This guide is written to help others go through the process of configuring a system to connect to the Chicago Mercantile Exchange’s New Release environment over a self-hosted VPN connection. It’s meant not to be an in-depth explanation of all terms and concepts, but rather a guide/map to go from a new router to having a working connection for those with only a high level understanding of routers.

Step 1: Router

You will need a router with built-in ISAKMP and IPSEC capabilities. One of the low cost options is to go with an 800 series Cisco router such as the 871W which you can pick up on Ebay in the $50 to $60 range, and it includes 802.11 wireless capabilities. This guide is written using an 871W router.

  1. For those readers who are not networking experts or Cisco CCNAs, there are many acronyms that are used. A few of them are briefly explained here to help get you up to speed.

    • ISAKMP - This is part of the security mechanism and is a subset of IKE. http://networkengineering.stackexchange.com/questions/1/whats-the-difference-between-ike-and-isakmp

    • GRE - Generic Routing Encapsulation. This allows multicast traffic to be sent over the VPN tunnel. http://www.cisco.com/c/en/us/support/docs/ip/ip-multicast/43584-mcast-over-gre.html

    • PIM - Protocol Independent Multicast. You’ll need to "enable multicast routing" and "pim sparse-mode" on the router for the multicast traffic to work properly. http://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/ip_multicast/White_papers/mcst_ovr.html

    • VLAN - Virtual LAN. Note that on the 871W, you can not assign a specific IP or DHCP group to the physical interfaces. You must assign the interfaces to be part of a VLAN and then the VLAN can be assigned a DHCP pool for IP assignment.

    • Advanced Security or Advanced IP - Cisco offers two flavors of software to run on their routers. The "PIM" capabilities are in the Advanced IP package, not the Advanced Security package despite the need for a VPN tunnel! Make sure you are running a package with the K9 designator because it has AES/3DES encryption.

    • ACL - Access Lists. These allow you to choose what traffic can and can not go through your router.

    • NAT - Network Address Translation. This is a technology that allows your router to create a sub network and, through the use of differing ports, pass the traffic through one (public) IP. "ip nat inside" tells the vlan to NAT ip that are connected to it, and "ip nat outside" tells the interface (you would execute this command on your WAN port) to NAT traffic to the outside world.

    • dot1Q - This is to tell your wireless interface to use a specific vlan. For example "encapsulation dot1Q 10 native" uses vlan 10.

Step 2: Hardware

In addition to the 800 series Router, to get started, you’ll need a so-called "Rollover Cable". http://www.ebay.com/sch/i.html?_nkw=cisco+rollover+usb&_sacat=0 This allows you to configure the router over a serial protocol. Use putty to connect, and choose Serial for the method. For my setup, it was COM3 and 9600 baud. To connect to CME you’ll need to have two physical interfaces available on your server. One for public IP traffic, and the other for CME New Release traffic.

Step 3: The Big Picture

A high level overview of how your network topology can look is as follows. You will have two separate networks (VLANs), one for public internet traffic, and the other specifically for CME NR traffic. The Vlan IDs (10 and 20, below) correspond to the sample configuration at the end.

You’ll create two VLANs, one for public IP traffic ("Vlan 10"), and the other for CME New Release traffic ("Vlan 20"). For wireless router models, you’ll add the wireless connection to be part of Vlan 10. Assign two of the fast ethernet ports to vlan 10 (FA0 and FA1), and the other two (FA2 and FA3) to Vlan 20. This will allow you to have two physical connections to public IP and two to New Release. You can always attach a networking switch to a vlan 10 port to expand internet access to other devices. To have the appropriate IPs assigned to each VLAN, you’ll create two DHCP pools for which IPs can come. On vlan 10, you can stay with the traditional 192.168.1.x range and on vlan 20, you must use the range that the CME assigns you.

Note for Wireless users: In order to get wireless working propertly, you’ll need to create a both a sub interface and a "bridge group". At a high level, a bridge group allows you to connect the physical interface with the wireless interface into the same group. This is important: you won’t assign an IP address range to vlan 10, just tell it to be part of the bridge group and with "no ip address". Then, in the bridge group configuration, you will assign the IP range for which the DHCP pool exits. However, for vlan 20 (because it’s not part of a bridge group with a wireless interface), you will assign an ip range that matches what CME tells you. This is evident in the sample configuration.

Step 4: Configure Router / "Cisco 101"

To connect to the router, you do not use the Netgear/Linksys approach of pointing your browser to 192.168.1.1. Instead, you need to connect via the serial "rollover" cable.

  1. Once you connect to the router, there will be a few key commands that you’ll use over and over:

    • "write erase" — This will erase the "running-config" and the "startup-config". These are the file names of the two configuration files on the router.

    • "copy running-config startup-config" — This will copy the configuration that you have created to be the one run when the router is rebooted.

    • "enable" — This will bring the router into priviledged mode so you can issue basic show commands.

    • "config t" — This will bring the router into global configuration mode where you can actually change settings.

