-IP Traffic

| Router Type | 1 Gigabit Ports on-board and additional Modules | Copper Connectivity | Fibre Connectivity SFP Part Number | Minimum IOS Version |
|---|---|---|---|---|
| 2811 | HWIC-1GE-SFP (1 Port) | GLC-T= | GLC-LH-SM (up to 10 km), GLC-ZX-SM (up to 70-100 km) | 12.3(8)T |
| 2821/ 2851 | 2 ports on-board | on-board | on-board ports not adaptable to fibre | 12.3(8)T |
| 2821/ 2851 | HWIC-1GE-SFP (1 Port) | GLC-T= | GLC-LH-SM (up to 10 km), GLC-ZX-SM (up to 70-100 km) | 12.3(8)T |
| 3725/ 3745 | NM-1GE (1 Port) | WS-G5483 | WS-G5486 (up to 10 km), WS-G5487 (up to 70-100 km) | 12.3(2)T |
| 3825/ 3845 | 2 ports on-board | on-board | Port 0 can be adapted to fiber: GLC-LH-SM (up to 10 km), GLC-ZX-SM (up to 70-100 km) | 12.3(11)T |
| 3825/ 3845 | HWIC-1GE-SFP (1 Port) | GLC-T= | GLC-LH-SM (up to 10 km), GLC-ZX-SM (up to 70-100 km) | 12.3(11)T |
| 3825/ 3845 | NM-1GE (1 Port) | WS-G5483 | WS-G5486 (up to 10 km), WS-G5487 (up to 70-100 km) | 12.3(11)T |
| ASR 1002 | 4 ports on-board | SFP-GE-T | SFP-GE-L (up to 10 km), SFP-GE-Z (up to 70-100 km) | 12.2.(33)XNA1 |
| ASR 1002 | SPA-5X1GE-V2 (e.g. 5 port) | SFP-GE-T | SFP-GE-L (up to 10 km), SFP-GE-Z (up to 70-100 km) | 12.2.(33)XNA1 |

Note: The single-port Cisco HWIC provides Gigabit Ethernet connectivity but will not support line rate since the throughput is limited by the router platforms.


7.7 X.21 and V.35 Non-channelised Member Network Connection

The following table shows the supported Cisco router types, WAN modules, IOS versions and connection cables for non-channelised member network connections presented with X.21 (Europe) or V.35 (U.S.A.) standard.

| Router Type | Supported Module | Minimum IOS Version | Router Cable Europe | Router Cable U.S.A. |
|---|---|---|---|---|
| 1700 (not available from Cisco) | WIC-1T (1 Port), WIC-2T (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | CAB-X21MT, CAB-SS-X21MT | CAB-V35MT, CAB-SS-V35MT |
| 2600 (not available from Cisco) | WIC-1T (1 Port), WIC-2T (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | CAB-X21MT, CAB-SS-X21MT | CAB-V35MT, CAB-SS-V35MT |
| 2600XM (not available from Cisco) | WIC-1T (1 Port), WIC-2T (2 Ports) | 12.1(14) or 12.2(12) | CAB-X21MT, CAB-SS-X21MT | CAB-V35MT, CAB-SS-V35MT |
| 2811/ 2821/ 2851 | WIC-1T (1 Port), WIC-2T (2 Ports) | 12.3(8)T1 | CAB-X21MT, CAB-SS-X21MT | CAB-V35MT, CAB-SS-V35MT |
| 3600 (not available from Cisco) | WIC-1T (1 Port), WIC-2T (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | CAB-X21MT, CAB-SS-X21MT | CAB-V35MT, CAB-SS-V35MT |
| 3725/ 3745 (not available from Cisco) | WIC-1T (1 Port), WIC-2T (2 Ports) | 12.2(8)T, 12.3(2)T or 12.3(1) | CAB-X21MT, CAB-SS-X21MT | CAB-V35MT, CAB-SS-V35MT |
| 3825/ 3845 | WIC-1T (1 Port), WIC-2T (2 Ports) | 12.3(11)T | CAB-X21MT, CAB-SS-X21MT | CAB-V35MT, CAB-SS-V35MT |


7.8 VPN Encryption Modules for VPN Internet Connections (iAccess)

Routers connecting via a VPN Internet connection (iAccess) to the Exchange trading applications Eurex and Xetra must be equipped with VPN Hardware Encryption functionality. Routers of the Cisco 1800, 2800 and 3800 series are delivered with embedded security hardware acceleration, enabling VPN services with the appropriate Cisco IOS. Hence, depending on the bandwidth required, an AIM module need not necessarily be installed in routers of the Cisco 2800 and 3800 series.

The following table shows the Cisco router models and supported VPN hardware modules.

Supported Routers

VPN Module

1700 Series

1800 Series

2610 2611

2620 2621

2650 2651

2600 XM

Series 2691

2800 Series

3620 3640 3660 3725 3745

3825

3845

On-Board X X X X

MOD1700-VPN

X

AIM-VPN/BP X X X X X AIM-VPN/EP X X X X AIM-VPN/HP

X X

AIM-VPN/BPII

X

AIM-VPN/EPII

X

X X

AIM-VPN/HPII

X X

AIM-VPN/MP

X

AIM-VPN/BPII-PLUS

X

AIM-VPN/EPII-PLUS

X

X

X

X

AIM-VPN/HPII-PLUS

X

X

X

X

General Information:

1. Cisco IOS versions with feature set 3DES: It is recommended to use IOS versions ≥12.4.16b. The electronic certificate issued by the exchange for the VPN Internet connection expires after 36 months and must be renewed in advance in consultation with Customer Technical Support.

2. The RAM configuration of the router depends on the type, model and IOS version. Therefore, a general guideline cannot be given here. Please consult your Cisco hardware provider for the required amount and type.


8. Required Ports for Firewall Configurations

The tables in this section list the port numbers used for the respective network communication.

8.1 Ports used by MISS-based Front-End Setups

8.1.1 GATE - Ports

Ports used by GATE of the MISS-based Front-End architecture. For GATE, @@ has to be replaced by:

• 90 for production
• 91 for simulation
• 93 for advanced simulation.

| Port | Description | Direction | Protocol |
|---|---|---|---|
| 1@@13 | Listen Port of GATE (Watch Server) | bi-directional between GATE Watch Server and GATE Watch Client | TCP/IP |
| 1@@22 | Listen Port of GATE (Server) | bi-directional between GATE and mmg (Message Manager) | TCP/IP |
| 1@@33 | Listen Port of GATE (Server) | bi-directional between GATE Server and GATE Client | TCP/IP |
| 1@@95 | Main Broadcast Port used by GATE Server for broadcasts dissemination, i.e. GATE Server ==> GATE Client | Multicast sender: GATE server; Multicast receiver: GATE Client | IP (UDP) Multicast |
| 1@@96 | Broadcast Retransmission Requests used by GATE Client for sending Retransmission Requests. Attention: "Receiver" is GATE Server as well as GATE Client !!! | Multicast sender: GATE Client; Multicast receiver: GATE Client, GATE Server | IP (UDP) Multicast |
| 1@@97 | Broadcast Retransmission Responses used by GATE Server for sending of responses for Broadcast Retransmission Requests, i.e. GATE Server ==> GATE Client | Multicast sender: GATE server; Multicast receiver: GATE Client | IP (UDP) Multicast |


8.1.2 VALUES - Ports

The variables @@ of the ports shall be replaced by the respective numbers as shown in the table below.

| Market Environment | @@ for CCP | @@ for Eurex | @@ for Eurex WBAG | @@ for Xetra WBAG | @@ for Xetra Frankfurt | @@ for Xetra Frankfurt 2 | @@ for Xetra Irish SE | @@ for Xetra International Market |
|---|---|---|---|---|---|---|---|---|
| Production | 20 | 00 | 10 | 68 | 51 | 61 | 55 | 57 |
| Simulation | 21 | 01 | 11 | 69 | 52 | 62 | 52 | 52 |
| Advanced Simulation | n.a. | 03 | n.a. | n.a. | 53 | n.a. | n.a. | n.a. |

Ports used by the platforms of the MISS-based Front-End architecture. Between the Communication Server and the MISS the ports for an active ftp connection are used.

| Port | Description | Platform | Protocol |
|---|---|---|---|
| 1@@03 | Listen Port on CS (File Server) | Eurex, CCP, Xetra | TCP/IP |
| 1@@05 | Listen Port on CS | Eurex, CCP, Xetra | TCP/IP |
| 1@@06 | Listen Port on CS | Eurex, CCP, Xetra | TCP/IP |
| 1@@07 | Listen Port on BESS | Eurex, CCP, Xetra | TCP/IP |
| 1@@10 | Listen Port on BESS (Re-Transmitter) | Eurex | TCP/IP |
| 1@@11 | Listen Port on BESS (Data Server) | Eurex, Xetra | TCP/IP |
| 1@@50 | Listen Port on BESS (Application Server) | Eurex, Xetra | TCP/IP |
| 1@@52 | Listen Port on BESS (Application Manager) | CCP | TCP/IP |
| 1@@57 | Listen Port on BESS (Re-Transmitter) | Xetra | TCP/IP |
| 1@@58 | Listen Port on BESS (Broadcast Server) | Eurex | TCP/IP |
| 1@@80 | Listen Port of XPERT | CCP | http or https |


8.2 Enhanced Risk Solution – Ports

Ports used by the Enhanced Risk Solution architecture.

| Market Environment | Enhanced Risk Solution |
|---|---|
| Production | 18080 |
| Simulation | 18181 |

8.3 Enhanced Broadcast Solution / CEF® ultra+ - Ports

The variables @@ of the ports shall be replaced by the respective numbers as shown in the table below.

| Market Environment | @@ for Eurex | @@ for Xetra Frankfurt | @@ for Xetra Irish SE | @@ for Xetra International Market |
|---|---|---|---|---|
| Production | 00 | 51 | 55 | 57 |
| Simulation | 01 | 52 | 52 | 52 |
| Advanced Simulation | 03 | 53 | n.a. | n.a. |

Ports used by the platforms for the Enhanced Broadcast Solution architecture.

| Port | Destination | Direction | Protocol |
|---|---|---|---|
| 5@@00 to 5@@99 | Destination Port Production - propagated by reference data stream | uni-directional | IP (UDP) Multicast |
| 5@@00 to 5@@99 | Destination Port Simulation - propagated by reference data stream | uni-directional | IP (UDP) Multicast |
| 5@@00 to 5@@99 | Destination Port Advanced Simulation - propagated by reference data stream | uni-directional | IP (UDP) Multicast |
| 5@@99 | Reference data stream Production | uni-directional | IP (UDP) Multicast |
| 5@@99 | Reference data stream Simulation | uni-directional | IP (UDP) Multicast |
| 5@@99 | Reference data stream Advanced Simulation | uni-directional | IP (UDP) Multicast |


8.4 Enhanced Transaction Solution - Ports

The variables @@ of the ports shall be replaced by the respective numbers as shown in the table below.

| Market Environment | @@ for Eurex | @@ for Xetra Frankfurt | @@ for Xetra Irish SE | @@ for Xetra International Market |
|---|---|---|---|---|
| Production | 00 | 51 | 55 | 57 |
| Simulation | 01 | 52 | 52 | 52 |
| Advanced Simulation | 03 | 53 | n.a. | n.a. |

Ports used by the platforms for the Enhanced Transaction Solution architecture.

| Port | Description | Direction | Protocol |
|---|---|---|---|
| 1@@45 | Destination Port Production | uni-directional | TCP/IP |
| 1@@45 | Destination Port Simulation | uni-directional | TCP/IP |
| 1@@45 | Destination Port Advanced Simulation | uni-directional | TCP/IP |
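The '@@' templates of sections 8.3 and 8.4 have to be resolved to concrete port numbers before they can go into a firewall rule set. The following is an added example, not part of the original publication: it expands the templates per market and environment, rejects 'n.a.' combinations, and reports markets that share a placeholder value and therefore cannot be separated by port alone; the names `PLACEHOLDER`, `TEMPLATES`, `allow_list` and `shared_ports` are assumptions of this example.

```python
"""Added example: expand the '@@' port templates of sections 8.3 and 8.4
into concrete allow-list entries for a firewall rule set."""

# '@@' values copied from the tables in 8.3/8.4; None stands for 'n.a.'.
PLACEHOLDER = {
    "Eurex": {"Production": "00", "Simulation": "01",
              "Advanced Simulation": "03"},
    "Xetra Frankfurt": {"Production": "51", "Simulation": "52",
                        "Advanced Simulation": "53"},
    "Xetra Irish SE": {"Production": "55", "Simulation": "52",
                       "Advanced Simulation": None},
    "Xetra International Market": {"Production": "57", "Simulation": "52",
                                   "Advanced Simulation": None},
}

# service -> (first port template, last port template, transport)
TEMPLATES = {
    "Enhanced Broadcast Solution feeds": ("5@@00", "5@@99", "UDP multicast"),
    "Enhanced Broadcast Solution reference data": ("5@@99", "5@@99", "UDP multicast"),
    "Enhanced Transaction Solution": ("1@@45", "1@@45", "TCP"),
}


def expand(template, value):
    """Substitute the two-digit value for '@@' and return the port number."""
    if template.count("@@") != 1:
        raise ValueError(f"template {template!r} must contain '@@' exactly once")
    if len(value) != 2 or not (value.isascii() and value.isdigit()):
        raise ValueError(f"placeholder value {value!r} must be two digits")
    port = int(template.replace("@@", value))
    if not 0 < port <= 65535:
        raise ValueError(f"{template} with {value} gives invalid port {port}")
    return port


def allow_list(market, environment):
    """Return (service, transport, first_port, last_port) entries."""
    value = PLACEHOLDER[market][environment]
    if value is None:
        raise LookupError(f"{market} has no {environment} environment (n.a.)")
    return [
        (service, transport, expand(first, value), expand(last, value))
        for service, (first, last, transport) in TEMPLATES.items()
    ]


def shared_ports(environment):
    """Markets whose '@@' value coincides in one environment: a port-based
    rule for one of them also admits the others."""
    by_value = {}
    for market, environments in PLACEHOLDER.items():
        value = environments[environment]
        if value is not None:
            by_value.setdefault(value, []).append(market)
    return {value: markets for value, markets in by_value.items()
            if len(markets) > 1}


if __name__ == "__main__":
    for entry in allow_list("Xetra Frankfurt", "Production"):
        print(entry)
    print(shared_ports("Simulation"))
```
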


8.5 CEF® - Ports

For communication the following ports are used:

| Port | Nagle on | Description | Direction | CEF®-Service | Protocol |
|---|---|---|---|---|---|
| 51005 | Yes | Destination Port | uni-directional | CEF® Core | TCP/IP |
| 51004 | No | Destination Port | uni-directional | CEF® Core | TCP/IP |
| 51003 | Yes | Destination Port | uni-directional | CEF® Core (Scoach) | TCP/IP |
| 51002 | No | Destination Port | uni-directional | CEF® Core (Scoach) | TCP/IP |

Note: The Nagle algorithm is a technique by which, on a TCP connection, small data packets are held back for later transmissions to combine small data packets to a larger data packet in order to lower the overall network overhead.

| Port | Description | Direction | Platform | Protocol |
|---|---|---|---|---|
| 50000 to 50099 | Destination Port Production - propagated by reference data stream | uni-directional | CEF® ultra+ Eurex | IP (UDP) Multicast |
| 50100 to 50199 | Destination Port Simulation - propagated by reference data stream | uni-directional | CEF® ultra+ Eurex | IP (UDP) Multicast |
| 50099 | Reference data stream Production | uni-directional | CEF® ultra+ Eurex | IP (UDP) Multicast |
| 50199 | Reference data stream Simulation | uni-directional | CEF® ultra+ Eurex | IP (UDP) Multicast |
| 55003 | Trade Recovery Functionality for CEF® ultra+ Eurex and CEF® ultra+ Xetra | uni-directional | CEF® ultra+ Eurex, CEF® ultra+ Xetra | TCP/IP |
| 55100 to 55299 | Destination Port Production - propagated by reference data stream | uni-directional | CEF® ultra+ Xetra | IP (UDP) Multicast |
| 55200 to 55299 | Destination Port Simulation - propagated by reference data stream | uni-directional | CEF® ultra+ Xetra | IP (UDP) Multicast |
| 55300 to 55399 | Destination Port Advanced Simulation - propagated by reference data stream | uni-directional | CEF® ultra+ Xetra | IP (UDP) Multicast |
| 55199 | Reference data stream Production | uni-directional | CEF® ultra+ Xetra | IP (UDP) Multicast |
| 55299 | Reference data stream Simulation | uni-directional | CEF® ultra+ Xetra | IP (UDP) Multicast |
| 55399 | Reference data stream Advanced Simulation | uni-directional | CEF® ultra+ Xetra | IP (UDP) Multicast |


8.6 XQS - Ports

For communication the following ports are used:

| Port | Description | Direction | XQS | Protocol |
|---|---|---|---|---|
| 25500 to 25510 | Destination Port Production. Issuer sends quotes to specialist via XQS. Specialist sends quotes to CEF® via XQS | bi-directional | Specialist-Model | TCP/IP |
| 26000 to 26010 | Destination Port Simulation. Issuer sends quotes to specialist via XQS. Specialist sends quotes to CEF® via XQS | bi-directional | Specialist-Model | TCP/IP |
| 25550 to 25560 | Destination Port Production. Issuer sends quotes to Xetra FFM2 via XQS | bi-directional | Issuer-Model | TCP/IP |
| 26050 to 26060 | Destination Port Simulation. Issuer sends quotes to Xetra FFM2 via XQS | bi-directional | Issuer-Model | TCP/IP |
| 25600 to 25610 | Destination Port Production. Specialist sends quotes to CEF® via XQS | bi-directional | Funds-Model | TCP/IP |
| 26100 to 26110 | Destination Port Simulation. Specialist sends quotes to CEF® via XQS | bi-directional | Funds-Model | TCP/IP |


9. Sample Router Configurations

Please ensure the configuration is saved and copied to the start-up configuration; otherwise the configuration will be lost when the router is restarted. Routers connecting to the exchange must be configured for EIGRP.

9.1 General Setup

The following router configuration is mandatory and it should be entered in the enable mode.

| Router Command | Comments |
|---|---|
| config terminal | Enter configuration mode |
| no service config | Don’t load configuration by tftp |
| no service finger | Don’t allow the IP finger service |
| service password-encryption | Don’t show passwords in plain text |
| hostname RXXXXXX | Router name as defined by the Exchange |
| enable secret "enable-password" | Freely chosen enable password |
| ip subnet-zero | |
| no ip classless | Do not use the exchange as “default gateway” |
| interface Ethernet0/0 | The interface ID can be different on a given router, i.e. 0/1, etc. |
| description "free text" | Free description for interface (optional) |
| ip address a.b.c.d 255.255.255.0 | a.b.c.d - IP address of MISS/Router LAN |
| line con 0 | Console port of router |
| exec-timeout 120 0 | Log out user if inactive for 120 minutes (exec-timeout takes minutes, then seconds) |
| password "login-password" | Freely chosen password for console access |
| login | |
| line vty 0 4 | Virtual port for telnet connections to router |
| exec-timeout 120 0 | Log out user if inactive for 120 minutes (exec-timeout takes minutes, then seconds) |
| password "login-password" | Freely chosen password for telnet access |
| login | |
| end | Exit config mode |
| write | Save configuration permanently (to retain after power off) |


9.1.1 Ethernet Leased Lines - Xetra 1 Gbit/s

The following configuration is valid for Cisco routers.

| Router Command | Comment |
|---|---|
| config terminal | enter configuration mode |
| interface FastEthernet0/0 | the interface names FastEthernet0/n may need to be amended to reflect the actual name of the router interfaces |
| description "free text" | free description for interface, optional |
| ip address x.x.x.h 255.255.255.0 | x.x.x.h = IP of MISS/Router LAN; 255.255.255.0 = subnet mask for network |
| interface FastEthernet0/1 | the interface names FastEthernet0/n may need to be amended to reflect the actual name of the router interfaces |
| duplex full | |
| speed z | z = depending on the physical line speed provided by the carrier. It may be necessary to set a speed of 10 for 10 Mbit/s circuits or instead a speed of 100. For 1 GBit/s circuits the speed is set to 1000. |
| ip address Y.Y.Y.2 255.255.255.0 | Y.Y.Y.2 = IP address for Ethernet leased line to access point provided by the Exchange |
| interface Tunnel1 | GRE tunnel for network monitoring |
| no ip address | no IP address, not used for data or routing |
| keepalive 5 3 | handshaking setup |
| tunnel source Y.Y.Y.2 | source is interface to Exchange |
| tunnel destination Y.Y.Y.1 | destination is Exchange interface |
| router eigrp ZZ | number provided by the Exchange |
| network 90.0.0.0 | please take the number of interface used for IP connection |
| end | exit config mode |
| write | save configuration permanently (to retain after power off) |


The tunnel interface is only necessary to provide end to end monitoring. No traffic is transported over this interface.

9.1.2 Ethernet Leased Lines - Enhanced Broadcast Solution+ Service A

The following configuration is valid for Cisco routers.

| Router Command | Comment |
|---|---|
| config terminal | enter configuration mode |
| ip multicast-routing | enable multicast on router |
| interface FastEthernet0/0 | the interface names FastEthernet0/n may need to be amended to reflect the actual name of the router interfaces |
| description "free text" | free description for interface, e.g. member LAN |
| ip address 90.x.x.21 255.255.255.0 | 90.x.x.21 = IP of MISS/Router LAN; 255.255.255.0 = subnet mask for network |
| ip pim sparse-mode | multicast mode |
| ip pim neighbor-filter DenyRtrB | |
| ip igmp access-group EbsA | multicast segregation of service A vs. service B |
| interface FastEthernet0/1 | the interface names FastEthernet0/n may need to be amended to reflect the actual name of the router interfaces |
| description "free text" | free description for the interface, e.g. to Deutsche Boerse |
| ip address 90.y.y.2 255.255.255.0 | 255.255.255.0 = subnet mask for network |
| ip pim sparse-mode | multicast mode |
| speed z | z = depending on the physical line speed provided by the carrier. It may be necessary to set a speed of 10 for 10 Mbit/s circuits or instead a speed of 100. |
| duplex full | |
| interface Tunnel1 | GRE tunnel for network monitoring |
| description "free text" | free description for interface, e.g. to Monitor Tunnel |
| no ip address | no IP address, not used for data or routing |
| tunnel source 90.a.a.2 | source is interface to Exchange, supplied by the Exchange |
| tunnel destination 90.a.a.1 | destination is Exchange interface, supplied by the Exchange |
| keepalive 5 3 | handshaking setup |
| ip access-list standard DenyRtrB | |
| deny any | multicast segregation of service A vs. service B |
| ip pim rp-address 193.29.95.252 EbsA | address of the multicast rendezvous point at the Exchange |
| ip access-list standard EbsA | multicast segregation of service A vs. service B |
| permit 224.0.29.0 0.0.0.255 | |
| permit 233.49.81.0 0.0.0.127 | |
| deny any | |
| router eigrp 56 | router protocol and group |
| network 90.0.0.0 | physical connected network |
| end | |


9.1.3 Ethernet Leased Lines - Enhanced Broadcast Solution+ Service B

The following configuration is valid for Cisco routers.

| Router Command | Comment |
|---|---|
| config terminal | enter configuration mode |
| ip multicast-routing | enable multicast on router |
| interface FastEthernet0/0 | the interface names FastEthernet0/n may need to be amended to reflect the actual name of the router interfaces |
| description "free text" | free description for interface, e.g. member LAN |
| ip address 90.x.x.22 255.255.255.0 | 90.x.x.22 = IP of MISS/Router LAN; 255.255.255.0 = subnet mask for network |
| ip pim sparse-mode | multicast mode |
| ip pim neighbor-filter DenyRtrA | |
| ip igmp access-group EbsB | multicast segregation of service A vs. service B |
| interface FastEthernet0/1 | the interface names FastEthernet0/n may need to be amended to reflect the actual name of the router interfaces |
| description "free text" | free description for interface, e.g. to Deutsche Boerse |
| ip address 90.y.y.2 255.255.255.0 | 255.255.255.0 = subnet mask for network |
| ip pim sparse-mode | multicast mode |
| speed z | z = depending on the physical line speed provided by the carrier. It may be necessary to set a speed of 10 for 10 Mbit/s circuits or instead a speed of 100. |
| duplex full | |
| interface Tunnel1 | GRE tunnel for network monitoring |
| description "free text" | free description for interface, e.g. to Monitor Tunnel |
| no ip address | no IP address, not used for data or routing |
| tunnel source 90.a.a.2 | source is interface to Exchange, supplied by the Exchange |
| tunnel destination 90.a.a.1 | destination is Exchange interface, supplied by the Exchange |
| keepalive 5 3 | handshaking setup |
| ip access-list standard DenyRtrA | |
| deny any | multicast segregation of service A vs. service B |
| ip pim rp-address 193.29.95.253 EbsB | address of the multicast rendezvous point at the Exchange |
| ip access-list standard EbsB | multicast segregation of service A vs. service B |
| permit 224.0.30.0 0.0.0.255 | |
| permit 233.49.81.128 0.0.0.127 | |
| deny any | |
| router eigrp 56 | router protocol and group |
| network 90.0.0.0 | physical connected network |
| end | |
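The segregation of service A and service B rests on the two IGMP access lists admitting disjoint sets of multicast groups. The following is an added example, not part of the original document: it evaluates the EbsA and EbsB lists from sections 9.1.2 and 9.1.3 with wildcard-mask and first-match semantics and checks that no permit entry of one list can match a group admitted by the other. The function names are assumptions of this example.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

# The two IGMP filter lists as given in sections 9.1.2 and 9.1.3.
EBS_A = """
permit 224.0.29.0 0.0.0.255
permit 233.49.81.0 0.0.0.127
deny any
"""
EBS_B = """
permit 224.0.30.0 0.0.0.255
permit 233.49.81.128 0.0.0.127
deny any
"""


def parse_standard_acl(text):
    """Parse standard-ACL lines into (action, address, wildcard) integer tuples."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        if parts[1] == "any":
            address, wildcard = 0, MASK32
        else:
            # ipaddress raises ValueError on malformed addresses.
            address = int(ipaddress.IPv4Address(parts[1]))
            wildcard = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
        entries.append((parts[0], address, wildcard))
    return entries


def acl_permits(entries, group):
    """First matching entry decides; nothing matching means implicit deny."""
    value = int(ipaddress.IPv4Address(group))
    for action, address, wildcard in entries:
        # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
        if ((value ^ address) & ~wildcard & MASK32) == 0:
            return action == "permit"
    return False


def permits_overlap(acl_a, acl_b):
    """Return pairs of permit entries that can match the same address.

    Two entries share an address exactly when they agree on every bit that
    both of them care about. Earlier deny entries are not considered, which
    is exact for lists like these where the only deny is the last line.
    """
    pairs = []
    for _, addr_a, wild_a in (e for e in acl_a if e[0] == "permit"):
        for _, addr_b, wild_b in (e for e in acl_b if e[0] == "permit"):
            care = ~(wild_a | wild_b) & MASK32
            if ((addr_a ^ addr_b) & care) == 0:
                pairs.append((str(ipaddress.IPv4Address(addr_a)),
                              str(ipaddress.IPv4Address(addr_b))))
    return pairs


def service_for(group):
    """Name the service ("A", "B" or None) whose IGMP filter admits a group."""
    in_a = acl_permits(parse_standard_acl(EBS_A), group)
    in_b = acl_permits(parse_standard_acl(EBS_B), group)
    if in_a and in_b:
        raise ValueError(f"{group} is admitted by both services")
    return "A" if in_a else "B" if in_b else None


if __name__ == "__main__":
    print("overlapping permits:",
          permits_overlap(parse_standard_acl(EBS_A), parse_standard_acl(EBS_B)))
    for sample in ("233.49.81.127", "233.49.81.128", "224.0.31.1"):
        print(sample, "->", service_for(sample))
```

Running the same overlap check after any change to either list shows at once whether a widened wildcard mask has merged the two services.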

9.1.4 Optional Shaping (QoS) for Enhanced Transaction Solution Simulation

To limit the amount of bandwidth that the Enhanced Transaction Solution simulation can use, the following section can be configured (see the end of the configuration in section 9.1.5).

| Router Command | Comment |
|---|---|
| ip access-list extended AL_Eurex_Ets_Simu | define access list |
| permit tcp any any eq 10145 | applicable for ETS simulation port 10145 |
| class-map match-all CM_Ets_Simu | define class |
| match access-group name AL_Eurex_Ets_Simu | criteria class |
| policy-map Ets_Out | define policy |
| class CM_Ets_Simu | criteria for policy |
| shape average 256000 | the value 256 000 can be changed as required |


9.1.5 Ethernet Leased Lines for Enhanced Transaction Solution

The following configuration is valid for Cisco routers.

| Router Command | Comment |
|---|---|
| ******** Configure IP SLA to keep the IPSEC tunnel alive ******** | |
| ip sla monitor 12 | |
| type tcpConnect dest-ipaddr 193.29.94.n dest-port 10045 source-ipaddr a.b.c.d source-port 58418 control disable | a.b.c.d - IP address assigned by the exchange |
| ip sla monitor schedule 12 life forever start-time now | start ip sla |
| ******** RSA Key generation ******** | Before generating the RSA Keys ensure that the time on the router is correct and that the ip domain-name has been configured! |
| ip domain name <fqdn> | <fully qualified domain name> |
| crypto key generate rsa | Enter 1024 at the prompt <How many bits in the modulus [512]:> |
| ******** End of RSA Key generation. ******** | |
| crypto isakmp policy 10 | configure isakmp setting |
| encr aes 256 | |
| group 5 | |
| crypto pki trustpoint TP_dbs_subca1 | configure certificate authority |
| enrollment url http://193.29.95.250:80 | |
| subject-name OU=ETS | |
| revocation-check none | |
| auto-enroll 90 regenerate | |
| crypto isakmp identity dn | |
| crypto isakmp keepalive 10 periodic | |
| crypto ipsec transform-set TS_dbsset_Ets esp-aes 256 esp-sha-hmac | |
| ip access-list extended AL_dbs_Ets | |
| 5 permit tcp 90.201.11.0 0.0.0.255 193.29.94.0 0.0.0.127 | configure access list for encryption |
| crypto map CM_dbs_Ets 10 ipsec-isakmp | configure crypto map |
| set peer 193.29.95.224 | primary peer |
| set peer 193.29.95.225 | backup peer |
| set security-association lifetime seconds 28800 | |
| set transform-set TS_dbsset_Ets | |
| set pfs group5 | |
| match address AL_dbs_Ets | |
| qos pre-classify | |
| interface FastEthernet0/1 | the interface names FastEthernet0/n may need to be amended to reflect the actual name of the router interfaces |
| speed 100 | physical line speed provided by the carrier. |
| duplex full | |
| description To Deutsche Boerse | |
| ip address a.b.c.d 255.255.255.0 | a.b.c.d - IP address assigned by the exchange |
| !ntp broadcast client | optional when member has no ntp server (see 9.1.6). |
| crypto map CM_dbs_Ets | required for ETS encryption |
| ! service-policy output Ets_Out | optional for simulation shaping (see 9.1.4) |

9.1.6 Optional NTP Server for Enhanced Transaction Solution

To allow Enhanced Transaction Solution member routers to use the exchange routers as NTP servers, the following command can optionally be applied in the configuration above. The correct clock time is crucial for IPSec encryption.

| Router Command | Comment |
|---|---|
| ntp broadcast client | see end of configuration in section 9.1.5. |

time zone -> in all cases the CET time zone.


9.2 Adding Support for iAccess

Member routers connecting to the exchange via the Internet must be configured for IPSec. Members are responsible for the secure configuration of their router(s). The following security configurations, e.g. access lists, are recommendations only which have to be customized according to the specific requirements. The basic part of the configuration may be entered at any time; the installation of the certificate must be conducted interactively together with the exchange.

9.2.1 Network Time Protocol for iAccess Connections

The router must be configured with the correct time in order to check the validity of the certificate. A connection to the exchange will only be possible if the current time on the router is within the valid time frame of the certificate. The simplest solution is to request the time from the Internet (UTC), however any means of time settings for the router will work.

The commands listed below are used to synchronize the router's time with an NTP server on the Internet. Please note that using symbolic server names necessitates the configuration of IP address resolution. Commands should be entered in the Enable mode.

| Router Command | Comments |
|---|---|
| config terminal | Enter configuration mode |
| clock timezone CET | Time zone: CET for Europe, CST for the US |
| clock calendar-valid | |
| ntp update-calendar | |
| scheduler interval 300 | |
| ntp server "server name" | First place to look for network time provider (see explanation) |
| ntp server "server name" | Second place to look for network time provider |
| - and so on - | |

Any known network time providers may be entered as the “servername” in the above. Internet Service Providers may provide one or more network time providers as DNS-names. The exchange has no control over the availability, reliability or access policy of Internet network time providers. A list of such providers may be found at http://support.ntp.org/bin/view/Servers/WebHome. Some of these providers are shown below:

• clock.isc.org
• clock.via.net
• ntp1.fau.de
• ptbtime2.ptb.de
• bernina.ethz.ch
• ntp.univ-lyon1.fr
• ntp2a.mcc.ac.uk

Use the "show clock" command to check the current time of the router.


9.2.2 Setting the Time Manually

If it is necessary to set the time manually because an NTP server is not reachable, then the following Cisco command can be used in the Enable mode.

| Router Command | Comment |
|---|---|
| clock set hh:mm:ss dd mmm yyyy | Example: clock set 11:33:00 29 JUL 2003 (UTC) |

9.2.3 IPSec Configuration for iAccess

| Router Command | Comment |
|---|---|
| config terminal | Enter configuration mode |
| service compress-config | |
| ip domain-name <customer.ext> | Customer domain and extension, for example: ABCFR.DE |
| hostname <Router Name> | Router name as defined on configuration sheet |
| ip domain-lookup | Enable domain lookup |
| ip name-server <Name Server IP> | DNS address (obtained from ISP). Several DNS IPs are entered by repeating the same command with the different IP |
| ip subnet-zero | |
| no ip source-route | |
| no ip finger | |
| crypto pki trustpoint baltimore | Name of exchange certification authority |
| revocation-check none | |
| enrollment retry count 100 | |
| enrollment mode ra | |
| enrollment url http://193.29.78.191:10081/cgi-bin/pkiclient.exe | Path for CEPT negotiation |
| crl optional | optional -> the router only uses the crl if it gets them |
| crypto isakmp policy 1 | ISAKMP policy |
| crypto ipsec transform-set <Name_Transformset> esp-3des esp-sha-hmac | IPSec policy |
| crypto map <Crypto_Name> 1 ipsec-isakmp | Definition of first Crypto Map |
| set peer <iAccess Point Router 1> | IP-Address of first iAccess Point Router according to configuration sheet |
| set transform-set <Name_Transformset> | |
| match address 1XX | Specifies the list (1XX) for the traffic to encrypt |
| crypto map <Crypto_Name> 2 ipsec-isakmp | Definition of second Crypto Map |
| set peer <iAccess Point Router 2> | IP-Address of second iAccess Point Router according to the information from the exchange |
| set transform-set <Name_Transformset> | |
| match address 1YY | Specifies the list (1YY) for the traffic to encrypt |
| interface Tunnel1 | Definition of first Tunnel interface |
| ip address 90.XXX.XXX.XXX 255.255.255.0 | According to configuration sheet |
| no ip directed-broadcast | |
| no ip route-cache | |
| no ip mroute-cache | |
| tunnel source <Router Internet IP-Address> | Customer Router Internet IP-Address, assigned by ISP |
| tunnel destination <iAccess Point Router 1> | According to configuration sheet |
| crypto map <Crypto_Name> | Activate crypto map for this interface |
| interface Tunnel2 | Definition of second Tunnel interface |
| ip address 90.YYY.YYY.YYY 255.255.255.0 | According to configuration sheet |
| no ip directed-broadcast | |
| no ip route-cache | |
| no ip mroute-cache | |
| tunnel source <Router Internet IP-Address> | Customer Router Internet IP-Address |
| tunnel destination <iAccess Point Router 2> | According to configuration sheet |
| crypto map <Crypto_Name> | Activate crypto map for this interface |
| interface <INTERNET> | Interface with Internet address |
| ip address <Router Internet IP Address> <Internet Subnet-Mask> | |
| bandwidth XX | XX = 1024 for Eurex trading and 512 for Xetra |
| ip access-group 1ZZ in | General access list, see access lists below |
| no ip route-cache | |
| no ip mroute-cache | |
| no ip unreachables | |
| no cdp enable | |
| crypto map <Crypto_Name> | Activate crypto map for this interface |
| interface <LAN> | Interface to connect to Customer LAN |
| ip address <Router LAN IP Address> <LAN Subnet-Mask> | |
| no ip route-cache | |
| no ip mroute-cache | |
| router eigrp ZZ | ZZ is the EIGRP number as defined on the config sheet |
| network A.0.0.0 | Where A is the first octet of the MISS/Router LAN |
| no auto-summary | |
| no ip classless | |
| ip route 0.0.0.0 0.0.0.0 <Default-Route> | Set the default gateway (normally the ISP’s router) |
| no ip http server | |
| ip access-list extended 1ZZ | Recommended general access list |
| permit gre host <iAccess Point Router 1> any | Allow VPN protocol |
| permit gre host <iAccess Point Router 2> any | Allow VPN protocol |
| permit icmp any any echo | Allow PING request |
| permit icmp any any echo-reply | Allow PING reply |
| permit udp any any eq isakmp | Allow VPN protocol |
| permit udp host <NTP Srv Address> any eq ntp | Allow time synchronization protocol |
| permit eigrp any any | Allow EIGRP |
| permit esp host <iAccess Point Router 1> any | Allow VPN protocol |
| permit esp host <iAccess Point Router 2> any | Allow VPN protocol |
| deny ip any any log | Deny everything else |
| ip access-list extended 1XX | |
| permit gre host <Router Internet IP-Address> host <iAccess Router 1> | Example: permit gre host 212.69.76.5 host 193.29.78.1 |
| ip access-list extended 1YY | |
| permit gre host <Router Internet IP-Address> host <iAccess Router 2> | Example: permit gre host 212.69.76.5 host 193.29.78.2 |

9.2.4 IPSec Configuration for Combined Access

| Router Command | Comment |
|---|---|
| service compress-config | |
| ip domain-name <customer.ext> | Customer’s domain and extension |
| hostname <Router Name> | Router name as defined on configuration sheet |
| ip domain-lookup | Enable domain lookup |
| ip name-server <Name Server IP-Address> | Name server |
| ip subnet-zero | |
| no ip source-route | |
| no ip finger | |
| crypto pki trustpoint baltimore | Name of exchange certification authority |
| revocation-check none | |
| enrollment retry count 100 | |
| enrollment mode ra | |
| enrollment url http://193.29.78.191:10081/cgi-bin/pkiclient.exe | Path for CEPT negotiation |
| crl optional | optional -> the router only uses the crl if it gets them |
| crypto isakmp policy 1 | ISAKMP policy |
| crypto ipsec transform-set <Name_Transformset> esp-3des esp-sha-hmac | IPSEC policy |
| crypto map <Crypto_Name> 1 ipsec-isakmp | Definition of first Crypto Map |
| set peer <iAccess Point Router> | IP-Address of first iAccess Point Router according to configuration sheet |
| set transform-set <Name_Transformset> | |
| match address 1XX | Specifies the list (1XX) of traffic to encrypt (see below) |
| interface Tunnel1 | Definition of first Tunnel interface |
| ip address 90.XXX.XXX.XXX 255.255.255.0 | according to configuration sheet |
| no ip directed-broadcast | |
| no ip route-cache | |
| no ip mroute-cache | |
| tunnel source <Router Internet IP-Address> | Customer Router Internet IP-Address |
| tunnel destination <iAccess Point Router 1> | according to configuration sheet |
| crypto map <Crypto_Name> | Activate crypto map for this interface |
| interface <INTERNET> | Interface with Internet address |
| ip address <Router Internet IP Address> <Internet Subnet-Mask> | |
| bandwidth <XX> | XX = 1024 for Eurex trading and 512 for Xetra |
| no ip route-cache | |
| no ip mroute-cache | |
| ip access-group 1ZZ in | General access list |
| no ip redirects | |
| no ip unreachables | |
| no cdp enable | |
| crypto map <Crypto_Name> | Activate crypto map for this interface |
| interface <LAN> | Interface to connect to Customer LAN |
| ip address <Router LAN IP Address> <LAN Subnet-Mask> | |
| no ip route-cache | |
| no ip mroute-cache | |
| router eigrp ZZ | ZZ is the EIGRP number for leased line as defined on configuration sheet |
| network 90.0.0.0 | |
| no auto-summary | |
| router eigrp YY | EIGRP number for Internet as defined on configuration sheet |
| network 90.0.0.0 | |
| no auto-summary | |
| no ip classless | |
| ip route 0.0.0.0 0.0.0.0 <Default-Route> | Set the default gateway (normally the ISP’s router) |
| no ip http server | |
| ip access-list extended 1ZZ | Recommended general access list |
| permit gre host <iAccess Point Router 1> any | |
| permit icmp any any echo | |
| permit icmp any any echo-reply | |
| permit udp any any eq isakmp | |
| permit udp host <NTP Server Address> any eq ntp | Time server IP address |
| permit eigrp any any | |
| permit esp host <iAccess Point Router 1> any | |
| deny ip any any log | |
| ip access-list extended 1XX | |
| permit gre host <Router Internet IP-Address> host <iAccess Router> | Example: permit gre host 212.69.76.5 host 193.29.78.1 |


9.2.5 Router Clock Verification

The certificates used are valid for a defined timeframe of 36 months only. The local clock of the member router is used to check the validity of the certificate.

9.2.6 Enrolment

Enrolment is the authentication and installation process of the certificates on the member router. The process is conducted interactively between member and the exchange. The member must have access to the router during the enrolment. The steps for the enrolment are shown in the following paragraphs. Please make sure that the clock is set correctly before starting enrolment. Neither the crypto map nor the access list should be bound on the interface for enrolment.
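The last requirement above (no crypto map and no access list bound on an interface during enrolment) can be checked against a saved copy of the router configuration before the enrolment session starts. The following is an added example, not part of the original document: it assumes running-config style text in which interface sub-commands are indented, and the sample configuration, its names and its addresses are constructed.

```python
BLOCKING_PREFIXES = ("crypto map ", "ip access-group ")


def interface_sections(config_text):
    """Yield (interface_name, [sub-commands]) from IOS-style configuration text.

    Sub-commands are the indented lines that follow an 'interface' line; the
    next non-indented command ends the section. Blank lines and '!' comment
    lines are skipped.
    """
    name, commands = None, []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():                # global-level command
            if name is not None:
                yield name, commands
            name, commands = None, []
            if line.lower().startswith("interface "):
                # "interface Tunnel 1" and "interface Tunnel1" name the same port
                name = line.split(None, 1)[1].replace(" ", "")
        elif name is not None:
            commands.append(" ".join(line.split()))
    if name is not None:
        yield name, commands


def enrolment_blockers(config_text):
    """List (interface, command) bindings that must be absent for enrolment.

    Negated commands ("no crypto map ...") and the global crypto map and
    access-list definitions are not bindings and are not reported.
    """
    findings = []
    for name, commands in interface_sections(config_text):
        for command in commands:
            if command.lower().startswith(BLOCKING_PREFIXES):
                findings.append((name, command))
    return findings


# Constructed sample configuration (names and addresses are placeholders).
SAMPLE_CONFIG = """\
crypto map CM_EXAMPLE 1 ipsec-isakmp
 set peer 192.0.2.1
 match address ACL_ENCRYPT
!
interface Tunnel 1
 ip address 198.51.100.2 255.255.255.0
 crypto map CM_EXAMPLE
!
interface FastEthernet0/0
 ip address 203.0.113.5 255.255.255.0
 ip access-group ACL_EXAMPLE in
 no cdp enable
 crypto map CM_EXAMPLE
!
interface FastEthernet0/1
 ip address 198.51.100.129 255.255.255.128
 no ip access-group ACL_EXAMPLE in
!
ip access-list extended ACL_EXAMPLE
 deny ip any any log
"""

if __name__ == "__main__":
    for interface, command in enrolment_blockers(SAMPLE_CONFIG):
        print(f"{interface}: remove '{command}' before enrolment")
```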

9.2.7 Password for Member Verification

The exchange issues a password for authorization of the member. This password is distributed to the member by mail. During the setup the exchange requests the password to authenticate the member.

9.2.8 Trusted Peer Verification

To verify that the requested certificate originates from the exchange, enter the following commands on the router:

| Router Command | Comment |
|---|---|
| config terminal | |
| crypto ca authenticate exchangeCA | request authorization |
| end | exit config mode |

The fingerprint displayed must be compared with the one shown on the exchange side. The exchange’s view of the fingerprint will be available via phone or mail.

9.2.9 Load Certificate

After establishing a trusted peer the certificate can be requested from the exchange:

| Router Command | Comment |
|---|---|
| config terminal | |
| crypto ca enroll exchangeCA | request certificate |
| | Respond to the questions as explained below |
| end | exit config mode |


The router will request the following information:

• Challenge password -- to be used for identification
• If the router serial number is to be included in the subject name; enter NO
• If an IP-Address is to be included in the subject name; enter NO
• If the certificate is to be requested; enter YES

The command "show cr ca cert" allows the process of loading the certificate to be verified. The status will be pending until the exchange responds to the request. The status will then change to “available”.

9.3 Router for Workstations in a Remote LAN

It is the member’s responsibility to select, install and configure routers for connecting workstations in a remote LAN to the MISS/Workstation LAN. By default, there is no transmission of multicasts across routers. The use of protocols, for example PIM (Protocol Independent Multicast), makes it possible to configure routers to forward multicasts. All interconnecting components must be able to transport multicasts.


10. Terms and Abbreviations

3DES A method to encrypt data by applying DES 3 times.

AP Access Point - Within this document the Access Point’s key function is to route data transactions to and from the Exchange’s Back-Ends.

API Application Programming Interface is the specific method prescribed by a computer operating system or by another application program by which an application program can make requests of the operating system or another application. In the context of exchange applications, the VALUES API is supported.

BALUN A BALUN (BALanced-UNbalanced) is an adapter to match the impedance of a leased line with the impedance of a router interface (e.g. to match a 75 Ohms leased line impedance to 120 Ohms interface impedance and vice versa).

BESS Back-End Specific Subsystems are needed to access the exchange-specific Back-End. BESSes are available for Xetra Frankfurt, Xetra Vienna, Eurex and CCP.

CCP The Central Counter Party is an intermediary which guarantees delivery of trades in selected equities by mediating between the buying and the selling party.

CEF® Real-time data feed operated by Deutsche Börse AG

Combined Access Connection alternative using a leased line connection together with an iAccess connection (backup) to connect to the Back-End.

CS Communications Server

DES Digital Encryption Standard. A classical symmetric encryption algorithm. Symmetry means, the same key is used for encryption and decryption.

EEX European Energy Exchange

EIGRP Enhanced Interior Gateway Routing Protocol. An advanced version of the IGRP router-to-router protocol developed by Cisco. Provides superior convergence properties and operating efficiency and combines the advantages of link state protocols with those of distance vector protocols.

Enhanced Broadcast Solution

The Eurex/Xetra Enhanced Broadcast Solution data stream is propagated in a “live-live” concept by disseminating two services, A and B. Both services contain the same streams but utilize different Multicast groups.

Enhanced Risk Solution

A Eurex Clearing AG service (optional) providing members near-time risk data

Page 74: Network Access To Exchange Applications - Gruppe Deutsche B¶rse

Deutsche Börse Group

Network Access To Exchange Applications

06.04.10

Page 74 of 76

V.10.03

Enhanced Transaction Solution

The Eurex/Xetra Enhanced Transaction Solution is an asynchronous message-based interface.. The Enhanced Transaction Solution is session-oriented whereby the session is the basic context of the interaction with the respective Back-End system.

Environment Environments are: Production, Simulation or Advanced Simulation

Eurex Eurex is a derivatives Exchange. The Eurex system provides functions for trading/clearing, trading/clearing support and security. The Eurex platform also supports trading and clearing for the derivatives side of the European Energy Exchange (EEX).

Eurex (VALUES) MISS-based Eurex connection

Exchange In this documentation the term “Exchange” refers to these Exchanges the IT Branch of Group Deutsche Börse provides the network access to the respective markets and services for.

FTP File Transfer Protocol – description of a method of transferring files between computers.

GATE Generic Access To Exchanges is a common Front-End architecture software component for all MISS-based exchange applications. GATE provides common execution and operations services to all exchange applications (Eurex, Xetra, CCP and others).

GRE Generic Routing Encapsulation – Standard for tunnelling IP and other network protocols- described in the RFCs 1701 and 1702.

HTML Hypertext Mark-up Language is the set of mark-up symbols or codes inserted into a text file intended for display on a World Wide Web browser page.

HTTP Hypertext Transfer Protocol is the underlying protocol used by the World Wide Web to transfer hypertext requests and information between servers and browsers.

HTTPS Hypertext Transfer Protocol over Secure Socket Layer is a Web protocol similar to HTTP. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server.

iAccess Connection alternative "iAccess" is a permanent point-to-point VPN Internet connection between a member router and an Access Point to connect to the Back-End. A tunnel through the Internet is established by employing IPSec.

IANA Internet Assigned Numbers Authority

ICMP Internet Control Message Protocol - an extension to the Internet Protocol defined by RFC 792. ICMP supports packets containing error, control, and informational messages.

IOS Cisco system software that provides common functionality, scalability and security for all products under the Cisco Fusion architecture. Cisco IOS allows centralized, integrated and automated installation and management of interconnected networks, while ensuring support for a wide variety of protocols, media, services and platforms.

IP multicast IP multicasting is a bandwidth-conserving technology that reduces network traffic by simultaneously delivering a single stream of information to computers in a network configured with the same multicast address.

IPSec IP Security protocol. An Internet Engineering Task Force (IETF) specification for IP network layer security supporting end-to-end encryption and authentication for secure communication in public and private networks.

Irish - SE Irish Stock Exchange

ISP Internet Service Provider

LAN Local Area Network connects computers in a workgroup, department or building.

Leased Line Within this document the wording “leased line” is synonymous with the wording “bandwidth on leased line”.

Market Trading or clearing market of a platform, where a platform is the application CCP, Eurex or Xetra.

MD Member Device. The term “member device” is used to describe any generic server.

MISS Member Integrated System Server (the Front-End server) is an MD running an Exchange application allowing members to access the trading system. The MISS can either run as a stand-alone machine on which the entire set of Front-End applications is available or as a server for additional workstations.

Redundancy Redundancy refers to the duplication of critical components of a system with the intention of increasing reliability of the system.

Platform Trading or Clearing application serving one or several markets (e.g. Eurex, Xetra etc.)

Proximity Services Services offered by Deutsche Börse Systems, the IT branch of Deutsche Börse. The services address market demand for ultra low latency by placing member trading engines physically close to the exchange Back-End.

Proximity Location Partner data centers in Frankfurt co-operating with Deutsche Börse Systems

RSA An asymmetric encryption algorithm invented by Rivest, Shamir and Adleman. Asymmetry means that a different key is used for decryption and encryption. The quality of encryption is measured in terms of bit length of the private key.

SSL Secure Socket Layer is a protocol for exchanging messages with confidentiality and integrity, i.e. messages are exchanged encrypted, missing or replaced messages are detected, and the authenticity of the communication partners can be established.

Standard Access Connection alternative using 2 leased lines to connect to the Back-End

TCP/IP Transmission Control Protocol/Internet Protocol is a method (protocol) used to send data in the form of message units between computers over a LAN/WAN. TCP guarantees the messages are delivered uncorrupted, lossless and in sequence.

UDP User Datagram Protocol is a method of communication between computers in a network using the Internet Protocol (IP). UDP guarantees messages are delivered uncorrupted. However, contrary to TCP, UDP does not employ any mechanisms to ensure lossless and sequential message transmission.

USIM A file used as a token to prove a MISS is permitted to connect to a specific Back-End.

VALUES Virtual Access Link Using Exchange Services is an exchange-developed and supported API, enabling members to interface their own applications to the exchange.

VPN Virtual Private Networks use advanced encryption and tunnelling to permit organizations to establish secure end-to-end, private network connections over third-party networks, such as the Internet or Frame Relay networks.

WAN Wide Area Network is a geographically dispersed telecommunications network and the term distinguishes a broader telecommunication structure from a LAN.

WBAG Wiener Börse AG / Vienna Stock Exchange

Xetra EXchange Electronic TRAding, the electronic stock trading system of Deutsche Börse AG. The Xetra platform supports the spot markets of the Exchanges: Wiener Börse AG (Vienna Stock Exchange), Irish Stock Exchange, European Energy Exchange (EEX), Eurex Bonds, Bulgarian Stock Exchange, Xetra Frankfurt, Xetra Frankfurt 2 and Xetra International Market.

Xetra Frankfurt 2 pan-European multi-market venue

XQS The product Xentric Quote Source (XQS) supports the centralized processing and administration of quotes.