© Deutsche Börse AG 2010
All proprietary rights and interest in this publication shall be vested in Deutsche Börse AG and all other rights including, but without
limitation to, patent, registered design, copyright, trade mark, service mark, connected with this publication shall also be vested in
Deutsche Börse AG. Whilst all reasonable care has been taken to ensure that the details contained in this publication are accurate
and not misleading at the time of publication, no liability is accepted by Deutsche Börse AG for the use of information contained
herein in any circumstances connected with actual trading or otherwise. Neither Deutsche Börse AG, nor its servants nor agents, is
responsible for any errors or omissions contained in this publication which is published for information only and shall not constitute
an investment advice. This brochure is not intended for solicitation purposes but only for the use of general information. All
descriptions, examples and calculations contained in this publication are for guidance purposes only and should not be treated as
definitive. Deutsche Börse AG reserves the right to alter any of its rules or product specifications, and such an event may affect the
validity of information contained in this publication.
® Registered trademark of Deutsche Börse AG
Network Access To Exchange Applications
Deutsche Börse Group
Network Access To Exchange Applications
06.04.10
Page 2 of 76
V.10.03
Table of Contents
1. Amendments .... 5
2. Introduction .... 6
2.1 Applications and Services .... 7
2.2 Contacts .... 8
2.3 Other Guides available to Members .... 9
2.4 Access Order Forms .... 10
2.5 Getting Started .... 11
3. Network Overview .... 12
3.1 Network Connections to the Exchange .... 13
3.1.1 Leased Line Connection .... 13
3.1.2 Internet Connection .... 14
3.2 Network Administration and Responsibilities .... 15
3.3 Network Security .... 15
3.4 Network Failover .... 17
4. Connection Alternatives .... 18
4.1 Standard Connection: Two Leased Lines .... 18
4.1.1 Consolidated Connections .... 18
4.1.2 Enhanced Broadcast Solution .... 20
4.1.3 Enhanced Transaction Solution .... 20
4.1.4 CEF® ultra+ .... 21
4.2 Combined Access: One Leased Line plus iAccess (Backup) .... 22
4.3 iAccess: VPN Internet Connection .... 22
4.4 Single Leased Line Connections .... 23
5. Overview Access Options .... 24
5.1 Router-based Access Options .... 24
5.2 Internet-Workstation-based Access Options .... 26
6. Network Communication Protocols .... 27
6.1 Address Scheme .... 29
6.2 Network Names .... 29
6.3 General Rules for Addressing .... 29
6.4 Market/Services Specific IP Ranges .... 30
6.5 Individual Host Addresses .... 30
6.6 Addressing and Name Exceptions .... 30
6.7 Multicast Groups .... 32
6.7.1 MISS-based Installations .... 32
6.7.2 Reference Information – Enhanced Broadcast Solution and CEF® ultra+ .... 32
6.7.3 Enhanced Broadcast Solution and CEF® ultra+ .... 34
6.7.4 Rendezvous Points Enhanced Broadcast Solution and CEF® ultra+ .... 35
7. Network Hardware .... 37
7.1 Channelised E1 Member Connections .... 37
7.2 Channelised T1 Member Connections .... 39
7.3 Non-channelised E1 Member Connections .... 41
7.4 Ethernet Connections with Multicast (MC) + Encrypted TCP-IP Traffic .... 43
7.4.1 Lines with up to 60 Mbit/s MC + 10 Mbit/s encrypted TCP-IP traffic .... 45
7.4.2 Lines with more than 60 Mbit/s MC + 20 Mbit/s encrypted TCP-IP traffic .... 45
7.5 Ethernet Connections with Multicast (MC) + Non-Encrypted TCP-IP Traffic .... 46
7.5.1 Lines with up to 80 Mbit/s MC + 20 Mbit/s Non-Encrypted TCP-IP Traffic .... 46
7.5.2 Lines with more than 80 Mbit/s MC + 20 Mbit/s Non-Encrypted TCP-IP Traffic .... 46
7.6 Ethernet Connections with Non-Encrypted TCP-IP Traffic .... 48
7.7 X.21 and V.35 Non-channelised Member Network Connection .... 49
7.8 VPN Encryption Modules for VPN Internet Connections (iAccess) .... 50
8. Required Ports for Firewall Configurations .... 51
8.1 Ports used by MISS-based Front-End Setups .... 51
8.1.1 GATE - Ports .... 51
8.1.2 VALUES - Ports .... 52
8.2 Enhanced Risk Solution – Ports .... 53
8.3 Enhanced Broadcast Solution / CEF® ultra+ - Ports .... 53
8.4 Enhanced Transaction Solution - Ports .... 55
8.5 CEF® - Ports .... 56
8.6 XQS - Ports .... 57
9. Sample Router Configurations .... 58
9.1 General Setup .... 58
9.1.1 Ethernet Leased Lines - Xetra 1 Gbit/s .... 59
9.1.2 Ethernet Leased Lines - Enhanced Broadcast Solution+ Service A .... 60
9.1.3 Ethernet Leased Lines - Enhanced Broadcast Solution+ Service B .... 62
9.1.4 Optional Shaping (QoS) for Enhanced Transaction Solution Simulation .... 63
9.1.5 Ethernet Leased Lines for Enhanced Transaction Solution .... 64
9.1.6 Optional NTP Server for Enhanced Transaction Solution .... 65
9.2 Adding Support for iAccess .... 66
9.2.1 Network Time Protocol for iAccess Connections .... 66
9.2.2 Setting the Time Manually .... 67
9.2.3 IPSec Configuration for iAccess .... 67
9.2.4 IPSec Configuration for Combined Access .... 69
9.2.5 Router Clock Verification .... 71
9.2.6 Enrolment .... 71
9.2.7 Password for Member Verification .... 71
9.2.8 Trusted Peer Verification .... 71
9.2.9 Load Certificate .... 71
9.3 Router for Workstations in a Remote LAN .... 72
10. Terms and Abbreviations .... 73
1. Amendments
In this version of the document, changes relating to the release of Xetra 11 have been highlighted in green.
Change History
Version   Chapter             Comment
2008.10   general             Technical aspects such as ports to be used by the Enhanced Transaction Solution, comments on the encryption technique applied and sample router configurations have been added to the document.
2008.11   7.7                 IOS versions mentioned refer to the CISCO 3800 series routers, assuming Enhanced Broadcast Solution and Enhanced Transaction Solution connections terminate on the same router.
          8.1.5               Changes in the “ip access-list extended AL_dbs_Ets” part of the example configuration.
2008.20   general             Adaptations to accommodate CEF®, XQS, z/OS. Deletion of the Eurex service “New Socket Datafeed”.
          7.7                 Hardware requirements for 100 and 120 Mbps connections.
          9.1.2               Port number Xetra FFM2 simulation changed.
          6.1.5, 6.1.6, 9.2   Port number for Enhanced Broadcast Solution Advanced simulation added.
          9.3                 Port number Enhanced Transaction Solution, Advanced Simulation added.
2008.30   3.3                 New section on security aspects.
          8.2, 8.5            CEF® and XQS ports included.
2008.40   general             Adaptations to Xetra 10, in particular with respect to router equipment.
V.09.03   general             Xetra 10 - New, additional trading interface.
V.09.08   general             Xetra 10.1 - Enhancements of the Xetra Enhanced Broadcast Solution.
V.09.12   general             Eurex WBAG incorporated.
V.10.03   general             Xetra 11, Eurex and CEF® connectivity, Enhanced Risk Solution.
2. Introduction
The purpose of the document “Network Access to Exchange Applications” is to give an overview of network access options for connection to the Exchange platforms and markets Eurex, Xetra, CCP and how to connect to the CEF® market data feeds, XQS, the mainframe via z/OS and the services Enhanced Broadcast Solution and Enhanced Transaction Solution. Depending on the chosen access option and connection alternative, the document supports members when choosing the appropriate router equipment. Port numbers for firewall configurations and example router configurations are also included. This document is intended for network administrators.
The corresponding document Front-End Access to Exchange Applications describes the customer’s front-end setup.
The link between these two documents is the member network device joining the customer’s installation with the Exchanges’ Back-End.
The software setup of the particular MISSes, Member Devices or workstations is not part of this document. For these, please refer to the “Installation Guides” available for GATE and the respective exchanges.
The structure of the document is as follows:
Chapter 3 – Network Overview: information on the Exchange’s leased line and Internet connections
Chapter 4 – Connection Alternatives: explanation of the different connection possibilities
Chapter 5 – Overview Access Options: overview of connection types and bandwidth offered for the respective market and service
Chapter 6 – Network Communication Protocols: details of protocols and multicast addresses used
Chapter 7 – Router Hardware: details of router hardware recommendations
Chapter 8 – Required Ports for Firewall Configurations: details on the application and service port numbers
Chapter 9 – Router Sample Configuration: sample router configurations for the different connectivity possibilities
Chapter 10 – Terms and Abbreviations
2.1 Applications and Services
The table below gives an overview of the applications and services for which this document describes network access options.

Platform   Market/Service                                                                        Protocol
CCP        CCP                                                                                   TCP-IP
CEF®       CEF® Core                                                                             TCP-IP
CEF®       CEF® ultra+ Eurex / CEF® ultra+ Xetra                                                 TCP-IP, UDP-IP (Multicast)
CEF®       CEF® ultra+ Irish Stock Exchange                                                      UDP-IP (Multicast)
Eurex      Eurex (VALUES Connection)                                                             TCP-IP, UDP-IP (Multicast in MISS/WS LAN)
Eurex      Eurex WBAG (VALUES Connection)                                                        TCP-IP, UDP-IP (Multicast in MISS/WS LAN)
Eurex      EEX Derivatives (VALUES Connection)                                                   TCP-IP, UDP-IP (Multicast in MISS/WS LAN)
Eurex      Enhanced Risk Solution                                                                TCP-IP
Eurex      Enhanced Broadcast Solution                                                           UDP-IP (Multicast)
Eurex      Enhanced Transaction Solution                                                         TCP-IP
Xetra      Xetra Frankfurt (VALUES Connection, MISS)                                             TCP-IP, UDP-IP (Multicast in MISS/WS LAN)
Xetra      Xetra Frankfurt 2 (VALUES Connection, MISS)                                           TCP-IP, UDP-IP (Multicast in MISS/WS LAN)
Xetra      Eurex Bonds (VALUES Connection, MISS)                                                 TCP-IP, UDP-IP (Multicast in MISS/WS LAN)
Xetra      Irish Stock Exchange (Irish SE) (VALUES Connection, MISS)                             TCP-IP, UDP-IP (Multicast in MISS/WS LAN)
Xetra      Bulgarian Stock Exchange (VALUES Connection, MISS)                                    TCP-IP, UDP-IP (Multicast in MISS/WS LAN)
Xetra      EEX Spot Market (VALUES Connection, MISS)                                             TCP-IP, UDP-IP (Multicast in MISS/WS LAN)
Xetra      Xetra WBAG (VALUES Connection, MISS)                                                  TCP-IP, UDP-IP (Multicast in MISS/WS LAN)
Xetra      Xetra International Market (VALUES Connection, MISS)                                  TCP-IP, UDP-IP (Multicast in MISS/WS LAN)
Xetra      Enhanced Broadcast Solution, available for Xetra Frankfurt, Irish SE, Xetra International Market      UDP-IP (Multicast)
Xetra      Enhanced Transaction Solution, available for Xetra Frankfurt, Irish SE, Xetra International Market    TCP-IP
XQS        XQS                                                                                   TCP-IP
z/OS       Mainframe Applications                                                                TCP-IP
2.2 Contacts
On various occasions reference is made to further documentation available online. The respective websites and contacts are as follows:

Exchange     Website                                                                 Contact
Eurex, CCP   www.eurexchange.com, www.eurexclearing.com                              +49-69-211-11700, Member Services & Admission
             -> Member Section -> Service Point -> Contacts
Xetra        www.deutsche-boerse.com -> Technology Services -> Support -> Hotlines    +49-69-211-11640, Member Services & Admission
CEF®         https://contracts.deutsche-boerse.com                                   MD+A interactive, +49-69-211-13440, Customer Service
These websites contain technical documentation such as sizing guidelines, release notes, installation and operation guides and can provide additional member specific system state and configuration details on the connection between the member and the respective exchange.
Access to the “Members Only” section on the respective websites is password protected. For details please contact the member’s central coordinator who receives this access information during the admittance procedures. As well as functional support using the telephone numbers outlined in the table above, each exchange offers technical assistance using the telephone numbers below:
EUREX Customer Technical Support        +49-69-211-11200, +1-312-544-1100, +41-58-854-2992
XETRA Customer Technical Support        +49-69-211-18400
XETRA WBAG Customer Technical Support   +49-69-211-11740
CCP Customer Technical Support          +49-69-211-12800
CEF® Customer Technical Support         +49-69-211-11880
XQS Customer Technical Support          +49-69-211-15555
2.3 Other Guides available to Members
The Exchange has published the following additional technical guides available in the respective member section on the websites www.deutsche-boerse.com and www.eurexchange.com.
Other guides available:
• Front-End Access to Exchange Applications
• Common Front-End Sizing Guidelines (Xetra and Eurex)
• Connection Alternatives and Sizing Indication (CCP only)
• GATE Front-End Installation/Operations Guide
• Exchange specific: Front-End Installation/Operation Guides
• VALUES API: Member Front-End Development Guide (the preliminary “planning” and “programming” versions)
• Enhanced Broadcast Solution – Interface Specification
• Enhanced Transaction Solution - Programming Version (Eurex)
• Enhanced Transaction Solution - Interface Specification (Xetra)
• Release Description (Xetra)
• Xentric Quote Source 3.0 – Application Programming Interface
• Interface Specification (CEF® Core, CEF® ultra+ Eurex, CEF® ultra+ Xetra, CEF® ultra+ Irish Stock Exchange)
• CEF® Core Fields and Products
• CEF® Core Fields and Products Guideline
• CEF Release Notes
• Final Technical Release Notes (Eurex, Xetra, CCP)
• Enhanced Risk Solution - Interface Specification Final Version
2.4 Access Order Forms
Several forms must be completed, submitted and approved by the Exchanges in order to gain network access to the respective application environment. These forms (*.pdf) are available on the respective Exchanges websites or can be submitted electronically via the tool “Tickets & Requests” (CEF® connections cannot be ordered via “Tickets & Requests”).
Links to Tickets & Requests (online orders):
http://business.eurexchange.com
http://business.deutsche-boerse.com
Link to Eurex Order Forms:
http://www.eurexchange.com/documents/forms/trading_derivatives/single/technical/miscellaneous_en.html
Link to Xetra Order Forms:
http://deutsche-boerse.com/dbag/dispatch/de/kir/gdb_navigation/trading/40_admission_rules/100_admission_xetra/500_forms/40_Technical
Link to CEF® Order Forms:
https://contracts.deutsche-boerse.com
For Exchange contact details please refer to chapter 2.2 or ask your Central Coordinator for your Key Account Manager at the Exchange.
Note: Additional forms have to be submitted if the role of providing the technical infrastructure for other members (service provider) is required or when the technical infrastructure is not hosted at your site.
2.5 Getting Started
After the decision for the desired access option and hardware to connect to the respective Back-End has been made and the corresponding approval from the respective exchange has been received, it is the member’s responsibility to prepare facilities, select the hardware platform, purchase equipment and configure the Front-End installation. The member can commission these activities to a contractor such as Deutsche Börse Systems’ “ExServes”.
The process of setting up the connection to the Back-End is accompanied by a Technical Account Manager from Deutsche Börse Systems who co-ordinates and schedules the following tasks, which may differ according to the respective Back-End and/or connectivity:
• Installation of a leased line by the respective carrier. A system administrator or technician must be on site for this task.
• Distribution of node names, session IDs, IP addresses and passwords by the exchange, including file transfer (FTP) accounts, if applicable.
• Connection test. All hardware must be on site and correctly configured. Loop-back plugs should be available. Deutsche Börse Systems operators will verify the quality of the connection and, where appropriate, simulate an application failure in order to test a failover configuration.
• For MISS-based installations - delivery of the software (not applicable to Internet workstation-based connections). Using the FTP account, the software for simulation and production will be copied on demand or overnight, using the now established network link to the server. Alternatively, the software can be downloaded from the respective websites.
• For MISS-based installations - installation and configuration of the software. The software kit includes installation notes which system administrators should follow (see Front-End Installation Guide).
3. Network Overview
In order to support the respective applications, an efficient infrastructure representing a dedicated global IP network has been established. Any member connection to the Exchanges’ Back-End systems is connected to an Access Point. Access Points, to which leased lines connect, are located throughout the world in major financial centres where the Exchange members are concentrated. This concept allows the Exchange to extend its private network up to the carriers’ demarcation point at the customer’s site. Each of these Access Points is connected to the Exchange hosts via redundant leased lines. Members are connected to an Access Point via dedicated leased lines and/or via the Internet. Where MISS-based Front-Ends are connected to the Exchange Back-Ends, each MISS communicates via a Communication Server within an Access Point, which multiplies and distributes broadcasts. The figure below shows the overall Exchange network and might differ with respect to a certain platform.
Diagram 3.1: Access Point Concept as of Document’s Release Date (Back End Location, Access Point Location, Customer Location; Access Point locations shown: Vienna, Chicago, Paris, Milan, London, Helsinki, Amsterdam, Dublin, New York, Madrid, Zurich, Frankfurt, Gibraltar, Luxembourg, Singapore)
Given the scope of this document, neither the setup of the Exchanges’ Back-Ends nor other means of electronic communication between the Exchanges and the member are discussed.
For details of setting up the member network for MISS-based installations or Member Devices setups please see the document “Front-End Access To Exchange Applications”.
3.1 Network Connections to the Exchange
The Exchange operates a global private network consisting of leased lines and Internet connections.
3.1.1 Leased Line Connection
The Exchange will provide market and service specific dedicated bandwidth(s) (e.g. Eurex, Xetra, CCP, CEF®, XQS, Enhanced Broadcast Solution etc.). The type and the bandwidth of the underlying member network connection will be determined at the Exchange’s discretion. The Exchange decides whether line sharing with other Exchange markets and services will be applied.
The following leased line connections are provided by the Exchange to connect to the Exchange network:
Leased Line Type     Specification                                               Market or Service
E1                   channelised, G.703 standard, framed by the Exchange         CCP, CEF®, Eurex/Xetra (VALUES), Xetra, XQS, z/OS
E1                   non-channelised, clear channel, G.703 standard              CEF®, Xetra 2 Mbit/s, XQS
T1 (in the U.S.A.)   channelised, framed by the Exchange                         Eurex (VALUES), CEF®
Ethernet             10 to 100 Mbit/s with copper connectivity;                  All services mentioned in this document.
                     1 Gbit/s with copper connectivity, with fibre connectivity
                     or dark fibre
Please note the following additional details:
Proximity Location: Connections in a proximity location will be provided with RJ45 “copper” presentation.
VALUES Connections: The type and the bandwidth of the underlying member network connection will be determined at the Exchange’s discretion.
Enhanced Transaction Solution Connections: The connection for the Enhanced Transaction Solution is encrypted in the network based on the IPSec (256 bit AES encryption) procedure. Only in proximity locations can Enhanced Transaction Solution encryption be switched off on request. Only a total of 2 Enhanced Transaction Solution connections per market (Eurex/Xetra) and subnet are offered, and only one Enhanced Transaction Solution connection per market (Eurex/Xetra) can be established on a leased line.
General: All leased lines will be delivered with full duplex. If it becomes apparent that solutions mentioned in this document need to be expanded the Exchange may consider adding additional options.
3.1.2 Internet Connection
The Internet connection does not need to be used exclusively for the Exchange access; an existing Internet connection may be used if appropriate. The Exchange recommends the use of a dedicated Internet connection or a shared connection with a bandwidth reservation mechanism/protocol.
Any bandwidth to the Internet Service Provider (ISP) may be used. However, on the Exchange side, the usable bandwidth will be limited to the bandwidth offered for the respective market/service.
iAccess (VPN Internet Connection)
In the case of iAccess, whereby the member utilizes its own Front-End network to distribute the trading functionality in-house, the following arrangements have to be made:
• The member has to provide the Internet connection by selecting any ISP of its choice. A registered static public Internet IP address must be available for the connection, as the Exchange will only accept connections from pre-determined IP addresses.
• The router for the Internet connection must be equipped as described in Chapter 7.8 of this guide.
• A Virtual Private Network (VPN) with 168 bit 3DES encryption ensures a secure data transfer over the Internet. The Exchange uses an authentication process with a certificate (Public Key Infrastructure) that will secure communication in a closed user group.
3.2 Network Administration and Responsibilities
The Exchange is responsible for the administration and operation of the network from the Back-End up to the boundary of the carrier demarcation point at the member’s site. All leased line connections are purchased, installed, maintained and owned by the Exchange. This applies also to cross connects in conjunction with proximity services.
For Internet connections the member has to provide the Internet connection by selecting any ISP of its choice. For iAccess connections a registered Internet IP address must be available, as the Exchange will only accept iAccess connections from pre-determined IP addresses.
Internet connectivity, including purchase, installation and configuration, is beyond the control and responsibility of the Exchange. Errors in the Internet connectivity and other related issues such as communication with the ISP etc. have to be handled by the member.
The administration and operation of equipment beyond the connection to the Exchanges, such as routers, MISSes, workstations and other Member Devices at the member’s site, are the responsibility of the member.
However, due to the technical implementation, the Exchange stipulates the necessary parameters for the configuration and layout of the network connection and assigns configuration parameters for the member’s Front-End setup. Administration and operation of the Front-End architecture can be commissioned to a contractor such as Deutsche Börse Systems’ “ExServes” department.
3.3 Network Security
Security is one of the key functions of an Access Point in the network topology. An Access Point is the sole gateway between Exchange Back-End hosts and member installations. Several member installations are connected to the same Access Point. The functions and procedures implemented within an Access Point act as a firewall.
Depending on the market/service the components of an Access Point are:
• Router for the connectivity to Back-End host,
• Router(s) for the connectivity to member installations,
• Communication Server (MISS-based infrastructure only).
The typical IP services (e.g. Telnet, FTP, Finger, SMTP, RPC) are not available on an Access Point. Passive and active security mechanisms are designed for all Exchange routers to ensure that the individual systems of the members are not able to communicate across the network through any means other than the Member Device Front-End.
A Communication Server is an application gateway for application services. A Communication Server can only be accessed by the application-specific connection via the VALUES interface. External systems can reach a Communication Server only via application-specific authorization processes.
The Access Point acts as a shield between the member device and the Exchange Back-End hosts. As shown in the diagram below, if member A tries to access the network of member B, the Access Point will prevent any kind of communication in that direction. Also, if member A tries to access the Back-End directly, the Access Point will stop any kind of unauthorized access to the Back-End. Only application communication is possible, using a limited number of specific ports. In the case of access via a VPN Internet connection, the usage of firewalls is encouraged for additional security.
Diagram 3.2 – Network Security Policy and the Access Point
A router within the Access Point ensures the communication to the member installation. Two security features are established on all routers within an Access Point:
• Accessibility control feature: The IP networks belonging to installations of different members are not reachable by others through the Access Point network.
• Transport control feature: The Access Point network will transport only data belonging to the application-specific connection.
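The two Access Point rules above can be read as a packet-filter policy. The following Python model is an added illustration, not Deutsche Börse code or router configuration: it encodes the accessibility control (member networks are unreachable from other members), the transport control (only application-specific connections are forwarded) and the absence of the typical IP services named in this section, and runs the policy over a handful of constructed flows. The member names, address ranges and application port numbers are assumptions made for the example; the real ranges and ports are those the Exchange assigns (sections 6 and 8).

```python
"""Packet-filter model of the Access Point rules in section 3.3.

Added illustration, not Deutsche Börse code or configuration. Member
names, address ranges and the application port numbers are constructed
for the example; in practice the Exchange assigns the ranges (section 6)
and publishes the port numbers (section 8).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed: one private range per member installation, one for the Back-End.
MEMBER_NETWORKS = {
    "member_a": ip_network("10.10.1.0/24"),
    "member_b": ip_network("10.10.2.0/24"),
}
BACKEND_NETWORK = ip_network("10.200.0.0/16")

# Constructed: (protocol, port) pairs of the application-specific connections.
APPLICATION_PORTS = {("tcp", 12345), ("tcp", 12346)}

# Typical IP services the guide states are not available on an Access Point.
BLOCKED_SERVICES = {
    ("tcp", 21): "FTP", ("tcp", 23): "Telnet", ("tcp", 25): "SMTP",
    ("tcp", 79): "Finger", ("tcp", 111): "RPC", ("udp", 111): "RPC",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def zone(addr: str) -> Optional[str]:
    """Return the member name, "backend", or None for an address outside all ranges."""
    ip = ip_address(addr)
    if ip in BACKEND_NETWORK:
        return "backend"
    for name, net in MEMBER_NETWORKS.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Decide whether the Access Point forwards the flow and name the rule that applied."""
    src, dst = zone(flow.src), zone(flow.dst)
    service = (flow.proto.lower(), flow.dport)

    if src is None or dst is None:
        return False, "accessibility control: address outside Exchange and member ranges"
    if src == dst:
        return False, "not forwarded: traffic stays inside one network"
    if src != "backend" and dst != "backend":
        return False, "accessibility control: member networks are not reachable by other members"
    # From here on exactly one side is the Back-End; apply the transport control.
    if service in BLOCKED_SERVICES:
        return False, f"transport control: {BLOCKED_SERVICES[service]} is not available on an Access Point"
    if service in APPLICATION_PORTS:
        return True, "transport control: application-specific connection"
    return False, "transport control: only application-specific connections are transported"


def audit(flows: List[Flow]) -> List[Tuple[Flow, bool, str]]:
    """Evaluate a batch of flows, e.g. a sample drawn from a flow log."""
    return [(f, *evaluate(f)) for f in flows]


# Constructed sample flows: member A trading, probing member B and the Back-End.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.200.1.10", "tcp", 12345),  # application session
    Flow("10.10.1.5", "10.10.2.20", "tcp", 12345),   # member A towards member B
    Flow("10.10.1.5", "10.200.1.10", "tcp", 23),     # Telnet towards the Back-End
    Flow("10.10.1.5", "10.200.1.10", "tcp", 8080),   # port not registered for any application
    Flow("10.200.1.10", "10.10.1.5", "tcp", 12346),  # Back-End towards member on an application port
    Flow("192.0.2.9", "10.200.1.10", "tcp", 12345),  # source outside all known ranges
]

if __name__ == "__main__":
    for flow, allowed, reason in audit(SAMPLE_FLOWS):
        verdict = "PERMIT" if allowed else "DENY  "
        print(f"{verdict} {flow.src:>12} -> {flow.dst:<12} {flow.proto}/{flow.dport:<5} {reason}")
```

Running the block prints a permit or deny verdict together with the rule that fired for each sample flow; the same evaluate() call can be run over exported flow records to check that a member installation only ever sees traffic that fits the two rules.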
3.4 Network Failover
No network failover will be provided for the markets and services mentioned in this document. The application must initialise the failover to a backup network connection if applicable. Please see the document “Front-End Access To Exchange Applications”.
4. Connection Alternatives
4.1 Standard Connection: Two Leased Lines
This setup offers the highest availability.
[Diagram 4.1 labels: Member Device/Router-LAN, Member Router, Access Point A, Access Point B, to Exchange Back End]
Diagram 4.1 – Two Leased Lines connected to separate Access Points
Technical Implementation:
The Exchange will provide bandwidth on a leased line and, wherever possible, two leased lines are ordered from different providers with separate infrastructure (separate cabling and technical components; dual rail concept). In geographic areas where multiple telecommunication providers are not available, all measures ensuring the highest possible degree of redundancy will be taken. It is possible to terminate both connections in separate locations (split location). The Exchange will assign the same private IP address range to both connections (see section 6). The provision, operation and administration of the interconnection between both member locations is the member’s responsibility. Recommendations for router equipment for the various types of connections are provided in chapter 7.
4.1.1 Consolidated Connections
Eurex and Xetra offer network connections which consolidate the various connection types Enhanced Broadcast Solution and/or Enhanced Transaction Solution and/or VALUES connections of the respective market, Eurex or Xetra (for the portfolio offered please see section 5). On a leased line only one Enhanced Broadcast Solution and one Enhanced Transaction Solution connection per market (Eurex/Xetra) can be established, but multiple VALUES connections per market can be configured. Eurex and Xetra offer a single consolidated connection for disaster recovery locations.
When the Enhanced Broadcast Solution is configured on a high bandwidth connection, a minimum bandwidth of 10 Mbit/s per market is required for the Enhanced Broadcast Solution. If capacity of a consolidated connection has not been assigned to a specific Eurex/Xetra connection, the remaining bandwidth will be added to the Enhanced Broadcast Solution bandwidth of the respective market on the consolidated connection (please see the diagram below). Recommendations for router equipment for the various types of connections are provided in chapter 7.
Diagram 4.2 – Example: 70 Mbit/s Eurex Consolidated Connection – the remaining bandwidth of 48 Mbit/s has been assigned to the Eurex Enhanced Broadcast Solution service. Additionally, on the same leased line a 30 Mbit/s Xetra Consolidated Network Connection has been configured. The remaining bandwidth of 17 Mbit/s of the Xetra Consolidated Network Connection has been assigned to the Xetra Enhanced Broadcast Solution service.
Note: The provision of high bandwidth Ethernet connections is subject to the technical availability in the selected location.
4.1.2 Enhanced Broadcast Solution
The Eurex/Xetra Enhanced Broadcast Solution data stream is propagated in a “live-live” concept by disseminating two services, A and B. Both services contain the same streams but utilize different Multicast groups. Only one service (A or B) will be transmitted per leased line connection; a service (A or B) is linked to the transmitting leased line. An automatic failover of the respective service in case of a line failure is not possible. Due to the inherently unreliable delivery mechanism of the UDP protocol, packets may be lost in transmission, arrive out of order or be duplicated. Members are advised to subscribe to both services simultaneously on different leased lines to reduce the possibility of data loss. These two leased lines will be connected to different Access Points. A specific Access Point can provide only one service: depending on the Access Point, either service A or B is provided. It is the responsibility of the client application to cater for packets which may have been lost, arrive out of order or are duplicated. The Enhanced Broadcast Solution data stream relies on IGMPv2 features.
Note: The optimal gateway location for trading a respective product via the Enhanced Transaction Solution Interface is available in the response to the Enhanced Transaction Solution request Inquire Product Request within Eurex and Inquire Instrument within Xetra. The Enhanced Broadcast Solution Stream A originates from the Eurex/Xetra data center where the products with OptiGatewayLocID = “0” are hosted, and stream B originates from the data center where products with OptiGatewayLocID = “1” are hosted (please see also the document “Front-End Access To Exchange Applications”, section 5).
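The A/B arbitration a client application needs for the live-live stream described above, as an added example that is not part of the guide. It assumes (hypothetically, since the guide does not describe the wire format) that every datagram carries a per-feed sequence number; the service labels, the window size and the sample event lists are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LiveLiveArbiter:
    """Merges service A and service B of one feed into a single in-order stream.
    Assumption: each datagram carries a monotonically increasing sequence number."""
    max_reorder: int = 64                        # how far ahead we buffer before declaring a gap
    next_seq: int = 1                            # next sequence number the application expects
    pending: Dict[int, bytes] = field(default_factory=dict)    # buffered out-of-order datagrams
    gaps: List[Tuple[int, int]] = field(default_factory=list)  # (first, last) sequence numbers given up on
    stats: Dict[str, int] = field(
        default_factory=lambda: {"A": 0, "B": 0, "delivered": 0, "dropped": 0})

    def feed(self, service: str, seq: int, payload: bytes) -> List[bytes]:
        """Offer one datagram from 'A' or 'B'; return the payloads now deliverable in order."""
        self.stats[service] += 1
        if seq < self.next_seq or seq in self.pending:
            # Already delivered (the other service was first), already buffered,
            # or arriving too late after a gap was declared: drop it.
            self.stats["dropped"] += 1
            return []
        self.pending[seq] = payload
        out = self._drain()
        if self.pending and max(self.pending) - self.next_seq >= self.max_reorder:
            # Neither service filled the hole within the window: record the gap and resume.
            first_missing = self.next_seq
            self.next_seq = min(self.pending)
            self.gaps.append((first_missing, self.next_seq - 1))
            out.extend(self._drain())
        return out

    def _drain(self) -> List[bytes]:
        """Deliver every buffered datagram that is now next in sequence."""
        out: List[bytes] = []
        while self.next_seq in self.pending:
            out.append(self.pending.pop(self.next_seq))
            self.next_seq += 1
            self.stats["delivered"] += 1
        return out


def demo() -> Tuple[LiveLiveArbiter, List[bytes]]:
    """Constructed scenario: A loses datagram 3, B is late, and both duplicate each other."""
    arb = LiveLiveArbiter()
    events = [("A", 1), ("B", 1), ("A", 2), ("A", 4), ("B", 2),
              ("B", 3), ("B", 4), ("A", 5), ("B", 5)]
    delivered: List[bytes] = []
    for service, seq in events:
        delivered.extend(arb.feed(service, seq, f"msg{seq}".encode()))
    return arb, delivered


def demo_gap() -> LiveLiveArbiter:
    """Constructed scenario: both services lose 2 and 3; a small window reports the gap."""
    arb = LiveLiveArbiter(max_reorder=2)
    for service, seq in [("A", 1), ("B", 1), ("A", 4), ("B", 4), ("A", 5)]:
        arb.feed(service, seq, f"msg{seq}".encode())
    return arb


if __name__ == "__main__":
    arbiter, msgs = demo()
    print(msgs, arbiter.stats, arbiter.gaps)
    print(demo_gap().gaps)
```

A reported gap is the point at which the application would invoke the feed's recovery mechanism rather than continue on incomplete data.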
4.1.3 Enhanced Transaction Solution
The Eurex/Xetra Enhanced Transaction Solution is an asynchronous message-based interface. The Enhanced Transaction Solution connection between members and the Eurex/Xetra system is established via a TCP connection. The Enhanced Transaction Solution is session-oriented, whereby the session is the basic context of the interaction with the respective Back-End system. Sessions are assigned for use by a pair of gateways authorized from a specific class C subnet*. Members are advised to subscribe to a redundant setup. If a redundant setup has been ordered, the two gateways assigned to one session are accommodated in two different gateway groups accessible via the corresponding leased line connections. Only the assigned gateways will accept connection requests from clients using a respective session ID belonging to the subnet* assigned by the Exchange. If Enhanced Transaction Solution production and Enhanced Transaction Solution simulation are used within the same connection, it is recommended to protect production by enabling QoS for Enhanced Transaction Solution simulation. Leaving the Nagle algorithm enabled (“Nagle on”) will slow down your application and make your throttle-related bookkeeping unreliable.
Members are asked to set the value of the delayed/deferred acknowledge parameter in the respective operating system of their Enhanced Transaction Solution trading machine to zero, i.e. no delayed/deferred acknowledge. Client host addresses are administered by customers.
The connection for the Enhanced Transaction Solution is encrypted in the network based on IPSec (256 bit AES encryption). Only in proximity locations can Enhanced Transaction Solution encryption be switched off on request. Eurex and Xetra production sessions assigned to Enhanced Transaction Solution connections with encryption switched off connect to gateway groups different from those that sessions on encrypted Enhanced Transaction Solution connections connect to. Only a total of 2 Enhanced Transaction Solution connections per market (Eurex/Xetra) and subnet are offered, and only one Enhanced Transaction Solution connection per market (Eurex/Xetra) can be established on a leased line.
In case two Enhanced Transaction Solution connections are configured on one leased line either both connections are encrypted or both are not encrypted.
*Note: Eurex and Xetra offer the option to have two different subnets assigned to each session. Sessions used for non-encrypted Enhanced Transaction Solution connections which have a second subnet assigned for encrypted Enhanced Transaction Solution connections can make use of four gateways.
4.1.4 CEF® ultra+
Technically the respective CEF® ultra+ data feeds are the same as the Enhanced Broadcast Solution Feed for Eurex and Xetra. Therefore the concept described in chapter 4.1.2 holds as well for the CEF® ultra+ data feed.
However, beside UDP, the TCP protocol is used for CEF® ultra+ connections for sending application requests/responses between an Access Point and a customer installation via a reliable communication link. This link is used for the Trade Recovery Functionality.
Host IP addresses for trade recovery of CEF® ultra+ feeds:
• Production environment: CEF Data Feed 1 > IP Address 91.251.33.40; CEF Data Feed 2 > IP Address 91.251.34.40; Port 55003
• Simulation environment: CEF Data Feed 1 > IP Address 91.251.33.41; CEF Data Feed 2 > IP Address 91.251.34.41; Port 55003
* Note: CEF® ultra+ Irish Stock Exchange will not be available with a ”trade recovery” functionality.
4.2 Combined Access: One Leased Line plus iAccess (Backup)
This solution offers high availability. The leased line is the primary connection and is used for all data traffic. Failure of the leased line results in the use of the backup VPN Internet connection.
[Diagram 4.3 labels: Member Device/Router-LAN, Member Router, Access Point A (leased line), Access Point B (Internet VPN Tunnel), to Exchange Back End]
Diagram 4.3 – One Leased Line and one VPN Internet connection (iAccess) connected to separate Access Points
Technical Implementation:
The Exchange will provide bandwidth on a leased line. The member is responsible for the provision and availability of the Internet connection. It is possible to terminate both connections in separate locations (split location). The Exchange will assign the same private IP address range to both connections (see section 6). The provision, operation and administration of the interconnection between both member locations is the member’s responsibility. Recommendations for router equipment for the various types of connections are provided in chapter 7.
4.3 iAccess: VPN Internet Connection
The connection alternative "iAccess" is a permanent point-to-point VPN Internet connection between a member router and an Access Point. Virtual Private Networks use advanced encryption and tunnelling to permit organizations to establish secure end-to-end, private network connections over third-party networks, such as the Internet. A tunnel through the Internet is established by employing IPSec (3DES 168 bit). The availability of this access option is determined by the reliability of the underlying Internet connection. The member is responsible for the provision and availability of the Internet connection.
Diagram 4.4 – VPN Internet connection (iAccess)
Technical Implementation: The router connecting the member to the Exchange via a VPN Internet connection uses the IPSec protocol – 168bit 3DES. The total bandwidth must be the sum of the required bandwidths for each required market (platform). Recommendations for router equipment for the various types of connections are provided in chapter 7.
4.4 Single Leased Line Connections
Under certain circumstances the Exchanges will allow the connection of a single leased line to Eurex, Xetra or CCP production environment i.e. without a leased line or iAccess backup.
Diagram 4.5 – Single leased line connection
In general, single leased line connections are not intended for trading installations, but may be allowed for disaster recovery and backup locations. The Enhanced Transaction Solution can be installed with a single leased line connection, with the consequence of a lack of redundancy. Due to the nature of the Enhanced Broadcast Solution data stream, the Exchange advises the member to subscribe to service A and service B via independent connections (see section 4.1.2 of this chapter).
Technical Implementation: The Exchange will provide bandwidth on a leased line. Recommendations for router equipment for the various types of connections are provided in chapter 7.
5. Overview Access Options
The following tables in this section summarise the connection alternatives for the particular Exchange markets and services. Please refer to Chapter 4 “Connection Alternatives” for further explanation.
5.1 Router-based Access Options
Platform | Market/Service | Standard Access | Consolidated Connection (3) | Combined Access | iAccess | Single Leased Line (2)
CCP | CCP | 64 kbit/s | n.a. | 64 kbit/s | 64 kbit/s | 64 kbit/s
CEF® | CEF® Core | 2 Mbit/s to 1 Gbit/s | 10 Mbit/s to 1 Gbit/s | 2 Mbit/s to 4 Mbit/s | 2 Mbit/s to 4 Mbit/s | 2 Mbit/s to 1 Gbit/s
CEF® | CEF® ultra+ Eurex, CEF® ultra+ Xetra, CEF® ultra+ Irish Stock Exchange | 10 Mbit/s to 1 Gbit/s | 10 Mbit/s to 1 Gbit/s | n.a. | n.a. | 10 Mbit/s to 1 Gbit/s
Eurex* | VALUES (MISS) Connection | 1 Mbit/s, 10 Mbit/s, n x 1 Mbit/s, n x 10 Mbit/s, 1 Mbit/s, 1 Mbit/s, n x 1 Mbit/s, n x 10 Mbit/s
Eurex* | WBAG | 128 kbit/s | n.a. | 128 kbit/s | 128 kbit/s | n.a.
Eurex* | EEX Derivatives | 1 Mbit/s | n.a. | 1 Mbit/s | 1 Mbit/s | 1 Mbit/s
Eurex* | Enhanced Risk Solution (1) | 1 Mbit/s | n.a. | 1 Mbit/s | 1 Mbit/s | 1 Mbit/s
Eurex* | Enhanced Transaction Solution | 10 Mbit/s | 1 Mbit/s, 10 Mbit/s | n.a. | n.a. | 10 Mbit/s
Eurex* | Enhanced Broadcast Solution | 10, 20, 30, 50, 60, 70 Mbit/s | 10 Mbit/s + remaining bandwidth of Consolidated Eurex Connection | n.a. | n.a. | 10, 20, 30, 50, 60, 70 Mbit/s
*Within Proximity locations Eurex offers additionally 100, 120 and 600 Mbit/s consolidated connection options and 1 Gbit/s Eurex Enhanced Broadcast Solution connections. In London a 600 Mbit/s consolidated connection option is offered beside the consolidated Eurex connections which can be ordered outside the proximity locations (please see table above).
Platform | Market/Service | Standard Access | Consolidated Connection (3) | Combined Access | iAccess | Single Leased Line (2)
Xetra | Enhanced Transaction Solution (available for Xetra Frankfurt, Irish SE, Xetra International Market) | 10 Mbit/s | 2 Mbit/s, 10 Mbit/s | n.a. | n.a. | 10 Mbit/s
Xetra | Enhanced Broadcast Solution (available for Xetra Frankfurt, Irish SE, Xetra International Market) | 10, 20, 30, 40, 50 Mbit/s | 10 Mbit/s + remaining bandwidth of Consolidated Xetra Connection | n.a. | n.a. | 10, 20, 30, 40, 50 Mbit/s
Xetra | VALUES Connection (MISS): Xetra Frankfurt, Xetra Frankfurt 2 (4), Eurex Bonds, Irish Stock Exchange (Irish SE), Bulgarian Stock Exchange, Xetra International Market | 512 kbit/s, 2 Mbit/s, 1 Gbit/s, 512 kbit/s, 2 Mbit/s
Xetra | EEX Spot Market | 512 kbit/s | n.a. | 512 kbit/s | 512 kbit/s | 512 kbit/s
Xetra | WBAG | 128 kbit/s | n.a. | 128 kbit/s | 128 kbit/s | n.a.
XQS | XQS Issuers, XQS Specialists (5) | 64, 128, 256, 512 kbit/s; 1 or 2 Mbit/s | n.a. | n.a. | n.a. | 64, 128, 256, 512 kbit/s; 1 or 2 Mbit/s
z/OS | Mainframe Applications | 64, 128, 256 kbit/s | n.a. | 64, 128, 256 kbit/s | 64, 128, 256 kbit/s | n.a.
(1) Enhanced Risk Solution: A Eurex Clearing AG service (optional) providing members near-time risk data.
(2) Div.: Regarding Eurex (VALUES) and Xetra (512 kbit/s), single leased line connections are allowed for disaster recovery and backup locations only. Not advised for the CEF® and the Enhanced Broadcast Solution service (see 4.1.2).
(3) Consolidated Connection: Eurex offers consolidated connections up to 70 Mbit/s in steps of 10 Mbit/s (except 40 Mbit/s). Within Proximity locations Eurex offers additionally 100, 120 and 600 Mbit/s consolidated connection options and 1 Gbit/s Eurex Enhanced Broadcast Solution connections. In London a 600 Mbit/s consolidated connection option is offered beside the consolidated Eurex connections which can be ordered outside the proximity locations. The Eurex Enhanced Broadcast Solution 1 Gbit/s connection does not allow any other service to be transmitted on the same circuit. Xetra offers consolidated connections up to 50 Mbit/s in steps of 10 Mbit/s. A Eurex/Xetra trading membership is mandatory to connect to the production environment of the Enhanced Broadcast Solution. CEF® offers consolidated connections up to 1 Gbit/s, e.g. if the customer wants to combine several CEF® Data Feeds on a single connection.
(4) Xetra Frankfurt 2: In case 512 kbit/s or 2 Mbit/s Xetra Frankfurt connections are used in shared mode on 2 Mbit/s lines, the Xetra Frankfurt outbound traffic will be prioritised over Xetra Frankfurt 2 outbound traffic (outbound = traffic from the Xetra Back-End to the member). Issuers and Specialists can use XQS to provide quotes to Xetra Frankfurt 2 with respect to the appropriate market model.
(5) XQS Specialist: For Specialists it is compulsory to have the quote machines in separate locations which are at minimum 2 km apart.
(6) General: The type and bandwidth of the member network connection will be determined at the Exchange’s discretion.
5.2 Internet-Workstation-based Access Options
Platform | Market/Service | Internet Bandwidth (1)
Eurex | EEX Derivatives | 1 Mbps
Xetra | EEX Spot Market | 1 Mbps
(1) Minimum bandwidth of the underlying Internet connection.
6. Network Communication Protocols
Depending on the market/service and the network connection, different protocols are used:
• Leased lines E1 or T1: EIGRP and TCP-IP
• Ethernet Connections VALUES, and all CEF® Core connections: EIGRP and TCP-IP
• Enhanced Risk Solution: EIGRP, TCP-IP, SSL
• Ethernet Connections CEF® ultra+ and Enhanced Broadcast Solution: EIGRP and UDP-IP (Multicast)
• Ethernet Connections Enhanced Transaction Solution: EIGRP, TCP-IP and IPSec (AES 256 bit)
• All VPN Internet Connections: EIGRP, TCP-IP and IPSec (3DES 168 bit)
• Internet Workstation-based: TCP-IP, SSL, SFTP
Note: Within proximity locations Enhanced Transaction Solution encryption can be switched off on request.
IPSec AES (Enhanced Transaction Solution connections)
The Advanced Encryption Standard (AES) feature adds support for the encryption standard AES, with Cipher Block Chaining (CBC) mode, to IP Security (IPSec). AES is a privacy transform for IPSec and Internet Key Exchange (IKE) and has been developed to replace the Data Encryption Standard (DES). AES is designed to be more secure than DES: AES offers a larger key size, while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. AES has a variable key length—the algorithm can specify a 128-bit key (the default), a 192-bit key, or a 256-bit key.
EIGRP (all leased line connections)
Member routers connected to the Exchange’s Access Points via leased lines or VPN Internet connections (iAccess) use EIGRP (default). The Exchange will assign an autonomous EIGRP system number.
IGMP (Enhanced Broadcast Solution, CEF® ultra+)
The Internet-Group-Management-Protocol (IGMP) is a control mechanism. The Enhanced Broadcast Solution data stream and CEF® ultra+ rely on IGMPv2 features.
IP
For details on the Internet Protocol (IP), please refer to the website of the Internet Engineering Task Force (IETF): http://www.ietf.org.
IPSec 3DES (iAccess connections)
The router connecting the member to the Exchange via a VPN Internet connection uses the IPSec protocol. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. Several functions are implemented as part of IPSec:
• Certification Authority (CA): The Exchange issues certificates for the member router. The member router will request the certificate during initial setup. The certificate will be shown on the member router and must be accepted or rejected by the member. The validity of the certificate will be verified interactively between the member and the Exchange. After validation the certificate is stored permanently in the router. Certificates expire after a period of 36 months. The member is responsible for deleting the certificate from his router if the router is no longer needed for connection to the Exchange. If the router becomes unavailable or inoperative, the member must inform the Exchange immediately, which will then revoke the certificate.
• Encryption policy, defining how to encrypt: 3DES is used with 168 bit keys (“168bit 3DES”).
• Crypto map set, defining what data is to be encrypted: all the data exchanged between the customer and the Exchange is encrypted.
• Enrollment URL: http://193.29.78.191:10081/cgi-bin/pkiclient.exe
• Port: 10081
SSL
The Secure Socket Layer (SSL 3.0) is an Internet standard protocol that supports the standard security features (confidentiality, data integrity, data origin authentication and server authentication). Regarding the SSL encryption used by the Enhanced Risk Solution please be referred to the document “Enhanced Risk Solution - Interface Specification Final Version”.
UDP
As with IP, UDP is a connectionless protocol and does not provide the same mechanisms that TCP does regarding lost or out of order packets. Consequently it is the application’s responsibility to manage lost, out of order or duplicated packets.
6.1 Address Scheme
The Exchange network is a private network with private IP addressing rules and naming conventions. Private IP addresses will be assigned to all the network interfaces connected to the Member Device (MD)/router LAN. Addresses are class A, subnetted to class C, using subnetting as defined in the TCP/IP standards.
All Exchange and member devices are given addresses in the x.a.b.0 network using class C subnet masks, where:
• x is a number in the range between 89 and 94, assigned by the Exchange for the respective markets/services;
• a and b can hold any value between 1 and 254; this means that 64516 (254*254) IP networks are available;
• h = 1 up to 254 is the host number, i.e. a maximum of 254 hosts are available within one network; h = 0 is used to address the entire x.a.b network.
Example: A MD with the IP address 90.1.201.8 and a network mask of 255.255.255.0. Here, 90.1.201 is the network part and 8 is the host id. The whole MD/router network is referred to as 90.1.201.0.
6.2 Network Names
The Exchange allocates host names for the member Front-End components. The first character is either ‘M’ or ‘R’, indicating whether the node is a MD or a Router. This is followed by a number assigned by the Exchange. The use of the Exchange defined names is compulsory for the Internet connected VPN routers and is strongly recommended for the rest of the hardware components since this also facilitates the administration and communication between the member system administrator and the Exchange.
6.3 General Rules for Addressing
The addressing concept for a network is based on the following principles:
• The Exchange network is a private network and it does not conform to the Internet conventions
• The Exchange uses the networks 89.0.0.0 to 94.255.255.0, except for the source addresses of the Enhanced Broadcast Solution, where official public IP addresses are used (please see section 6.5)
• The IP network(s) and addresses are provided and distributed to members by the Exchange during the admission process
• The first 3 octets of the member addresses are fixed; the 4th octet is used for addressing different devices within the member installation
• A Class C subnet mask 255.255.255.0 is used
[Address layout: IP address x . a . b . h with subnet mask 255 . 255 . 255 . 0; x.a.b is the network part (with b as the subnet ID) and h is the host ID]
6.4 Market/Services Specific IP Ranges
Private IP address ranges assigned by the Exchange with respect to the according market/service:
1. Octet Market/Service Example
89 or 90 Eurex and Xetra 90.1.201.0
91 CEF® 91.1.201.0
92 z/OS 92.1.201.0
94 XQS 94.1.201.0
6.5 Individual Host Addresses
The individual hosts are assigned within the member installation as shown below:
Range Usage
1 - 20 MD (assigned by the Exchange)
21 - 40 Routers (assigned by the Exchange)
41 - 199 Available for assignment by the member. These may be used for workstations in case of a single LAN configuration. In a two-LAN configuration, the member is free to use his own addressing rules for the workstations.
200 - 255 Reserved for future use
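An added example, not part of the guide, that applies the addressing rules of sections 6.1, 6.4 and 6.5 to check addresses found in a member configuration: first octet to market/service, a and b within 1 to 254, and the host id classified into the MD, router, member and reserved ranges. The address list in audit() is constructed for the demonstration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Section 6.4: first octet -> market/service.
MARKET_BY_FIRST_OCTET = {89: "Eurex and Xetra", 90: "Eurex and Xetra",
                         91: "CEF", 92: "z/OS", 94: "XQS"}

# Section 6.5: host id ranges within the member installation.
HOST_RANGES = [
    (1, 20, "MD (assigned by the Exchange)"),
    (21, 40, "Router (assigned by the Exchange)"),
    (41, 199, "available for assignment by the member"),
    (200, 255, "reserved for future use"),
]


def classify(addr: str) -> Dict[str, object]:
    """Describe one address under the x.a.b.h scheme with a 255.255.255.0 mask.
    Raises ValueError for anything outside the Exchange private scheme."""
    x, a, b, h = ipaddress.IPv4Address(addr).packed      # the four octets as ints
    if not 89 <= x <= 94:
        raise ValueError(f"{addr}: first octet {x} is outside the Exchange range 89-94")
    if not (1 <= a <= 254 and 1 <= b <= 254):
        raise ValueError(f"{addr}: octets a and b must be between 1 and 254")
    if h == 0:
        role = "network address (entire x.a.b network)"
    else:
        role = next(name for lo, hi, name in HOST_RANGES if lo <= h <= hi)
    return {
        "market": MARKET_BY_FIRST_OCTET.get(x, "not listed in section 6.4"),
        "network": f"{x}.{a}.{b}.0",
        "host_id": h,
        "role": role,
    }


def audit(addrs: List[str]) -> List[Tuple[str, str]]:
    """Return (address, problem) pairs for addresses that violate the scheme or
    use a host id from the reserved range."""
    problems = []
    for addr in addrs:
        try:
            info = classify(addr)
        except ValueError as exc:
            problems.append((addr, str(exc)))
            continue
        if info["role"].startswith("reserved"):
            problems.append((addr, "host id 200-255 is reserved for future use"))
    return problems


# Constructed sample: what a member might have configured on the MD/router LAN.
SAMPLE_ADDRESSES = ["90.1.201.8", "90.1.201.25", "90.1.201.100",
                    "90.1.201.210", "90.1.0.5", "10.0.0.1"]

if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES[:3]:
        print(addr, classify(addr))
    for addr, problem in audit(SAMPLE_ADDRESSES):
        print("PROBLEM:", addr, problem)
```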
6.6 Addressing and Name Exceptions
Some older configurations use different names and addresses. These may be kept if desired. The setup in this document is to be used accordingly. In case of any queries please contact the Customer Technical Support of the respective Exchange – for contact information see chapter 2.
6.7 Multicast Groups
Please take into consideration that the multicast groups for the Enhanced Broadcast Solution and CEF® ultra+ do not conflict with the local multicast groups used for MISS-based installations. Please see the recommendation given in section 6.7.1. An overview of the port numbers is given in Chapter 9.
6.7.1 MISS-based Installations
The multicast groups used by a MISS Server for each application must be assigned by the member’s network administrator.
RFC0791 defines the range from 224.0.0.0 through 239.255.255.255 as valid multicast addresses. The Exchange recommends using the limited scope of 239.0.0.0/10 on MISSes.
6.7.2 Reference Information – Enhanced Broadcast Solution and CEF® ultra+
The product reference information provided by the reference information stream contains the respective multicast channel information (i.e. multicast group and port number) for all available products. The multicast group and port number combinations for the reference data disseminated by the static reference data interface are as follows:
Eurex/CEF® ultra+ Eurex
Environment | Service A | Service B | Platform
Production | 224.0.29.255:50099 | 224.0.30.255:50099 | Eurex, CEF® ultra+ Eurex
Simulation | 233.49.81.127:50199 | 233.49.81.255:50199 | Eurex, CEF® ultra+ Eurex
Adv. Simulation | 233.49.81.127:50399 | 233.49.81.255:50399 | Eurex, CEF® ultra+ Eurex
Xetra Frankfurt/CEF® ultra+ Xetra
Environment | Service A | Service B | Platform
Production | 224.0.46.0:55199 | 224.0.47.0:55199 | Xetra, CEF® ultra+ Xetra
Simulation | 224.0.48.0:55299 | 224.0.49.0:55299 | Xetra, CEF® ultra+ Xetra
Adv. Simulation | 224.0.48.104:55399 | 224.0.49.104:55399 | Xetra, CEF® ultra+ Xetra
Xetra Irish SE/CEF® ultra+ Irish Stock Exchange
Environment | Service A | Service B | Platform
Production | 224.0.46.80:55599 | 224.0.47.0:55599 | Xetra Irish SE*, CEF® ultra+ Irish Stock Exchange
Simulation | 224.0.48.0:55299 | 224.0.49.0:55299 | Xetra Frankfurt, CEF® ultra+ Irish Stock Exchange
*Note: The reference information for Xetra Irish SE will be included in the reference information stream of Xetra Frankfurt.
Xetra International Market/CEF® ultra+ Xetra
Environment | Service A | Service B | Platform
Production | 224.0.46.240:55799 | 224.0.47.240:55799 | Xetra International Market*, CEF® ultra+ Xetra
Simulation | 224.0.48.0:55299 | 224.0.49.0:55299 | Xetra Frankfurt, CEF® ultra+ Xetra
*Note: The reference information for Xetra International Market will be included in the reference information stream of Xetra Frankfurt.
6.7.3 Enhanced Broadcast Solution and CEF® ultra+
The following multicast group ranges are used for the Enhanced Broadcast Solution/CEF® ultra+:
• Multicast groups: official public IP range assigned to the Exchange by IANA
• Eurex Simulation/Advanced Simulation multicast groups only: GLOP with official public AS number (2nd and 3rd octet)
Important Note: The multicast addresses mentioned in the tables below might be subject to change. The multicast addresses used are transmitted with the reference information stream, please see section 6.7.2 above.
Eurex Enhanced Broadcast Solution/CEF® ultra+ Eurex
Environment | Description | Service A | Service B
Production | Multicast Groups | 224.0.29.0/24 | 224.0.30.0/24
Production | Multicast Source Networks | 193.29.95.0/27 and 193.29.95.32/27 | 193.29.95.64/27 and 193.29.95.96/27
Simulation and Advanced Simulation | Multicast Groups | 233.49.81.0/25 | 233.49.81.128/25
Simulation and Advanced Simulation | Multicast Source Networks | 193.29.95.128/29 and 193.29.95.136/29 | 193.29.95.144/29 and 193.29.95.152/29
Xetra Frankfurt Enhanced Broadcast Solution/CEF® ultra+ Xetra
Environment | Description | Service A | Service B
Production | Multicast Groups | 224.0.46.0 - 224.0.46.79 | 224.0.47.0 - 224.0.47.79
Production | Multicast Source Networks | 193.29.93.0/27 and 193.29.93.32/27 | 193.29.93.64/27 and 193.29.93.96/27
Simulation | Multicast Groups | 224.0.48.0 - 224.0.48.39 | 224.0.49.0 - 224.0.49.39
Simulation | Multicast Source Networks | 193.29.93.128/29 and 193.29.93.136/29 | 193.29.93.144/29 and 193.29.93.152/29
Advanced Simulation | Multicast Groups | 224.0.48.104 - 224.0.48.143 | 224.0.49.104 - 224.0.49.143
Advanced Simulation | Multicast Source Networks | 193.29.93.128/29 and 193.29.93.136/29 | 193.29.93.144/29 and 193.29.93.152/29
Xetra Irish SE Enhanced Broadcast Solution/CEF® ultra+ Irish Stock Exchange
Environment | Description | Service A | Service B
Production | Multicast Groups | 224.0.46.80 - 224.0.46.95 | 224.0.47.80 - 224.0.47.95
Production | Multicast Source Networks | 193.29.93.0/27 and 193.29.93.32/27 | 193.29.93.64/27 and 193.29.93.96/27
Simulation | Multicast Groups | 224.0.48.40 - 224.0.48.47 | 224.0.49.40 - 224.0.49.47
Simulation | Multicast Source Networks | 193.29.93.128/29 and 193.29.93.136/29 | 193.29.93.144/29 and 193.29.93.152/29
Xetra International Market Enhanced Broadcast Solution/CEF® ultra+ Xetra
Environment | Description | Service A | Service B
Production | Multicast Groups | 224.0.46.240 - 224.0.46.255 | 224.0.47.240 - 224.0.47.255
Production | Multicast Source Networks | 193.29.93.0/27 and 193.29.93.32/27 | 193.29.93.64/27 and 193.29.93.96/27
Simulation | Multicast Groups | 224.0.48.208 - 224.0.48.215 | 224.0.49.208 - 224.0.49.215
Simulation | Multicast Source Networks | 193.29.93.128/29 and 193.29.93.136/29 | 193.29.93.144/29 and 193.29.93.152/29
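An added example, not part of the guide, that turns the production group ranges and multicast source networks of section 6.7.3 into a check a member can run over captured traffic (a datagram whose source is not a documented sender of its service points at a misconfiguration), and that applies the section 6.7.1 recommendation to locally chosen MISS groups. Only the Eurex and Xetra Frankfurt production rows are embedded; the capture records are constructed, and since the guide says the addresses may change, the ranges must be refreshed from the reference information stream before real use.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
GroupRange = Tuple[IPv4, IPv4]


def _rng(first: str, last: str) -> GroupRange:
    return (IPv4(first), IPv4(last))


# (platform, environment) -> service -> (group range, documented source networks).
# Transcribed from the section 6.7.3 production tables for the demonstration.
FEEDS: Dict[Tuple[str, str], Dict[str, Tuple[GroupRange, List[str]]]] = {
    ("Eurex", "Production"): {
        "A": (_rng("224.0.29.0", "224.0.29.255"), ["193.29.95.0/27", "193.29.95.32/27"]),
        "B": (_rng("224.0.30.0", "224.0.30.255"), ["193.29.95.64/27", "193.29.95.96/27"]),
    },
    ("Xetra Frankfurt", "Production"): {
        "A": (_rng("224.0.46.0", "224.0.46.79"), ["193.29.93.0/27", "193.29.93.32/27"]),
        "B": (_rng("224.0.47.0", "224.0.47.79"), ["193.29.93.64/27", "193.29.93.96/27"]),
    },
}

# Section 6.7.1: recommended local scope for multicast groups on MISSes.
MISS_SCOPE = ipaddress.ip_network("239.0.0.0/10")


def _in_range(addr: IPv4, rng: GroupRange) -> bool:
    return rng[0] <= addr <= rng[1]


def classify_datagram(platform: str, environment: str,
                      group: str, source: str) -> Dict[str, object]:
    """Map a destination group to service A or B and check that the source
    address belongs to one of the source networks documented for that service."""
    g, s = IPv4(group), IPv4(source)
    for service, (rng, nets) in FEEDS[(platform, environment)].items():
        if _in_range(g, rng):
            source_ok = any(s in ipaddress.ip_network(n) for n in nets)
            return {"service": service, "source_ok": source_ok}
    return {"service": None, "source_ok": False}    # not an Exchange group we know


def audit_capture(platform: str, environment: str,
                  records: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (group, source) records whose sender is not a documented source."""
    return [(g, s) for g, s in records
            if not classify_datagram(platform, environment, g, s)["source_ok"]]


def miss_group_ok(group: str) -> bool:
    """True if a locally chosen MISS group lies in 239.0.0.0/10 and does not
    collide with any Exchange feed group range."""
    g = IPv4(group)
    if g not in MISS_SCOPE:
        return False
    return not any(_in_range(g, rng)
                   for feed in FEEDS.values() for rng, _ in feed.values())


# Constructed capture records (group, source) for Xetra Frankfurt production.
SAMPLE_CAPTURE = [
    ("224.0.46.10", "193.29.93.5"),     # service A group from a service A source: fine
    ("224.0.46.10", "193.29.93.70"),    # service A group but a service B source: flag
    ("224.0.47.3", "193.29.93.100"),    # service B group from a service B source: fine
    ("224.0.46.20", "10.1.2.3"),        # not an Exchange source network at all: flag
]

if __name__ == "__main__":
    for rec in audit_capture("Xetra Frankfurt", "Production", SAMPLE_CAPTURE):
        print("unexpected source:", rec)
    print("239.1.1.1 usable on a MISS:", miss_group_ok("239.1.1.1"))
```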
6.7.4 Rendezvous Points Enhanced Broadcast Solution and CEF® ultra+
Due to the use of PIM Sparse Mode and “Any Source Multicast” a rendezvous point for each multicast stream is required. The rendezvous points for the Enhanced Broadcast Solution and CEF® ultra+ are as follows:
Platform | Service A | Service B
Eurex and CEF® ultra+ Eurex | 193.29.95.252/32 | 193.29.95.253/32
Xetra Frankfurt, Xetra International Market, Irish SE, CEF® ultra+ Xetra and CEF® ultra+ Irish Stock Exchange | 193.29.93.252/32 | 193.29.93.253/32
7. Network Hardware
The Exchange-operated network is built on a homogeneous supplier platform using equipment from Cisco Systems. Network security, high availability and the uniform routing protocol were the essential criteria for choosing this hardware platform. Therefore, only Cisco routers running the IOS operating system are supported. Depending on the connection type and market/service it is recommended to use certain Cisco equipment such as the ASR 1000 or the 7600/6500 series. Other supported routers are: Cisco 1700, 1800, 2600, 2800, 3600, 3700, 3800 and 7200 series. All routers connecting to the Exchange via a VPN Internet connection (iAccess) or to an Enhanced Transaction Solution interface via an encrypted connection must be equipped with VPN Hardware Encryption functionality. Cisco 1800, 2800 and 3800 series routers come with embedded security hardware acceleration, enabling VPN services with the appropriate Cisco IOS.
Please note: Cisco switches are not recommended with exception of the Cisco Catalyst 6500 series, Catalyst 4900M and 4948.
In order to allow the Exchange to monitor its leased lines, members are asked to permit ICMP echo requests coming from the Exchange to the member network interface via the Exchange leased line, and the ICMP echo replies to such requests.
7.1 Channelised E1 Member Connections
Channelised E1 leased lines ordered by the Exchange are presented with an RJ45 jack (balanced, 120 Ω impedance) and the pin layout 1,2; 4,5. If an RJ45 jack cannot be provided by the carrier, a BNC jack (unbalanced, 75 Ω impedance) is provided instead. In this case a BALUN may be necessary on the customer side to match the router interface impedance to the leased line impedance. Please refer to the table below. The Cisco E1 cards VWIC-1MFT-E1 and VWIC-1MFT-G703 are not supported because they are limited to only two channel groups.
Router Type | Supported Modules | Minimum IOS Version | E1 Router Cable, Leased Line Presentation RJ45 (balanced, 120 Ω) | E1 Router Cable, Leased Line Presentation BNC (unbalanced, 75 Ω)
2600 (not available from Cisco) | NM-1CE1B (1 Port), NM-2CE1B (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | CAB-E1-PRI | CAB-E1-BNC and appropriate BALUN
2600 (not available from Cisco) | NM-1CE1U (1 Port), NM-2CE1U (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | CAB-E1-BNC and appropriate BALUN | CAB-E1-BNC
2600XM (not available from Cisco) | NM-1CE1B (1 Port), NM-2CE1B (2 Ports) | 12.1(14) or 12.2(12) | CAB-E1-PRI (see Note 1) | CAB-E1-BNC and appropriate BALUN
2600XM (not available from Cisco) | NM-1CE1U (1 Port), NM-2CE1U (2 Ports) | 12.1(14) or 12.2(12) | CAB-E1-BNC and appropriate BALUN | CAB-E1-BNC
2600XM (not available from Cisco) | NM-1CE1T1-PRI (1 Port), NM-2CE1T1-PRI (2 Ports) | 12.3(1) | any RJ45 to RJ45 straight-through, shielded twisted pair cable | CAB-E1-RJ45BNC
2811/2821/2851 | NM-1CE1T1-PRI (1 Port), NM-2CE1T1-PRI (2 Ports) | 12.3(8)T | any RJ45 to RJ45 straight-through, shielded twisted pair cable | CAB-E1-RJ45BNC
2811/2821/2851 | HWIC-1CE1T1-PRI, HWIC-2CE1T1-PRI | 12.4(20)T | any RJ45 to RJ45 straight-through, shielded twisted pair cable | CAB-E1-RJ45BNC
3600 (not available from Cisco) | NM-1CE1B (1 Port), NM-2CE1B (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | CAB-E1-PRI (see Note 1) | CAB-E1-BNC and appropriate BALUN
3600 (not available from Cisco) | NM-1CE1U (1 Port), NM-2CE1U (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | CAB-E1-BNC and appropriate BALUN | CAB-E1-BNC
3600 (not available from Cisco) | NM-1FE1CE1B (1 Port), NM-1FE2CE1B (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | CAB-E1-PRI (see Note 1) | CAB-E1-BNC and appropriate BALUN
3600 (not available from Cisco) | NM-1FE1CE1U (1 Port), NM-1FE2CE1U (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | CAB-E1-BNC and appropriate BALUN | CAB-E1-BNC
3725/3745 (not available from Cisco) | NM-1CE1B (1 Port), NM-2CE1B (2 Ports) | 12.2(8)T or 12.3(2)T | CAB-E1-PRI (see Note 1) | CAB-E1-BNC and appropriate BALUN
3725/3745 (not available from Cisco) | NM-1CE1U (1 Port), NM-2CE1U (2 Ports) | 12.2(8)T or 12.3(2)T | CAB-E1-BNC and appropriate BALUN | CAB-E1-BNC
3725/3745 (not available from Cisco) | NM-1CE1T1-PRI (1 Port), NM-2CE1T1-PRI (2 Ports) | 12.3(1) | any RJ45 to RJ45 straight-through, shielded twisted pair cable | CAB-E1-RJ45BNC
3825/3845 | NM-1CE1T1-PRI (1 Port), NM-2CE1T1-PRI (2 Ports) | 12.3(11)T | any RJ45 to RJ45 straight-through, shielded twisted pair cable | CAB-E1-RJ45BNC
3825/3845 | HWIC-1CE1T1-PRI, HWIC-2CE1T1-PRI | 12.4(20)T | any RJ45 to RJ45 straight-through, shielded twisted pair cable | CAB-E1-RJ45BNC
General information:
1. Since May 2004 the NM-1CE1B/NM-1CE1U and NM-2CE1B/NM-2CE1U cards are no longer available from Cisco. Since January 2009 the cards NM-1CE1T1-PRI and NM-2CE1T1-PRI have been replaced by the cards HWIC-1CE1T1-PRI and HWIC-2CE1T1-PRI.
2. The NM-1CE1T1-PRI and the HWIC-1CE1T1-PRI card will not appear in the list of interfaces of a router until it is configured with the 'card type' command, entered in global configuration mode, for example:
   Router(config)# card type e1 1
   where 1 is the slot number in the router. The NM-1CE1T1-PRI card is set to 120 Ω impedance by default but can be adjusted to 75 Ω impedance.
3. The router RAM configuration depends on the hardware type, model and IOS version. Therefore a general guideline cannot be given here. Please consult your Cisco hardware provider for the required amount and type.
7.2 Channelised T1 Member Connections
Channelised T1 network connections ordered by the Exchange are presented with an RJ48 (RJ45) jack, pin layout 1,2; 4,5. The T1 cards VWIC-1MFT-T1 and VWIC-2MFT-T1 are not supported because they are limited to only two channel groups.
Router Type | Supported T1 Card | Minimum IOS Version | T1 Router Cable
2600 (not available from Cisco) | NM-1CT1-CSU (1 Port), NM-2CT1-CSU (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | any standard RJ48 T1 cable
2600XM (not available from Cisco) | NM-1CT1-CSU (1 Port), NM-2CT1-CSU (2 Ports) | 12.1(14) or 12.2(12) | any standard RJ48 T1 cable
2600XM (not available from Cisco) | NM-1CE1T1-PRI (1 Port), NM-2CE1T1-PRI (2 Ports) | 12.3(1) | any standard RJ48 T1 cable
2811/2821/2851 | NM-1CE1T1-PRI (1 Port), NM-2CE1T1-PRI (2 Ports) | 12.3(8)T | any standard RJ48 T1 cable
2811/2821/2851 | HWIC-1CE1T1-PRI, HWIC-2CE1T1-PRI | 12.4(20)T | any standard RJ48 T1 cable
3600 (not available from Cisco) | NM-1CT1-CSU (1 Port), NM-2CT1-CSU (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | any standard RJ48 T1 cable
3725/3745 (not available from Cisco) | NM-1CT1-CSU (1 Port), NM-2CT1-CSU (2 Ports) | 12.2(8)T1 or 12.3(2)T | any standard RJ48 T1 cable
3725/3745 (not available from Cisco) | NM-1CE1T1-PRI (1 Port), NM-2CE1T1-PRI (2 Ports) | 12.3(1) | any standard RJ48 T1 cable
3825/3845 | NM-1CE1T1-PRI (1 Port), NM-2CE1T1-PRI (2 Ports) | 12.3(11)T | any standard RJ48 T1 cable
3825/3845 | HWIC-1CE1T1-PRI, HWIC-2CE1T1-PRI | 12.4(20)T | any standard RJ48 T1 cable
General Information:
1. Since May 2004 the NM-1CE1B/NM-1CE1U and NM-2CE1B/NM-2CE1U cards are no longer available from Cisco. Since January 2009 the cards NM-1CE1T1-PRI and NM-2CE1T1-PRI have been replaced by the cards HWIC-1CE1T1-PRI and HWIC-2CE1T1-PRI.
2. The NM-1CE1T1-PRI and the HWIC-1CE1T1-PRI card will not appear in the list of interfaces of a router until it is configured with the 'card type' command, entered in global configuration mode, for example:
   Router(config)# card type t1 1
   where 1 is the slot number in the router. The NM-1CE1T1-PRI card is set to 120 Ω impedance by default but can be adjusted to 75 Ω impedance.
3. The RAM configuration of the router depends on the type, model and IOS version. Therefore a general guideline cannot be given here. Please consult your Cisco hardware provider for the required amount and type.
7.3 Non-channelised E1 Member Connections
Non-channelised E1 network connections ordered by the Exchange are presented with an RJ45 jack (balanced, 120 Ω impedance) and the pin layout 1,2; 4,5. If an RJ45 jack cannot be provided by the carrier, a BNC jack (unbalanced, 75 Ω impedance) is provided instead. In this case a BALUN may be necessary on the customer side to match the router interface impedance to the leased line impedance. Please refer to the table below.
The Cisco E1 cards VWIC-1MFT-E1 and VWIC-2MFT-E1 are not supported because they do not support clear channel E1s.
Router Type | Supported Modules | Minimum IOS Version | E1 Router Cable, Leased Line Presentation RJ45 (balanced, 120 Ω) | E1 Router Cable, Leased Line Presentation BNC (unbalanced, 75 Ω)
1721, 1751, 1760, 2600XM, 2691, 2800, 3700, 3800 | VWIC2-1MFT-G.703, VWIC2-2MFT-G.703 | 12.3(14)T | any RJ45 to RJ45 straight-through, shielded twisted pair cable | CAB-E1-RJ45BNC
2600, 3620, 3640, 3660 | VWIC-1MFT-G.703, VWIC-2MFT-G.703 | 12.1(1)T | any RJ45 to RJ45 straight-through, shielded twisted pair cable | CAB-E1-RJ45BNC
2600XM, 2691, 3700 | VWIC-1MFT-G.703, VWIC-2MFT-G.703 | 12.2(8)T | any RJ45 to RJ45 straight-through, shielded twisted pair cable | CAB-E1-RJ45BNC
2600XM | VWIC-1MFT-G.703, NM-1CE1T1-PRI or resp. 2-port version | 12.2(8)T | any RJ45 to RJ45 straight-through, shielded twisted pair cable | CAB-E1-RJ45BNC
2800 | VWIC-1MFT-G.703, NM-1CE1T1-PRI, HWIC-1CE1T1-PRI or resp. 2-port version | 12.3(8)T4, 12.4(20)T | any RJ45 to RJ45 straight-through, shielded twisted pair cable | CAB-E1-RJ45BNC
3800 | VWIC-1MFT-G.703, NM-1CE1T1-PRI, HWIC-1CE1T1-PRI or resp. 2-port version | 12.3(11)T, 12.4(20)T | any RJ45 to RJ45 straight-through, shielded twisted pair cable | CAB-E1-RJ45BNC
7.4 Ethernet Connections with Multicast (MC) + Encrypted TCP-IP Traffic
Deutsche Börse recommends using Cisco equipment of the ASR 1000, 7600 or 6500 series for Ethernet connections carrying Enhanced Broadcast Solution (multicast) and encrypted Enhanced Transaction Solution (TCP/IP) traffic.
Routers of the Cisco 3800 and 7200 series can be used for connections with up to 60 Mbit/s multicast traffic and 10 Mbit/s encrypted Enhanced Transaction Solution traffic, which meets the current minimum requirement for such a constellation. In view of the rapidly increasing bandwidth requirements of market feeds, however, Deutsche Börse recommends the more powerful ASR 1000, 7600 or 6500 series.
Later IOS versions than those mentioned in the tables of this section 7.4 should also work but have not been verified. As of this document's release date, the two leased lines of a consolidated Eurex/Xetra connection can be connected to the Cisco ASR 1000, Catalyst 6500 and 7600 series.
Additional information on the recommended Cisco hardware for Ethernet connections with multicast and encrypted TCP/IP traffic:
Cisco 7200 series: Only the onboard Gigabit Ethernet ports (NPE-G2) have been tested; the "old" PA-GE card is not recommended.
Cisco ASR 1000 series: If encrypted Enhanced Transaction Solution connections are terminated on a Cisco ASR 1000 series router, the encryption right-to-use feature licence for the ASR 1000 series is required. The ASR 1002 comes with 4 onboard 1 Gbit/s ports. The ASR 1004 and 1006 require Ethernet ports such as the Cisco 5-port Gigabit Ethernet shared port adapter. In any case the respective SFP modules are required.
Cisco Catalyst 6500 series: If encrypted Enhanced Transaction Solution connections are terminated on a Cisco Catalyst 6500, crypto and bearer cards (7600-SSC-400 and SPA-IPSEC-2G) as well as an IOS Advanced IP Services image are required. The additional cards require a Supervisor Engine 720. Note: Bandwidth shaping of Enhanced Transaction Solution Simulation traffic is not possible on the Catalyst 6500. RTR must be used instead of IP SLA for the IPsec tunnel keepalive. ISAKMP keepalive in periodic mode is not supported on IOS version 12.2(18)SXF; this feature is supported from IOS 12.2(33)SXH onwards.
Cisco 7600 series: If encrypted Enhanced Transaction Solution connections are terminated on a Cisco 7600, crypto and bearer cards (7600-SSC-400 and SPA-IPSEC-2G) as well as an IOS Advanced IP Services image are required. The additional cards require a Supervisor Engine 720.
Cisco SFPs with DOM (Digital Optical Monitoring)
If dark fibre is delivered and your equipment can read the optical power using SFPs with DOM (Digital Optical Monitoring), it can be verified whether the optical power is within the module specification. This helps to select an appropriate attenuator if one is needed (SFPs with DOM: e.g. SFP-GE-L or SFP-GE-Z; SFPs without DOM: e.g. GLC-LH-SM or GLC-ZX-SM).
Please see the following example, in which the receive power in the last line (here: -2.1 dBm) exceeds the high alarm threshold of -3.0 dBm and is therefore not within the specification; IOS marks such a value with "++".
Command: show interface transceiver
Example Output:
           Optical   High Alarm  High Warn  Low Warn   Low Alarm
           Transmit  Threshold   Threshold  Threshold  Threshold
           Power
Port       (dBm)     (dBm)       (dBm)      (dBm)      (dBm)
-------    --------  ----------  ---------  ---------  ---------
Gi1/1      -5.7      -2.5        -3.0       -9.5       -10.0

           Optical   High Alarm  High Warn  Low Warn   Low Alarm
           Receive   Threshold   Threshold  Threshold  Threshold
           Power
Port       (dBm)     (dBm)       (dBm)      (dBm)      (dBm)
-------    --------  ----------  ---------  ---------  ---------
Gi1/1      -2.1  ++  -3.0        -3.0       -19.0      -19.5     <=
mA: milliamperes, dBm: decibels (milliwatts), NA or N/A: not applicable.
++ : high alarm, + : high warning, - : low warning, -- : low alarm.
A2D readouts (if they differ) are reported in parentheses.
The threshold values are calibrated.
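The check described above can be automated: each reading is compared with the four calibrated thresholds that the module reports in the same output, so the verdict does not depend on a hard-coded specification. The following script is an added example for this guide and not Cisco or Deutsche Börse code. Its SAMPLE_OUTPUT reproduces the Gi1/1 example above and adds a constructed row (Gi1/2) with an in-range receiver; the 1 dB safety margin used when sizing an attenuator is an assumption.

```python
"""Flag out-of-specification optical power in 'show interface transceiver'
output. Added example, not Cisco or Deutsche Börse code. SAMPLE_OUTPUT
reproduces the guide's Gi1/1 rows plus one constructed row (Gi1/2)."""
import math
import re
from dataclasses import dataclass
from typing import List

SAMPLE_OUTPUT = """\
           Optical   High Alarm  High Warn  Low Warn   Low Alarm
           Transmit  Threshold   Threshold  Threshold  Threshold
Port       (dBm)     (dBm)       (dBm)      (dBm)      (dBm)
-------    --------  ----------  ---------  ---------  ---------
Gi1/1      -5.7      -2.5        -3.0       -9.5       -10.0
Gi1/2      -5.9      -2.5        -3.0       -9.5       -10.0

           Optical   High Alarm  High Warn  Low Warn   Low Alarm
           Receive   Threshold   Threshold  Threshold  Threshold
Port       (dBm)     (dBm)       (dBm)      (dBm)      (dBm)
-------    --------  ----------  ---------  ---------  ---------
Gi1/1      -2.1  ++  -3.0        -3.0       -19.0      -19.5
Gi1/2      -7.4      -3.0        -3.0       -19.0      -19.5
"""

FLAGS = ("++", "+", "--", "-")   # markers IOS prints next to a reading


@dataclass
class Reading:
    port: str
    direction: str          # "tx" (transmit) or "rx" (receive)
    dbm: float
    high_alarm: float
    high_warn: float
    low_warn: float
    low_alarm: float
    printed_flag: str       # marker found in the output, "" if none

    @property
    def flag(self) -> str:
        """Recompute the marker from the module's calibrated thresholds."""
        if self.dbm > self.high_alarm:
            return "++"
        if self.dbm > self.high_warn:
            return "+"
        if self.dbm < self.low_alarm:
            return "--"
        if self.dbm < self.low_warn:
            return "-"
        return ""

    @property
    def out_of_spec(self) -> bool:
        # An alarm (not a mere warning) means the module is outside its specification.
        return self.flag in ("++", "--")


def parse_transceiver(text: str) -> List[Reading]:
    readings: List[Reading] = []
    direction = None
    for line in text.splitlines():
        # The header block says whether the rows below are TX or RX power.
        if re.search(r"\bTransmit\b", line):
            direction = "tx"
            continue
        if re.search(r"\bReceive\b", line):
            direction = "rx"
            continue
        tokens = line.split()
        if direction is None or len(tokens) < 6:
            continue
        try:
            value = float(tokens[1])
            printed_flag, rest = "", tokens[2:]
            if rest[0] in FLAGS:
                printed_flag, rest = rest[0], rest[1:]
            thresholds = [float(t) for t in rest[:4]]
        except ValueError:
            continue            # column header, separator or legend line
        if len(thresholds) < 4:
            continue
        readings.append(Reading(tokens[0], direction, value, *thresholds, printed_flag))
    return readings


def attenuation_needed_db(reading: Reading, margin_db: float = 1.0) -> int:
    """Whole dB of fixed attenuation that brings a too-hot receiver below its
    high-warning threshold with margin_db (assumed 1 dB) to spare; pick the
    next available attenuator value at or above this number."""
    if reading.direction != "rx" or reading.dbm <= reading.high_warn:
        return 0
    return math.ceil(reading.dbm - reading.high_warn + margin_db)


def report(text: str) -> List[str]:
    """One line per reading: port, direction, value and verdict."""
    lines = []
    for r in parse_transceiver(text):
        verdict = "OUT OF SPEC" if r.out_of_spec else ("warning" if r.flag else "ok")
        pad = attenuation_needed_db(r)
        if pad:
            verdict += f", add >= {pad} dB attenuation"
        lines.append(f"{r.port} {r.direction} {r.dbm:+.1f} dBm: {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT)))
```

The recomputed flag is kept separately from the one IOS printed, so a mismatch between the two would point at a parsing problem rather than at the fibre.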
7.4.1 Lines with up to 60 Mbit/s MC + 10 Mbit/s encrypted TCP-IP traffic
Device Type | Modules Required for Encryption | Tested IOS Versions
3825/3845 | embedded security hardware | 12.4(16b)
7206VXR | NPE-G2 with SA-VAM2+ | 12.4(16b)
ASR 1002, 1004, 1006 | embedded security hardware | 12.2(33)XNA1
Catalyst 6500 | Supervisor Engine 720 with 7600-SSC-400 and SPA-IPSEC-2G | 12.2(18)SXF13, 12.2(33)SXH3
7600 | Supervisor Engine 720 with 7600-SSC-400 and SPA-IPSEC-2G | 12.2(33)SRC
Note: For latency optimisation in proximity locations it is not recommended to use any HWIC module to pass through multicast while encryption is enabled on the respective interface.
7.4.2 Lines with more than 60 Mbit/s MC + 20 Mbit/s encrypted TCP-IP traffic
Device Type | Modules Required for Encryption | Tested IOS Versions
7206VXR* | NPE-G2 with SA-VAM2+ | 12.4(16b)
ASR 1002, 1004, 1006 | embedded security hardware | 12.2(33)XNA1
Catalyst 6500 | Supervisor Engine 720 with 7600-SSC-400 and SPA-IPSEC-2G | 12.2(18)SXF13, 12.2(33)SXH3
7600 | Supervisor Engine 720 with 7600-SSC-400 and SPA-IPSEC-2G | 12.2(33)SRC
* The 7200 series is not recommended for Ethernet connections with more than 80 Mbit/s multicast and 20 Mbit/s encrypted Enhanced Transaction Solution TCP/IP traffic.
Note: For latency optimisation in proximity locations it is not recommended to use any HWIC module to pass through multicast while encryption is enabled on the respective interface.
7.5 Ethernet Connections with Multicast (MC) + Non-Encrypted TCP-IP Traffic
Within proximity locations the Enhanced Transaction Solution encryption can be switched off on request. Routers of the Cisco 3800 and 7200 series can be used for connections with up to 80 Mbit/s multicast traffic and e.g. 20 Mbit/s non-encrypted Enhanced Transaction Solution traffic, which meets the current minimum requirement for such a constellation. In view of the rapidly increasing bandwidth requirements of market feeds, however, Deutsche Börse recommends the more powerful ASR 1000, 7600 or Catalyst 6500 series, 4948 or 4900M. Later IOS versions than those mentioned in the tables of this section should also work but have not been verified. As of this document's release date, the two leased lines of a consolidated Eurex/Xetra connection can be connected to the Cisco ASR 1000, 7600, Catalyst 6500 series, 4948 and 4900M.
7.5.1 Lines with up to 80 Mbit/s MC + 20 Mbit/s Non-Encrypted TCP-IP Traffic
Device Type | Tested IOS Versions
3825 or 3845 | 12.4(16b)
7206VXR | 12.4(16b)
ASR 1002, 1004 or 1006 | 12.2(33)XNA1
4948 | 12.2(46)SG
4900M | 12.2(46)SG
Catalyst 6500 | 12.2(18)SXF13, 12.2(33)SXH3
7600 | 12.2(33)SRC
7.5.2 Lines with more than 80 Mbit/s MC + 20 Mbit/s Non-Encrypted TCP-IP Traffic
Device Type | Tested IOS Versions
7206VXR* | 12.4(16b)
ASR 1002, 1004 or 1006 | 12.2(33)XNA1
4948 | 12.2(46)SG
4900M | 12.2(46)SG
Catalyst 6500 | 12.2(18)SXF13, 12.2(33)SXH3
7600 | 12.2(33)SRC
* The 7200 series is not recommended for Ethernet connections with more than 150 Mbit/s multicast and 40 Mbit/s non-encrypted Enhanced Transaction Solution TCP/IP traffic.
7.6 Ethernet Connections with Non-Encrypted TCP-IP Traffic
Router Type | 1 Gigabit Ports On-board and Additional Modules | Copper Connectivity | Fibre Connectivity (SFP Part Number) | Minimum IOS Version
2811 | HWIC-1GE-SFP (1 Port) | GLC-T= | GLC-LH-SM (up to 10 km), GLC-ZX-SM (up to 70-100 km) | 12.3(8)T
2821/2851 | 2 ports on-board | on-board | on-board ports not adaptable to fibre | 12.3(8)T
2821/2851 | HWIC-1GE-SFP (1 Port) | GLC-T= | GLC-LH-SM (up to 10 km), GLC-ZX-SM (up to 70-100 km) | 12.3(8)T
3725/3745 | NM-1GE (1 Port) | WS-G5483 | WS-G5486 (up to 10 km), WS-G5487 (up to 70-100 km) | 12.3(2)T
3825/3845 | 2 ports on-board | on-board | Port 0 can be adapted to fibre: GLC-LH-SM (up to 10 km), GLC-ZX-SM (up to 70-100 km) | 12.3(11)T
3825/3845 | HWIC-1GE-SFP (1 Port) | GLC-T= | GLC-LH-SM (up to 10 km), GLC-ZX-SM (up to 70-100 km) | 12.3(11)T
3825/3845 | NM-1GE (1 Port) | WS-G5483 | WS-G5486 (up to 10 km), WS-G5487 (up to 70-100 km) | 12.3(11)T
ASR 1002 | 4 ports on-board | SFP-GE-T | SFP-GE-L (up to 10 km), SFP-GE-Z (up to 70-100 km) | 12.2(33)XNA1
ASR 1002 | SPA-5X1GE-V2 (e.g. 5 ports) | SFP-GE-T | SFP-GE-L (up to 10 km), SFP-GE-Z (up to 70-100 km) | 12.2(33)XNA1
Note: The single-port Cisco HWIC provides Gigabit Ethernet connectivity but will not support line rate, since the throughput is limited by the router platform.
7.7 X.21 and V.35 Non-channelised Member Network Connection
The following table shows the supported Cisco router types, WAN modules, IOS versions and connection cables for non-channelised member network connections presented with X.21 (Europe) or V.35 (U.S.A.) standard.
Router Type | Supported Module | Minimum IOS Version | Router Cable Europe (X.21) | Router Cable U.S.A. (V.35)
1700 (not available from Cisco) | WIC-1T (1 Port), WIC-2T (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | CAB-X21MT, CAB-SS-X21MT | CAB-V35MT, CAB-SS-V35MT
2600 (not available from Cisco) | WIC-1T (1 Port), WIC-2T (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | CAB-X21MT, CAB-SS-X21MT | CAB-V35MT, CAB-SS-V35MT
2600XM (not available from Cisco) | WIC-1T (1 Port), WIC-2T (2 Ports) | 12.1(14) or 12.2(12) | CAB-X21MT, CAB-SS-X21MT | CAB-V35MT, CAB-SS-V35MT
2811/2821/2851 | WIC-1T (1 Port), WIC-2T (2 Ports) | 12.3(8)T1 | CAB-X21MT, CAB-SS-X21MT | CAB-V35MT, CAB-SS-V35MT
3600 (not available from Cisco) | WIC-1T (1 Port), WIC-2T (2 Ports) | 12.0(1), 12.1(1) or 12.2(1) | CAB-X21MT, CAB-SS-X21MT | CAB-V35MT, CAB-SS-V35MT
3725/3745 (not available from Cisco) | WIC-1T (1 Port), WIC-2T (2 Ports) | 12.2(8)T, 12.3(2)T or 12.3(1) | CAB-X21MT, CAB-SS-X21MT | CAB-V35MT, CAB-SS-V35MT
3825/3845 | WIC-1T (1 Port), WIC-2T (2 Ports) | 12.3(11)T | CAB-X21MT, CAB-SS-X21MT | CAB-V35MT, CAB-SS-V35MT
7.8 VPN Encryption Modules for VPN Internet Connections (iAccess)
Routers connecting via a VPN Internet connection (iAccess) to the Exchange trading applications Eurex and Xetra must be equipped with VPN hardware encryption functionality. Routers of the Cisco 1800, 2800 and 3800 series are delivered with embedded security hardware acceleration enabling VPN services with the appropriate Cisco IOS. Hence an AIM module does not necessarily have to be installed in Cisco 2800 and 3800 series routers; whether one is needed depends on the bandwidth required.
The following table shows the Cisco router models and supported VPN hardware modules.
Supported Routers (columns): 1700 Series | 1800 Series | 2610, 2611 | 2620, 2621 | 2650, 2651 | 2600XM Series, 2691 | 2800 Series | 3620, 3640, 3660, 3725, 3745 | 3825 | 3845
VPN Module | Supported router models (X)
On-Board | X X X X
MOD1700-VPN | X
AIM-VPN/BP | X X X X X
AIM-VPN/EP | X X X X
AIM-VPN/HP | X X
AIM-VPN/BPII | X
AIM-VPN/EPII | X X X
AIM-VPN/HPII | X X
AIM-VPN/MP | X
AIM-VPN/BPII-PLUS | X
AIM-VPN/EPII-PLUS | X X X X
AIM-VPN/HPII-PLUS | X X X X
General Information:
1. Use a Cisco IOS image with the 3DES feature set; IOS version 12.4(16b) or later is recommended. The electronic certificate issued by the exchange for the VPN Internet connection expires after 36 months and must be renewed in advance, in consultation with Customer Technical Support, so that the tunnel does not fail at expiry.
2. The RAM configuration of the router depends on the type, model and IOS version. Therefore, a general guideline cannot be given here. Please consult your Cisco hardware provider for the required amount and type.
8. Required Ports for Firewall Configurations
The tables in this section list the port numbers used for the respective network communication.
8.1 Ports used by MISS-based Front-End Setups
8.1.1 GATE - Ports
Ports used by GATE of the MISS-based Front-End architecture. For GATE, @@ has to be replaced by:
• 90 for production
• 91 for simulation
• 93 for advanced simulation
Port | Description | Direction | Protocol
1@@13 | Listen port of GATE (Watch Server) | bi-directional between GATE Watch Server and GATE Watch Client | TCP/IP
1@@22 | Listen port of GATE (Server) | bi-directional between GATE and mmg (Message Manager) | TCP/IP
1@@33 | Listen port of GATE (Server) | bi-directional between GATE Server and GATE Client | TCP/IP
1@@95 | Main broadcast port used by the GATE Server for broadcast dissemination, i.e. GATE Server ==> GATE Client | Multicast sender: GATE Server; multicast receiver: GATE Client | IP (UDP) Multicast
1@@96 | Broadcast retransmission requests, used by the GATE Client for sending retransmission requests. Attention: the "receiver" is the GATE Server as well as the GATE Client | Multicast sender: GATE Client; multicast receivers: GATE Client and GATE Server | IP (UDP) Multicast
1@@97 | Broadcast retransmission responses, used by the GATE Server for sending responses to broadcast retransmission requests, i.e. GATE Server ==> GATE Client | Multicast sender: GATE Server; multicast receiver: GATE Client | IP (UDP) Multicast
8.1.2 VALUES - Ports
The variables @@ of the ports shall be replaced by the respective numbers as shown in the table below.
Market Environment | @@ for CCP | @@ for Eurex | @@ for Eurex WBAG | @@ for Xetra WBAG | @@ for Xetra Frankfurt | @@ for Xetra Frankfurt 2 | @@ for Xetra Irish SE | @@ for Xetra International Market
Production | 20 | 00 | 10 | 68 | 51 | 61 | 55 | 57
Simulation | 21 | 01 | 11 | 69 | 52 | 62 | 52 | 52
Advanced Simulation | n.a. | 03 | n.a. | n.a. | 53 | n.a. | n.a. | n.a.
Ports used by the platforms of the MISS-based Front-End architecture. Between the Communication Server and the MISS the ports for an active FTP connection are used (control connection to TCP port 21 on the server; the data connection is opened by the server from TCP port 20 back to the client), so a firewall between the two must also allow the server-initiated data connection.
Port | Description | Platform | Protocol
1@@03 | Listen port on CS (File Server) | Eurex, CCP, Xetra | TCP/IP
1@@05 | Listen port on CS | Eurex, CCP, Xetra | TCP/IP
1@@06 | Listen port on CS | Eurex, CCP, Xetra | TCP/IP
1@@07 | Listen port on BESS | Eurex, CCP, Xetra | TCP/IP
1@@10 | Listen port on BESS (Re-Transmitter) | Eurex | TCP/IP
1@@11 | Listen port on BESS (Data Server) | Eurex, Xetra | TCP/IP
1@@50 | Listen port on BESS (Application Server) | Eurex, Xetra | TCP/IP
1@@52 | Listen port on BESS (Application Manager) | CCP | TCP/IP
1@@57 | Listen port on BESS (Re-Transmitter) | Xetra | TCP/IP
1@@58 | Listen port on BESS (Broadcast Server) | Eurex | TCP/IP
1@@80 | Listen port of XPERT | CCP | http or https
8.2 Enhanced Risk Solution – Ports
Ports used by the Enhanced Risk Solution architecture.
Market Environment | Enhanced Risk Solution
Production | 18080
Simulation | 18181
8.3 Enhanced Broadcast Solution / CEF® ultra+ - Ports
The variables @@ of the ports shall be replaced by the respective numbers as shown in the table below.
Market Environment | @@ for Eurex | @@ for Xetra Frankfurt | @@ for Xetra Irish SE | @@ for Xetra International Market
Production | 00 | 51 | 55 | 57
Simulation | 01 | 52 | 52 | 52
Advanced Simulation | 03 | 53 | n.a. | n.a.
Ports used by the platforms for the Enhanced Broadcast Solution architecture.
Port | Destination | Direction | Protocol
5@@00 to 5@@99 | Destination ports, production (propagated by the reference data stream) | uni-directional | IP (UDP) Multicast
5@@00 to 5@@99 | Destination ports, simulation (propagated by the reference data stream) | uni-directional | IP (UDP) Multicast
5@@00 to 5@@99 | Destination ports, advanced simulation (propagated by the reference data stream) | uni-directional | IP (UDP) Multicast
5@@99 | Reference data stream, production | uni-directional | IP (UDP) Multicast
5@@99 | Reference data stream, simulation | uni-directional | IP (UDP) Multicast
5@@99 | Reference data stream, advanced simulation | uni-directional | IP (UDP) Multicast
8.4 Enhanced Transaction Solution - Ports
The variables @@ of the ports shall be replaced by the respective numbers as shown in the table below.
Market Environment | @@ for Eurex | @@ for Xetra Frankfurt | @@ for Xetra Irish SE | @@ for Xetra International Market
Production | 00 | 51 | 55 | 57
Simulation | 01 | 52 | 52 | 52
Advanced Simulation | 03 | 53 | n.a. | n.a.
Ports used by the platforms for the Enhanced Transaction Solution architecture.
Port | Description | Direction | Protocol
1@@45 | Destination port, production | uni-directional | TCP/IP
1@@45 | Destination port, simulation | uni-directional | TCP/IP
1@@45 | Destination port, advanced simulation | uni-directional | TCP/IP
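The @@ substitution in sections 8.1.1, 8.1.2, 8.3 and 8.4 is mechanical but easy to get wrong by hand, in particular because the VALUES codes and the Enhanced Broadcast/Transaction Solution codes differ for the same market and some platform ports do not apply to every market. The script below is an added example for this guide, not Deutsche Börse code: it carries the code tables and port templates from the tables above and derives the firewall allow-list for one market and environment. The mapping of markets to the VALUES platform column (CCP, Eurex*, Xetra*) is an assumption drawn from the platform names in that table.

```python
"""Expand the '@@' port templates of sections 8.1 to 8.4 into concrete
firewall rules. Added example, not Deutsche Börse code; the tables below are
copied from this section, the market -> platform mapping is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# 8.1.1: GATE codes depend on the environment only.
GATE_CODES = {"production": "90", "simulation": "91", "advanced simulation": "93"}

# 8.1.2: VALUES codes per market; environments marked n.a. in the guide are absent.
VALUES_CODES: Dict[str, Dict[str, str]] = {
    "CCP": {"production": "20", "simulation": "21"},
    "Eurex": {"production": "00", "simulation": "01", "advanced simulation": "03"},
    "Eurex WBAG": {"production": "10", "simulation": "11"},
    "Xetra WBAG": {"production": "68", "simulation": "69"},
    "Xetra Frankfurt": {"production": "51", "simulation": "52", "advanced simulation": "53"},
    "Xetra Frankfurt 2": {"production": "61", "simulation": "62"},
    "Xetra Irish SE": {"production": "55", "simulation": "52"},
    "Xetra International Market": {"production": "57", "simulation": "52"},
}

# 8.3 / 8.4: Enhanced Broadcast and Enhanced Transaction Solution share one code table.
EBS_ETS_CODES: Dict[str, Dict[str, str]] = {
    "Eurex": {"production": "00", "simulation": "01", "advanced simulation": "03"},
    "Xetra Frankfurt": {"production": "51", "simulation": "52", "advanced simulation": "53"},
    "Xetra Irish SE": {"production": "55", "simulation": "52"},
    "Xetra International Market": {"production": "57", "simulation": "52"},
}

GATE_PORTS = [  # (template, protocol, description)
    ("1@@13", "tcp", "GATE Watch Server"), ("1@@22", "tcp", "GATE Server <-> mmg"),
    ("1@@33", "tcp", "GATE Server <-> GATE Client"), ("1@@95", "udp", "main broadcast (multicast)"),
    ("1@@96", "udp", "broadcast retransmission requests (multicast)"),
    ("1@@97", "udp", "broadcast retransmission responses (multicast)"),
]
VALUES_PORTS = [  # (template, protocol, description, platforms listed in the guide)
    ("1@@03", "tcp", "CS file server", ("Eurex", "CCP", "Xetra")),
    ("1@@05", "tcp", "CS", ("Eurex", "CCP", "Xetra")),
    ("1@@06", "tcp", "CS", ("Eurex", "CCP", "Xetra")),
    ("1@@07", "tcp", "BESS", ("Eurex", "CCP", "Xetra")),
    ("1@@10", "tcp", "BESS re-transmitter", ("Eurex",)),
    ("1@@11", "tcp", "BESS data server", ("Eurex", "Xetra")),
    ("1@@50", "tcp", "BESS application server", ("Eurex", "Xetra")),
    ("1@@52", "tcp", "BESS application manager", ("CCP",)),
    ("1@@57", "tcp", "BESS re-transmitter", ("Xetra",)),
    ("1@@58", "tcp", "BESS broadcast server", ("Eurex",)),
    ("1@@80", "tcp", "XPERT (http or https)", ("CCP",)),
]
EBS_ETS_PORTS = [
    ("5@@00-5@@99", "udp", "EBS data streams (multicast, announced by reference data stream)"),
    ("5@@99", "udp", "EBS reference data stream (multicast)"),
    ("1@@45", "tcp", "ETS destination port"),
]


@dataclass(frozen=True)
class Rule:
    proto: str
    lo: int
    hi: int
    description: str


def expand(template: str, code: str) -> Tuple[int, int]:
    """'1@@45' + '51' -> (15145, 15145); '5@@00-5@@99' + '51' -> (55100, 55199)."""
    if not (len(code) == 2 and code.isdigit()):
        raise ValueError(f"environment code must be two digits, got {code!r}")
    lo, _, hi = template.replace("@@", code).partition("-")
    lo_p, hi_p = int(lo), int(hi or lo)
    if not 0 < lo_p <= hi_p <= 65535:
        raise ValueError(f"{template} with code {code} is not a valid port range")
    return lo_p, hi_p


def platform_of(market: str) -> str:
    """Assumed mapping to the platform column of the VALUES port table."""
    for prefix, platform in (("CCP", "CCP"), ("Eurex", "Eurex"), ("Xetra", "Xetra")):
        if market.startswith(prefix):
            return platform
    raise ValueError(f"unknown market {market!r}")


def rules_for(market: str, env: str) -> List[Rule]:
    """Every port a firewall must pass for one market/environment; raises for
    combinations the guide marks as n.a. instead of returning a partial list."""
    gate, values = GATE_CODES.get(env), VALUES_CODES.get(market, {}).get(env)
    if gate is None or values is None:
        raise ValueError(f"{env!r} is not available for {market!r}")
    rules = [Rule(proto, *expand(tpl, gate), f"GATE: {desc}") for tpl, proto, desc in GATE_PORTS]
    plat = platform_of(market)
    rules += [Rule(proto, *expand(tpl, values), f"VALUES: {desc}")
              for tpl, proto, desc, platforms in VALUES_PORTS if plat in platforms]
    code = EBS_ETS_CODES.get(market, {}).get(env)
    if code is not None:        # CCP and the WBAG markets have no EBS/ETS codes in the guide
        rules += [Rule(proto, *expand(tpl, code), desc) for tpl, proto, desc in EBS_ETS_PORTS]
    return rules


def render(rules: List[Rule]) -> List[str]:
    return [f"{r.proto:4} {r.lo}" + (f"-{r.hi}" if r.hi != r.lo else "") + f"  {r.description}"
            for r in rules]


if __name__ == "__main__":
    print("\n".join(render(rules_for("Eurex", "production"))))
```

Run it once per market/environment the member actually uses and compare the result with the firewall rule base; every port that is open but not produced by the tables is a candidate for removal.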
8.5 CEF® - Ports
For communication the following ports are used:
Port | Nagle on | Description | Direction | CEF®-Service | Protocol
51005 | Yes | Destination port | uni-directional | CEF® Core | TCP/IP
51004 | No | Destination port | uni-directional | CEF® Core | TCP/IP
51003 | Yes | Destination port | uni-directional | CEF® Core (Scoach) | TCP/IP
51002 | No | Destination port | uni-directional | CEF® Core (Scoach) | TCP/IP
Note: The Nagle algorithm holds back small data packets on a TCP connection so that they can be combined into a larger packet, lowering the overall network overhead at the cost of added latency per packet.
Port | Description | Direction | Platform | Protocol
50000 to 50099 | Destination ports, production (propagated by the reference data stream) | uni-directional | CEF® ultra+ Eurex | IP (UDP) Multicast
50100 to 50199 | Destination ports, simulation (propagated by the reference data stream) | uni-directional | CEF® ultra+ Eurex | IP (UDP) Multicast
50099 | Reference data stream, production | uni-directional | CEF® ultra+ Eurex | IP (UDP) Multicast
50199 | Reference data stream, simulation | uni-directional | CEF® ultra+ Eurex | IP (UDP) Multicast
55003 | Trade recovery functionality for CEF® ultra+ Eurex and CEF® ultra+ Xetra | uni-directional | CEF® ultra+ Eurex, CEF® ultra+ Xetra | TCP/IP
55100 to 55199 | Destination ports, production (propagated by the reference data stream) | uni-directional | CEF® ultra+ Xetra | IP (UDP) Multicast
55200 to 55299 | Destination ports, simulation (propagated by the reference data stream) | uni-directional | CEF® ultra+ Xetra | IP (UDP) Multicast
55300 to 55399 | Destination ports, advanced simulation (propagated by the reference data stream) | uni-directional | CEF® ultra+ Xetra | IP (UDP) Multicast
55199 | Reference data stream, production | uni-directional | CEF® ultra+ Xetra | IP (UDP) Multicast
55299 | Reference data stream, simulation | uni-directional | CEF® ultra+ Xetra | IP (UDP) Multicast
55399 | Reference data stream, advanced simulation | uni-directional | CEF® ultra+ Xetra | IP (UDP) Multicast
8.6 XQS - Ports
For communication the following ports are used:
Port | Description | Direction | XQS | Protocol
25500 to 25510 | Destination ports, production: issuer sends quotes to specialist via XQS; specialist sends quotes to CEF® via XQS | bi-directional | Specialist Model | TCP/IP
26000 to 26010 | Destination ports, simulation: issuer sends quotes to specialist via XQS; specialist sends quotes to CEF® via XQS | bi-directional | Specialist Model | TCP/IP
25550 to 25560 | Destination ports, production: issuer sends quotes to Xetra FFM2 via XQS | bi-directional | Issuer Model | TCP/IP
26050 to 26060 | Destination ports, simulation: issuer sends quotes to Xetra FFM2 via XQS | bi-directional | Issuer Model | TCP/IP
25600 to 25610 | Destination ports, production: specialist sends quotes to CEF® via XQS | bi-directional | Funds Model | TCP/IP
26100 to 26110 | Destination ports, simulation: specialist sends quotes to CEF® via XQS | bi-directional | Funds Model | TCP/IP
9. Sample Router Configurations
Please ensure the configuration is saved and copied to the start-up configuration otherwise the configuration will be lost when the router is restarted. Routers connecting to the exchange must be configured for EIGRP.
9.1 General Setup
The following router configuration is mandatory and it should be entered in the enable mode.
Router Command                          Comments
configure terminal                      Enter configuration mode
no service config                       Do not load the configuration via TFTP
no service finger                       Disable the IP finger service
service password-encryption             Do not show passwords in plain text in the configuration (this is a reversible type 7 encoding; the enable secret below is stored as a hash)
hostname RXXXXXX                        Router name as defined by the Exchange
enable secret "enable-password"         Freely chosen enable password
ip subnet-zero                          Allow the use of subnet zero
no ip classless                         Do not use the exchange as "default gateway"
interface Ethernet0/0                   The interface ID can differ on a given router, e.g. 0/1
description "free text"                 Free description for the interface (optional)
ip address a.b.c.d 255.255.255.0        a.b.c.d = IP address of the MISS/router LAN
line con 0                              Console port of the router
exec-timeout 120 0                      Log the user out after 120 minutes of inactivity (the arguments are minutes and seconds; choose a shorter value if your policy requires it)
password "login-password"               Freely chosen password for console access
login                                   Require the password at login
line vty 0 4                            Virtual terminal lines for telnet connections to the router (telnet sends the password in clear text; prefer SSH where the IOS image supports it)
exec-timeout 120 0                      Log the user out after 120 minutes of inactivity
password "login-password"               Freely chosen password for telnet access
login                                   Require the password at login
end                                     Exit configuration mode
write                                   Save the configuration permanently (retained after power off)
9.1.1 Ethernet Leased Lines - Xetra 1 Gbit/s
The following configuration is valid for Cisco routers.
Router Command                          Comment
configure terminal                      Enter configuration mode
interface FastEthernet0/0               The interface names FastEthernet0/n may need to be amended to reflect the actual names of the router interfaces
description "free text"                 Free description for the interface (optional)
ip address x.x.x.h 255.255.255.0        x.x.x.h = IP of the MISS/router LAN; 255.255.255.0 = subnet mask for the network
interface FastEthernet0/1               The interface names FastEthernet0/n may need to be amended to reflect the actual names of the router interfaces
duplex full
speed z                                 z depends on the physical line speed provided by the carrier: it may be necessary to set a speed of 10 for 10 Mbit/s circuits or instead a speed of 100; for 1 Gbit/s circuits the speed is set to 1000
ip address Y.Y.Y.2 255.255.255.0        Y.Y.Y.2 = IP address for the Ethernet leased line to the access point, provided by the Exchange
interface Tunnel1                       GRE tunnel for network monitoring
no ip address                           No IP address; not used for data or routing
keepalive 5 3                           Keepalive handshake (5 second interval, 3 retries)
tunnel source Y.Y.Y.2                   Source is the interface towards the Exchange
tunnel destination Y.Y.Y.1              Destination is the Exchange interface
router eigrp ZZ                         Autonomous system number provided by the Exchange
network 90.0.0.0                        Network of the interface used for the IP connection
end                                     Exit configuration mode
write                                   Save the configuration permanently (retained after power off)
The tunnel interface is only necessary to provide end to end monitoring. No traffic is transported over this interface.
9.1.2 Ethernet Leased Lines - Enhanced Broadcast Solution+ Service A
The following configuration is valid for Cisco routers.
Router Command                          Comment
configure terminal                      Enter configuration mode
ip multicast-routing                    Enable multicast routing on the router
interface FastEthernet0/0               The interface names FastEthernet0/n may need to be amended to reflect the actual names of the router interfaces
description "free text"                 Free description for the interface, e.g. member LAN
ip address 90.x.x.21 255.255.255.0      90.x.x.21 = IP of the MISS/router LAN; 255.255.255.0 = subnet mask for the network
ip pim sparse-mode                      Multicast mode
ip pim neighbor-filter DenyRtrB         With the DenyRtrB list no PIM neighbour is accepted on the member LAN, so the Service A and Service B routers do not peer with each other
ip igmp access-group EbsA               Multicast segregation of Service A vs. Service B: only IGMP joins for the Service A groups listed in EbsA are accepted
interface FastEthernet0/1               The interface names FastEthernet0/n may need to be amended to reflect the actual names of the router interfaces
description "free text"                 Free description for the interface, e.g. to Deutsche Boerse
ip address 90.y.y.2 255.255.255.0       255.255.255.0 = subnet mask for the network
ip pim sparse-mode                      Multicast mode
speed z                                 z depends on the physical line speed provided by the carrier: it may be necessary to set a speed of 10 for 10 Mbit/s circuits or instead a speed of 100
duplex full
interface Tunnel1                       GRE tunnel for network monitoring
description "free text"                 Free description for the interface, e.g. Monitor Tunnel
no ip address                           No IP address; not used for data or routing
tunnel source 90.a.a.2                  Source is the interface towards the Exchange, supplied by the Exchange
tunnel destination 90.a.a.1             Destination is the Exchange interface, supplied by the Exchange
keepalive 5 3                           Keepalive handshake (5 second interval, 3 retries)
ip access-list standard DenyRtrB
 deny any                               Multicast segregation of Service A vs. Service B
ip pim rp-address 193.29.95.252 EbsA    Address of the multicast rendezvous point at the Exchange (Eurex, Service A); the EbsA list limits this RP to the Service A groups
ip access-list standard EbsA
 permit 224.0.29.0 0.0.0.255
 permit 233.49.81.0 0.0.0.127
 deny any                               Multicast segregation of Service A vs. Service B
router eigrp 56                         Routing protocol and autonomous system number
network 90.0.0.0                        Physically connected network
end                                     Exit configuration mode
9.1.3 Ethernet Leased Lines - Enhanced Broadcast Solution+ Service B
The following configuration is valid for Cisco routers.
Router Command                                    Comment
config terminal                                   enter configuration mode
ip multicast-routing                              enable multicast on router
interface FastEthernet0/0                         the interface names FastEthernet0/n may need to be amended to reflect the actual name of the router interfaces
 description "free text"                          free description for interface, e.g. member LAN
 ip address 90.x.x.22 255.255.255.0               90.x.x.22 = IP of MISS/Router LAN; 255.255.255.0 = subnet mask for network
 ip pim sparse-mode                               multicast mode
 ip pim neighbor-filter DenyRtrA                  PIM neighbor filter; list DenyRtrA (below) rejects all PIM neighbors on this LAN
 ip igmp access-group EbsB                        multicast segregation of service A vs. service B
interface FastEthernet0/1                         the interface names FastEthernet0/n may need to be amended to reflect the actual name of the router interfaces
 description "free text"                          free description for interface, e.g. to Deutsche Boerse
 ip address 90.y.y.2 255.255.255.0                255.255.255.0 = subnet mask for network
 ip pim sparse-mode                               multicast mode
 speed z                                          z = depending on the physical line speed provided by the carrier. It may be necessary to set a speed of 10 for 10 Mbit/s circuits or instead a speed of 100.
 duplex full
interface Tunnel1                                 GRE tunnel for network monitoring
 description "free text"                          free description for interface, e.g. to Monitor Tunnel
 no ip address                                    no IP address, not used for data or routing
 tunnel source 90.a.a.2                           source is the interface to the Exchange, supplied by the Exchange
 tunnel destination 90.a.a.1                      destination is the Exchange interface, supplied by the Exchange
 keepalive 5 3                                    handshaking setup
ip access-list standard DenyRtrA
 deny any                                         multicast segregation of service A vs. service B
ip pim rp-address 193.29.95.253 EbsB              address of the multicast rendezvous point at the Exchange (for the groups in list EbsB)
ip access-list standard EbsB
 permit 224.0.30.0 0.0.0.255
 permit 233.49.81.128 0.0.0.127
 deny any                                         multicast segregation of service A vs. service B
router eigrp 56                                   router protocol and group
 network 90.0.0.0                                 physically connected network
end
9.1.4 Optional Shaping (QoS) for Enhanced Transaction Solution Simulation
If you want to limit the bandwidth that the Enhanced Transaction Solution simulation can use, configure the following section and bind it as shown at the end of the configuration in section 9.1.5.
Router Command                                    Comment
ip access-list extended AL_Eurex_Ets_Simu         define access list
 permit tcp any any eq 10145                      applicable for ETS simulation port 10145
class-map match-all CM_Ets_Simu                   define class
 match access-group name AL_Eurex_Ets_Simu        criteria for the class
policy-map Ets_Out                                define policy
 class CM_Ets_Simu                                criteria for the policy
  shape average 256000                            the value 256000 (bit/s) can be changed as required
9.1.5 Ethernet Leased Lines for Enhanced Transaction Solution
The following configuration is valid for Cisco routers.
Router Command                                    Comment
******** Configure IP SLA to keep the IPsec tunnel alive ********
ip sla monitor 12
 type tcpConnect dest-ipaddr 193.29.94.n dest-port 10045 source-ipaddr a.b.c.d source-port 58418 control disable
                                                  a.b.c.d = IP address assigned by the exchange
ip sla monitor schedule 12 life forever start-time now    start IP SLA
******** RSA key generation ********
Before generating the RSA keys ensure that the time on the router is correct and that the ip domain-name has been configured!
ip domain name <fqdn>                             <fully qualified domain name>
crypto key generate rsa                           enter 1024 at the prompt <How many bits in the modulus [512]:>
******** End of RSA key generation ********
crypto isakmp policy 10
 encr aes 256
 group 5                                          configure ISAKMP settings
crypto pki trustpoint TP_dbs_subca1
 enrollment url http://193.29.95.250:80
 subject-name OU=ETS
 revocation-check none
 auto-enroll 90 regenerate                        configure certificate authority
crypto isakmp identity dn
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set TS_dbsset_Ets esp-aes 256 esp-sha-hmac
ip access-list extended AL_dbs_Ets
 5 permit tcp 90.201.11.0 0.0.0.255 193.29.94.0 0.0.0.127    configure access list for encryption
crypto map CM_dbs_Ets 10 ipsec-isakmp             configure crypto map
 set peer 193.29.95.224                           primary peer
 set peer 193.29.95.225                           backup peer
 set security-association lifetime seconds 28800
 set transform-set TS_dbsset_Ets
 set pfs group5
 match address AL_dbs_Ets
 qos pre-classify
interface FastEthernet0/1                         the interface names FastEthernet0/n may need to be amended to reflect the actual name of the router interfaces
 speed 100                                        physical line speed provided by the carrier
 duplex full
 description To Deutsche Boerse
 ip address a.b.c.d 255.255.255.0                 a.b.c.d = IP address assigned by the exchange
 !ntp broadcast client                            optional when the member has no NTP server (see 9.1.6)
 crypto map CM_dbs_Ets                            required for ETS encryption (the name must match the crypto map defined above)
 !service-policy output Ets_Out                   optional for simulation shaping (see 9.1.4)
9.1.6 Optional NTP Server for Enhanced Transaction Solution
To allow Enhanced Transaction Solution member routers to use the exchange routers as NTP servers, the following command can optionally be added to the configuration above. A correct clock is crucial for IPsec encryption.
Router Command                                    Comment
ntp broadcast client                              see end of configuration in section 9.1.5; time zone: in all cases CET
9.2 Adding Support for iAccess
Member routers connecting to the exchange via the Internet must be configured for IPSec. Members are responsible for the secure configuration of their router(s). The security configurations that follow, e.g. the access lists, are recommendations only and have to be customized to the member's specific requirements. The basic part of the configuration may be entered at any time; the installation of the certificate must be conducted interactively together with the exchange.
9.2.1 Network Time Protocol for iAccess Connections
The router must be configured with the correct time in order to check the validity of the certificate. A connection to the exchange will only be possible if the current time on the router is within the valid time frame of the certificate. The simplest solution is to request the time from the Internet (UTC), however any means of time settings for the router will work.
The commands listed below synchronize the router's time with an NTP server on the Internet. Please note that using symbolic server names requires name resolution to be configured on the router. Commands should be entered in the Enable mode.
Router Command                                    Comments
config terminal                                   Enter configuration mode
clock timezone CET 1                              Time zone name and offset from UTC in hours: CET (+1) for Europe, CST for the US
clock calendar-valid
ntp update-calendar
scheduler interval 300
ntp server "server name"                          First place to look for a network time provider (see explanation)
ntp server "server name"                          Second place to look for a network time provider
- and so on -
Any known network time providers may be entered as the “servername” in the above. Internet Service Providers may provide one or more network time providers as DNS-names. The exchange has no control over the availability, reliability or access policy of Internet network time providers. A list of such providers may be found at http://support.ntp.org/bin/view/Servers/WebHome. Some of these providers are shown below:
• clock.isc.org
• clock.via.net
• ntp1.fau.de
• ptbtime2.ptb.de
• bernina.ethz.ch
• ntp.univ-lyon1.fr
• ntp2a.mcc.ac.uk
Use the “show clock“ command to check the current time of the router.
9.2.2 Setting the Time Manually
If it is necessary to set the time manually because an NTP server is not reachable, then the following Cisco command can be used in the Enable mode.
Router Command                                    Comment
clock set hh:mm:ss dd mmm yyyy                    Example: clock set 11:33:00 29 JUL 2003 (UTC)
9.2.3 IPSec Configuration for iAccess
Router Command                                    Comment
config terminal                                   Enter configuration mode
service compress-config
ip domain-name <customer.ext>                     Customer domain and extension, for example: ABCFR.DE
hostname <Router Name>                            Router name as defined on configuration sheet
ip domain-lookup                                  Enable domain lookup
ip name-server <Name Server IP>                   DNS address (obtained from ISP); several DNS IPs are entered by repeating the command with the different IPs
ip subnet-zero
no ip source-route
no ip finger
crypto pki trustpoint baltimore                   Name of exchange certification authority
 revocation-check none
 enrollment retry count 100
 enrollment mode ra
 enrollment url http://193.29.78.191:10081/cgi-bin/pkiclient.exe    Path for CEP (SCEP) negotiation
 crl optional                                     optional: the router only uses the CRL if it can obtain it
crypto isakmp policy 1                            ISAKMP policy
crypto ipsec transform-set <Name_Transformset> esp-3des esp-sha-hmac    IPsec policy
crypto map <Crypto_Name> 1 ipsec-isakmp           Definition of first Crypto Map
 set peer <iAccess Point Router 1>                IP address of first iAccess Point Router according to configuration sheet
 set transform-set <Name_Transformset>
 match address 1XX                                Specifies the list (1XX) for the traffic to encrypt
crypto map <Crypto_Name> 2 ipsec-isakmp           Definition of second Crypto Map (same map name, second sequence number)
 set peer <iAccess Point Router 2>                IP address of second iAccess Point Router according to the information from the exchange
 set transform-set <Name_Transformset>
 match address 1YY                                Specifies the list (1YY) for the traffic to encrypt
interface Tunnel1                                 Definition of first Tunnel interface
 ip address 90.XXX.XXX.XXX 255.255.255.0          According to configuration sheet
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 tunnel source <Router Internet IP-Address>       Customer Router Internet IP address, assigned by ISP
 tunnel destination <iAccess Point Router 1>      According to configuration sheet
 crypto map <Crypto_Name>                         Activate crypto map for this interface
interface Tunnel2                                 Definition of second Tunnel interface
 ip address 90.YYY.YYY.YYY 255.255.255.0          According to configuration sheet
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 tunnel source <Router Internet IP-Address>       Customer Router Internet IP address
 tunnel destination <iAccess Point Router 2>      According to configuration sheet
 crypto map <Crypto_Name>                         Activate crypto map for this interface
interface <INTERNET>                              Interface with Internet address
 ip address <Router Internet IP Address> <Internet Subnet-Mask>
 bandwidth <XX>                                   XX (kbit/s): 1024 for Eurex trading and 512 for Xetra
 ip access-group 1ZZ in                           General access list, see access lists below
 no ip route-cache
 no ip mroute-cache
 no ip unreachables
 no cdp enable
 crypto map <Crypto_Name>                         Activate crypto map for this interface
interface <LAN>                                   Interface to connect to Customer LAN
 ip address <Router LAN IP Address> <LAN Subnet-Mask>
 no ip route-cache
 no ip mroute-cache
router eigrp ZZ                                   ZZ is the EIGRP number as defined on the config sheet
 network A.0.0.0                                  Where A is the first octet of the MISS/Router LAN
 no auto-summary
no ip classless
ip route 0.0.0.0 0.0.0.0 <Default-Route>          Set the default gateway (normally the ISP's router)
no ip http server
ip access-list extended 1ZZ                       Recommended general access list
 permit gre host <iAccess Point Router 1> any     Allow VPN protocol
 permit gre host <iAccess Point Router 2> any     Allow VPN protocol
 permit icmp any any echo                         Allow PING request
 permit icmp any any echo-reply                   Allow PING reply
 permit udp any any eq isakmp                     Allow VPN protocol
 permit udp host <NTP Srv Address> any eq ntp     Allow time synchronization protocol
 permit eigrp any any                             Allow EIGRP
 permit esp host <iAccess Point Router 1> any     Allow VPN protocol
 permit esp host <iAccess Point Router 2> any     Allow VPN protocol
 deny ip any any log                              Deny everything else
ip access-list extended 1XX
 permit gre host <Router Internet IP-Address> host <iAccess Point Router 1>    Example: permit gre host 212.69.76.5 host 193.29.78.1
ip access-list extended 1YY
 permit gre host <Router Internet IP-Address> host <iAccess Point Router 2>    Example: permit gre host 212.69.76.5 host 193.29.78.2
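As an added example (not code from the guide), the following Python models Cisco wildcard-mask matching and applies it to the EbsA/EbsB multicast group lists of sections 9.1.2/9.1.3 and to the recommended general access list 1ZZ above. The iAccess Point addresses 193.29.78.1/.2 and the member router address 212.69.76.5 are the guide's example values; the NTP server address 192.0.2.123 is a constructed placeholder.

```python
"""Model of the Cisco access lists used in this guide (added example, not the
guide's own code): wildcard-mask matching for the EbsA/EbsB multicast group
lists of sections 9.1.2/9.1.3 and for the recommended general access list
1ZZ of section 9.2.3. First match wins; an unmatched packet is denied."""
from ipaddress import IPv4Address
from typing import List, NamedTuple, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


# Standard ACLs as (action, base, wildcard); 'ip igmp access-group' applies them
# to the multicast group address a host asks to join (sections 9.1.2 / 9.1.3).
ANY = ("0.0.0.0", "255.255.255.255")
EBS_A = [("permit", "224.0.29.0", "0.0.0.255"),
         ("permit", "233.49.81.0", "0.0.0.127"),
         ("deny",) + ANY]
EBS_B = [("permit", "224.0.30.0", "0.0.0.255"),
         ("permit", "233.49.81.128", "0.0.0.127"),
         ("deny",) + ANY]


def igmp_group_allowed(acl, group: str) -> bool:
    """True if a host on the interface may join 'group' under this access-group."""
    for action, base, wildcard in acl:
        if wildcard_match(group, base, wildcard):
            return action == "permit"
    return False  # implicit deny at the end of every Cisco ACL


class Packet(NamedTuple):
    proto: str                       # gre, esp, udp, tcp, icmp, eigrp
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


class Rule(NamedTuple):
    action: str
    proto: str                       # "ip" matches every protocol
    src: Tuple[str, str]             # (base, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    log: bool = False


def host(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")


def evaluate(acl: List[Rule], pkt: Packet):
    """Return (action, index of the matching rule; None means the implicit deny)."""
    for i, r in enumerate(acl):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *r.src) and wildcard_match(pkt.dst, *r.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
            continue
        return r.action, i
    return "deny", None


# Placeholders of section 9.2.3 filled with the guide's example addresses
# (212.69.76.5 member router, 193.29.78.1/.2 iAccess Point routers); the NTP
# server address is a constructed value.
ROUTER_INET_IP = "212.69.76.5"
IAP1, IAP2 = "193.29.78.1", "193.29.78.2"
NTP_SRV = "192.0.2.123"
ACL_1ZZ = [
    Rule("permit", "gre", host(IAP1), ANY),
    Rule("permit", "gre", host(IAP2), ANY),
    Rule("permit", "icmp", ANY, ANY, icmp_type="echo"),        # echo from any source
    Rule("permit", "icmp", ANY, ANY, icmp_type="echo-reply"),
    Rule("permit", "udp", ANY, ANY, dport=500),                # eq isakmp
    Rule("permit", "udp", host(NTP_SRV), ANY, dport=123),      # eq ntp
    Rule("permit", "eigrp", ANY, ANY),
    Rule("permit", "esp", host(IAP1), ANY),
    Rule("permit", "esp", host(IAP2), ANY),
    Rule("deny", "ip", ANY, ANY, log=True),                    # deny everything else
]


def classify(pkts: List[Packet]):
    """Evaluate constructed packets against 1ZZ; returns [(packet, action, rule)]."""
    return [(p,) + evaluate(ACL_1ZZ, p) for p in pkts]


if __name__ == "__main__":
    samples = [Packet("gre", IAP1, ROUTER_INET_IP),
               Packet("gre", "203.0.113.9", ROUTER_INET_IP),              # unknown GRE peer
               Packet("udp", "203.0.113.9", ROUTER_INET_IP, dport=123),   # NTP from an unconfigured server
               Packet("tcp", "203.0.113.9", ROUTER_INET_IP, dport=23)]
    for pkt, action, idx in classify(samples):
        print(f"{action:6} rule={idx}  {pkt}")
    for grp in ("233.49.81.5", "233.49.81.200"):
        print(grp, "A:", igmp_group_allowed(EBS_A, grp), "B:", igmp_group_allowed(EBS_B, grp))
```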
9.2.4 IPSec Configuration for Combined Access
Router Command                                    Comment
service compress-config
ip domain-name <customer.ext>                     Customer's domain and extension
hostname <Router Name>                            Router name as defined on configuration sheet
ip domain-lookup                                  Enable domain lookup
ip name-server <Name Server IP-Address>           Name server
ip subnet-zero
no ip source-route
no ip finger
crypto pki trustpoint baltimore                   Name of exchange certification authority
 revocation-check none
 enrollment retry count 100
 enrollment mode ra
 enrollment url http://193.29.78.191:10081/cgi-bin/pkiclient.exe    Path for CEP (SCEP) negotiation
 crl optional                                     optional: the router only uses the CRL if it can obtain it
crypto isakmp policy 1                            ISAKMP policy
crypto ipsec transform-set <Name_Transformset> esp-3des esp-sha-hmac    IPsec policy
crypto map <Crypto_Name> 1 ipsec-isakmp           Definition of first Crypto Map
 set peer <iAccess Point Router>                  IP address of first iAccess Point Router according to configuration sheet
 set transform-set <Name_Transformset>
 match address 1XX                                Specifies the list (1XX) of traffic to encrypt (see below)
interface Tunnel1                                 Definition of first Tunnel interface
 ip address 90.XXX.XXX.XXX 255.255.255.0          according to configuration sheet
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 tunnel source <Router Internet IP-Address>       Customer Router Internet IP address
 tunnel destination <iAccess Point Router 1>      according to configuration sheet
 crypto map <Crypto_Name>                         Activate crypto map for this interface
interface <INTERNET>                              Interface with Internet address
 ip address <Router Internet IP Address> <Internet Subnet-Mask>
 bandwidth <XX>                                   XX (kbit/s): 1024 for Eurex trading and 512 for Xetra
 no ip route-cache
 no ip mroute-cache
 ip access-group 1ZZ in                           General access list
 no ip redirects
 no ip unreachables
 no cdp enable
 crypto map <Crypto_Name>                         Activate crypto map for this interface
interface <LAN>                                   Interface to connect to Customer LAN
 ip address <Router LAN IP Address> <LAN Subnet-Mask>
 no ip route-cache
 no ip mroute-cache
router eigrp ZZ                                   ZZ is the EIGRP number for the leased line as defined on configuration sheet
 network 90.0.0.0
 no auto-summary
router eigrp YY                                   YY is the EIGRP number for the Internet as defined on configuration sheet
 network 90.0.0.0
 no auto-summary
no ip classless
ip route 0.0.0.0 0.0.0.0 <Default-Route>          Set the default gateway (normally the ISP's router)
no ip http server
ip access-list extended 1ZZ                       Recommended general access list
 permit gre host <iAccess Point Router 1> any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit udp any any eq isakmp
 permit udp host <NTP Server Address> any eq ntp  Time server IP address
 permit eigrp any any
 permit esp host <iAccess Point Router 1> any
 deny ip any any log
ip access-list extended 1XX
 permit gre host <Router Internet IP-Address> host <iAccess Point Router 1>    Example: permit gre host 212.69.76.5 host 193.29.78.1
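The following Python check, added here and not part of the guide or of any Deutsche Börse tooling, parses an IOS-style configuration and reports where the recommendations of sections 9.2.3/9.2.4 are missing: the global services switched off, an inbound access list on the Internet interface ending in "deny ip any any log", GRE/ESP accepted only from named hosts, and the crypto map bound on the Internet and tunnel interfaces. The sample configuration is constructed, with the guide's example addresses (212.69.76.5 member router, 193.29.78.1 iAccess Point router) filled in.

```python
"""Audit of the hardening the guide recommends for iAccess routers in
sections 9.2.3 / 9.2.4. Added example, not the guide's own tooling; it runs
against a constructed IOS-style configuration whose placeholders are filled
with the guide's example addresses. It checks the post-enrolment state, i.e.
after the crypto map and access list have been bound to the interface (9.2.6)."""
from typing import Dict, List, Tuple


def parse_ios(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into top-level commands and the indented lines under each."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and IOS comments
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line
            top.append(line)
            sections[current] = []
    return top, sections


# Global services the 9.2.3 / 9.2.4 templates switch off.
REQUIRED_GLOBAL = ("no ip source-route", "no ip finger", "no ip http server")


def audit(config: str, internet_if: str) -> List[str]:
    """Return findings as strings; an empty list means every checked item is in place."""
    findings = []
    top, sections = parse_ios(config)
    for cmd in REQUIRED_GLOBAL:
        if cmd not in top:
            findings.append(f"global: missing '{cmd}'")
    inet = sections.get(f"interface {internet_if}")
    if inet is None:
        return findings + [f"interface {internet_if} not found"]
    if not any(l.startswith("crypto map ") for l in inet):
        findings.append(f"{internet_if}: no crypto map bound")
    if "no cdp enable" not in inet:
        findings.append(f"{internet_if}: CDP still enabled towards the Internet")
    acl_name = next((l.split()[2] for l in inet
                     if l.startswith("ip access-group ") and l.endswith(" in")), None)
    if acl_name is None:
        findings.append(f"{internet_if}: no inbound access-group")
    else:
        acl = sections.get(f"ip access-list extended {acl_name}", [])
        if not acl or acl[-1] != "deny ip any any log":
            findings.append(f"acl {acl_name}: must end with 'deny ip any any log'")
        for entry in acl:  # GRE/ESP may only be accepted from the named iAccess Points
            parts = entry.split()
            if len(parts) > 2 and parts[0] == "permit" and parts[1] in ("gre", "esp") and parts[2] != "host":
                findings.append(f"acl {acl_name}: {parts[1]} permitted from a non-host source")
    for hdr, lines in sections.items():
        if hdr.startswith("interface Tunnel") and not any(l.startswith("crypto map ") for l in lines):
            findings.append(f"{hdr[10:]}: tunnel interface without crypto map")
    return findings


# Constructed configuration following the 9.2.3 template (one tunnel shown).
SAMPLE_OK = """\
no ip source-route
no ip finger
crypto map CM_DBS 1 ipsec-isakmp
 set peer 193.29.78.1
 match address 100
interface Tunnel1
 ip address 90.1.1.2 255.255.255.0
 tunnel source 212.69.76.5
 tunnel destination 193.29.78.1
 crypto map CM_DBS
interface FastEthernet0/1
 ip address 212.69.76.5 255.255.255.248
 ip access-group 110 in
 no cdp enable
 crypto map CM_DBS
no ip http server
ip access-list extended 110
 permit gre host 193.29.78.1 any
 permit udp any any eq isakmp
 permit esp host 193.29.78.1 any
 deny ip any any log
"""
# The same configuration with two of the recommendations left out.
SAMPLE_WEAK = (SAMPLE_OK.replace(" no cdp enable\n", "")
                        .replace(" deny ip any any log\n", " deny ip any any\n"))

if __name__ == "__main__":
    for name, cfg in (("compliant", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        print(name, audit(cfg, "FastEthernet0/1") or ["no findings"])
```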
9.2.5 Router Clock Verification
The certificates used are valid for a defined timeframe of 36 months only. The local clock of the member router is used to check the validity period of the certificate.
9.2.6 Enrolment
Enrolment is the authentication and installation process of the certificates on the member router. The process is conducted interactively between the member and the exchange. The member must have access to the router during the enrolment. The steps for the enrolment are shown in the following paragraphs. Please make sure that the clock is set correctly before starting the enrolment. Neither the crypto map nor the access list should be bound to the interface during enrolment.
9.2.7 Password for Member Verification
The exchange issues a password for authorization of the member. This password is distributed to the member by mail. During the setup the exchange requests the password to authenticate the member.
9.2.8 Trusted Peer Verification
To verify that the requested certificate originates from the exchange, enter the following commands on the router:
Router Command                                    Comment
config terminal
crypto ca authenticate exchangeCA                 request authorization (exchangeCA stands for the trustpoint name configured in 9.2.3/9.2.4, i.e. baltimore)
end                                               exit config mode
The shown fingerprint must be compared to the one shown on the exchange side. The exchange’s view of the fingerprint will be available via phone or mail.
9.2.9 Load Certificate
After establishing a trusted peer the certificate can be requested from the exchange:
Router Command                                    Comment
config terminal
crypto ca enroll exchangeCA                       request certificate; respond to the questions as explained below
end                                               exit config mode
The router will request the following information:
• Challenge password -- to be used for identification
• If the router serial number is to be included in the subject name; enter NO
• If an IP-Address is to be included in the subject name; enter NO
• If the certificate is to be requested; enter YES
The command "show crypto ca certificates" (abbreviated "show cr ca cert") allows the loading of the certificate to be verified. The status is "pending" until the exchange responds to the request; it then changes to "available".
9.3 Router for Workstations in a Remote LAN
It is the member’s responsibility to select, install and configure routers for connecting workstations in a remote LAN to the MISS/Workstation LAN. By default, there is no transmission of multicasts across routers. The use of protocols, for example PIM (Protocol Independent Multicast), makes it possible to configure routers to forward multicasts. All interconnecting components must be able to transport multicasts.
10. Terms and Abbreviations
3DES A method to encrypt data by applying DES 3 times.
AP Access Point - Within this document the Access Point’s key function is to route data transactions to and from the Exchange’s Back-Ends.
API Application Programming Interface is the specific method prescribed by a computer operating system or by another application program by which an application program can make requests of the operating system or another application. In the context of exchange applications, the VALUES API is supported.
BALUN A BALUN (BALanced-UNbalanced) is an adapter to match the impedance of a leased line with the impedance of a router interface (e.g. to match a 75 Ohms leased line impedance to 120 Ohms interface impedance and vice versa).
BESS Back-End Specific Subsystems are needed to access the exchange-specific Back-End. BESSes are available for Xetra Frankfurt, Xetra Vienna, Eurex and CCP.
CCP The Central Counter Party is an intermediary which guarantees delivery of trades in selected equities by mediating between the buying and the selling party.
CEF® Real-time data feed operated by Deutsche Börse AG
Combined Access Connection alternative using a leased line connection together with an iAccess connection (backup) to connect to the Back-End.
CS Communications Server
DES Data Encryption Standard. A classical symmetric encryption algorithm. Symmetry means that the same key is used for encryption and decryption.
EEX European Energy Exchange
EIGRP Enhanced Interior Gateway Routing Protocol. An advanced version of the IGRP router-to-router protocol developed by Cisco. Provides superior convergence properties and operating efficiency and combines the advantages of link state protocols with those of distance vector protocols.
Enhanced Broadcast Solution The Eurex/Xetra Enhanced Broadcast Solution data stream is propagated in a “live-live” concept by disseminating two services, A and B. Both services contain the same streams but utilize different Multicast groups.
Enhanced Risk Solution A Eurex Clearing AG service (optional) providing members near-time risk data
Enhanced Transaction Solution The Eurex/Xetra Enhanced Transaction Solution is an asynchronous message-based interface. The Enhanced Transaction Solution is session-oriented, whereby the session is the basic context of the interaction with the respective Back-End system.
Environment Environments are: Production, Simulation or Advanced Simulation
Eurex Eurex is a derivatives Exchange. The Eurex system provides functions for trading/clearing, trading/clearing support and security. The Eurex platform also supports trading and clearing for the derivatives side of the European Energy Exchange (EEX).
Eurex (VALUES) MISS-based Eurex connection
Exchange In this documentation the term “Exchange” refers to those exchanges for whose markets and services the IT branch of Deutsche Börse Group provides the network access.
FTP File Transfer Protocol – description of a method of transferring files between computers.
GATE Generic Access To Exchanges is a common Front-End architecture software component for all MISS-based exchange applications. GATE provides common execution and operations services to all exchange applications (Eurex, Xetra, CCP and others).
GRE Generic Routing Encapsulation – standard for tunnelling IP and other network protocols, described in RFCs 1701 and 1702.
HTML Hypertext Mark-up Language is the set of mark-up symbols or codes inserted into a text file intended for display on a World Wide Web browser page.
HTTP Hypertext Transfer Protocol is the underlying protocol used by the World Wide Web to transfer hypertext requests and information between servers and browsers.
HTTPS Hypertext Transfer Protocol over Secure Socket Layer is a Web protocol similar to HTTP. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server.
iAccess Connection alternative "iAccess" is a permanent point-to-point VPN Internet connection between a member router and an Access Point to connect to the Back-End. A tunnel through the Internet is established by employing IPSec.
IANA Internet Assigned Numbers Authority
ICMP Internet Control Message Protocol - an extension to the Internet Protocol defined by RFC 792. ICMP supports packets containing error, control, and informational messages.
IOS Cisco system software that provides common functionality, scalability and security for all products under the Cisco Fusion architecture. Cisco IOS allows centralized, integrated and automated installation and management of interconnected networks, while ensuring support for a wide variety of protocols, media, services and platforms.
IP multicast IP multicasting is a bandwidth conserving technology that reduces network traffic by simultaneously delivering a single stream of information to computers in a network configured with the same multicast address.
IPSec IP Security protocol. An Internet Engineering Task Force (IETF) specification for IP network layer security supporting end-to-end encryption and authentication for secure communication in public and private networks.
Irish - SE Irish Stock Exchange
ISP Internet Service Provider
LAN Local Area Network connects computers in a workgroup, department or building.
Leased Line Within this document the wording “leased line” is synonymous with the wording “bandwidth on leased line”.
Market Trading or clearing market of a platform. Whereas a platform is the application CCP, Eurex or Xetra.
MD Member Device. The term “member device” is used to describe any generic server.
MISS Member Integrated System Server (the Front-End server) is an MD running an Exchange application allowing members access to the trading system. The MISS can either run as a stand-alone machine on which the entire set of Front-End applications is available or as a server for additional workstations.
Redundancy Redundancy is the duplication of critical components of a system with the intention of increasing the reliability of the system.
Platform Trading or Clearing application serving one or several markets (e.g. Eurex, Xetra etc.)
Proximity Services Services offered by Deutsche Börse Systems, the IT branch of Deutsche Börse. The services address market demand for ultra low latency by placing member trading engines physically close to the exchange Back-End.
Proximity Location Partner data centers in Frankfurt co-operating with Deutsche Börse Systems
RSA An asymmetric encryption algorithm invented by Rivest, Shamir and Adleman. Asymmetry means that a different key is used for decryption and encryption. The quality of encryption is measured in terms of the bit length of the private key.
SSL Secure Socket Layer is a protocol to exchange messages with confidentiality and integrity, i.e. messages are exchanged encrypted, missing or replaced messages are detected, and the authenticity of the communication partners can be established.
Standard Access Connection alternative using 2 leased lines to connect to the Back-End
TCP/IP Transmission Control Protocol/Internet Protocol is a method (protocol) used to send data in the form of message units between computers over a LAN/WAN. TCP guarantees the messages are delivered uncorrupted, lossless and in sequence.
UDP User Datagram Protocol is a method of communication between computers in a network using the Internet Protocol (IP). UDP guarantees messages are delivered uncorrupted. However, contrary to TCP, UDP does not employ any mechanisms to ensure lossless and sequential message transmission.
USIM A file used as a token to prove a MISS is permitted to connect to a specific Back-End.
VALUES Virtual Access Link Using Exchange Services is an exchange developed and supported API, enabling members to interface their own applications to the exchange.
VPN Virtual Private Networks use advanced encryption and tunnelling to permit organizations to establish secure end-to-end, private network connections over third-party networks, such as the Internet or Frame Relay networks.
WAN Wide Area Network is a geographically dispersed telecommunications network and the term distinguishes a broader telecommunication structure from a LAN.
WBAG Wiener Börse AG / Vienna Stock Exchange
Xetra EXchange Electronic TRAding, the electronic stock trading system of Deutsche Börse AG. The Xetra platform supports the spot markets of the Exchanges: Wiener Börse AG (Vienna Stock Exchange), Irish Stock Exchange, European Energy Exchange (EEX), Eurex Bonds, Bulgarian Stock Exchange, Xetra Frankfurt, Xetra Frankfurt 2 and Xetra International Market.
Xetra Frankfurt 2 pan European multi-market venue
XQS The product Xentric Quote Source (XQS) supports the centralized processing and administration of quotes.