    • "exit" — Go back up one "level" in your configuration. For example if you are configuring a sub-interface and want to return back to the interface level, just type exit.

    • "shut" — Brings down an interface.

    • "no XXXX" — Removes or takes away a command. For example, if you type "no shut", then it will bring UP an interface. Likewise, "no ip pim sparse-mode" will REMOVE the "ip pim sparse-mode" from the configuration.

    • "switchport access" — This tells the router to associate a physical interface to a particular vlan.

A couple notes on wifi connection: You’ll notice there exists an entry "interface Dot11Radio0.10". This means you are creating a sub-interface off the 802.11 wireless interface (that’s where the ".10" comes in). The number after the period is for the vlan number for which the subinterface should be part of. You also use this vlan number with your dot1Q encapulation command. See the sample configuration. "guest mode" means that the SSID is broadcast (you’ll pick it up on your access point list on your laptop/phone).

To get started, connect to the router through putty, and follow these instructions:

  1. Execute "write erase" first (to restore factory configuration).

  2. Next, "enable" to go into priviledged mode.

  3. Then, "show running-config" to see what the initial configuration looks like.

  4. Lastly, "config t" so you can start changing settings (you should see the '#' prompt which means you can now issue commands).

Once you are in this mode, type in the commands from the attached configuration file. Replace the XXX.XXX.XXX.XXX IPs with those provided by CME.

Step 5: Configure Linux

In order to get this to work properly, you will need to: 1. diable RP filtering, 2. configure your firewall properly (or just turn it off), and 3. add the appropriate routing table entries so that traffic to CME goes to the correct interface. On the commands that follow, the interface for CME is enp3s0 (change it to match yours).

Routing table: route add -net XXX.YYY.ZZZ.0 netmask 255.255.255.0 gw AAA.BBB.CCC.1 dev enp3s0 (Change the X,Y,Z, and A,B,C to the IP range assignedby CME).

Also add the route for multicast traffic to the appropriate interface: sudo route add -net 224.0.0.0/8 dev enp3s0

To join a multicast group on ip 224.0.28.1:14310, you can use the command: iperf -s -u -B 224.0.28.1 -i 1 -p 14310

To see if multicast traffic is coming in on the interface: tcpdump -i enp3s0 -s0 -vv net 224.0.28.0/24

Note, on Centos 7, the commands to change your interfaces have changed. Here is a helpful cheat-sheet for relevant commands: https://access.redhat.com/sites/default/files/attachments/rh_ip_command_cheatsheet_1214_jcs_print.pdf

Useful Links:

http://stevehardie.com/2013/05/cisco-877w-configure-wireless-and-wired-on-single-subnet/ https://supportforums.cisco.com/discussion/11801006/does-configuring-two-vlans-cisco-871-router-divides-bandwidth-internet-half https://supportforums.cisco.com/discussion/10567086/change-ip-router-cisco-871

Sample Router Configuration

Current configuration : 4011 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.32 192.168.1.255
!
ip dhcp pool vlan20pool
network XXX.XXX.XXX.0 255.255.255.0
default-router XXX.XXX.XXX.1
dns-server 8.8.8.8
!
ip dhcp pool vlan10pool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
!
ip multicast-routing
!
!
!
!
!
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
crypto isakmp key SECRET_KEY address XXX.XXX.XXX.XXX
!
!
crypto ipsec transform-set cmevpn esp-3des esp-md5-hmac
!
crypto map cmevpn 1 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set cmevpn
match address 100
!
bridge irb
!
!
!
interface Tunnel0
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip pim sparse-mode
tunnel source XXX.XXX.XXX.XXX
tunnel destination XXX.XXX.XXX.1
!
interface Loopback0
ip address XXX.XXX.XXX.XXX 255.255.255.255
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 20
!
interface FastEthernet3
switchport access vlan 20
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map cmevpn
!
interface Dot11Radio0
no ip address
!
broadcast-key vlan 10 change 45
!
!
encryption vlan 10 mode ciphers tkip
!
ssid YOUR_SSID_NETWORK_NAME
vlan 10
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 YOUR_SSID_PASSWORD
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
!
interface Dot11Radio0.10
encapsulation dot1Q 10 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
ip access-group 102 in
shutdown
!
interface Vlan10
no ip address
ip access-group 102 in
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan20
ip address XXX.XXX.XXX.1 255.255.255.0
ip pim sparse-mode
ip nat inside
ip virtual-reassembly
!
interface BVI1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route XXX.XXX.XXX.1 255.255.255.255 FastEthernet4
ip route XXX.XXX.XXX.0 255.255.255.128 Tunnel0
ip route XXX.XXX.XXX.128 255.255.255.128 FastEthernet4
ip route XXX.XXX.XXX.255 255.255.255.255 Tunnel0
!
!
no ip http server
no ip http secure-server
ip pim rp-address XXX.XXX.XXX.254
ip mroute XXX.XXX.XXX.0 255.255.255.128 Tunnel0
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 102 permit ip any any
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
end

Spread the word