Deployment Example

In the following, we describe a typical small deployment scenario, where an ISP operates two CORE appliances (as described in Deployment Example) and additionally two GATE instances.

This GATE setup is a best practice because it increases the redundancy for residential customers. Further, it allows the ISP to perform maintenance on one of the GATE appliances without causing a service interruption.



Our target topology contains the following elements:

  • ISP 1 deploys two CORE appliances, s01.chzrh1.isp1 and s01.chbrn1.isp1, that are connected via the internal network

  • ISP 1 deploys two GATE appliances, s02.chzrh1.isp1 and s02.chbrn1.isp1, that are connected via the internal network to the CORE appliances. The two GATE appliances are both connected to the BGP network of the ISP via a BGP peering (using the and networks).

  • Residential customers, which belong to the BGP network of ISP 1.

  • gate-customer-1 and gate-customer-2 which are two organizations that are connected to the SCION Internet using an Anapaya EDGE appliance. They are customers of the Anapaya GATE solution of ISP 1, through which they allow their employees to access critical services.

    • gate-customer-1 exposes services, namely a VPN server, in the range.

    • gate-customer-2 exposes services in the range.

We will now configure the GATE appliances step-by-step to implement the above scenario.

Network Interface Configuration

First, we will look at the configuration for the network interfaces. In the setup, there are two physical network interfaces - one for the internal network lan and one for the BGP peering to the ISP’s BGP network bgp.

Please refer to the Network Interface Configuration for guidance on how to configure network interfaces, to Network Interfaces for the full documentation on network interface configuration and to Network for troubleshooting network configuration issues.

BGP Configuration

GATE appliances are connected to the BGP network of the ISP. Over these BGP peerings, the GATE announces reachable remote prefixes into the ISP’s internal BGP network and reannounces BGP announcements received from the ISP’s BGP routers to remote SCION ASes. Therefore, each GATE appliance needs to set up at least one BGP session to a BGP router of the ISP.

In the example the following sessions are configured:

  • s02.chzrh1.isp1 with local IP has a BGP session with the BGP router of the ISP with peer IP

  • s02.chbrn1.isp1 with local IP has a BGP session with the BGP router of the ISP with peer IP


For the peering a private BGP AS number is used on the GATE appliance. The BGP router of the ISP can use its usual public BGP AS number or use a private AS number as well.

The full documentation on the BGP configuration can be found in Border Gateway Protocol (BGP).

SCION Configuration

Next, we will take a look at the SCION configuration. The SCION section contains the configuration of the SCION protocol and AS. For GATE appliances, we only need the general AS configuration section.

General AS Configuration

Each SCION AS has several general AS configuration options such as the ISD-AS identifier, the AS forwarding secret key, and a human-readable description of the AS. For the full list of the general AS configuration options, please refer to General AS Configuration.

For the configuration of a GATE appliances, we need the following fields:

  • isd_as

  • scion_mtu

Please refer to General AS Configuration for details, since the values for the CORE appliances are equal to the values of the GATE appliances.

Cluster Configuration

The GATE appliances are deployed in a sharded manner as part of a cluster together with the CORE appliances. The GATE appliances exchange topology information with the CORE appliances.

The cluster configuration includes the local cluster endpoint and the list of peers that are part of the cluster. For CORE and GATE deployments we recommend to use automatic topology synchronization (see Cluster for more details).

For GATE appliances to be integrated into the existing cluster of CORE appliances, they need to be added to the cluster/peers section of the CORE appliances.

SCION Tunneling Configuration

The SCION tunneling configuration enables the IP-in-SCION tunneling module of the appliance and can be used to configure IP tunnels towards customers of the GATE.

The full documentation on the IP-in-SCION tunneling configuration can be found in IP-in-SCION Tunneling.

In this example, we configure both GATE appliances for two customers gate-customer-1 and gate-customer-2.

  • gate-customer-1 owns the SCION AS with ISD-AS number 1-ff00:1:234. This SCION AS announces the IP prefix to the GATE instances via the SCION Gateway Routing Protocol (SGRP).

  • gate-customer-2 owns the SCION AS with ISD-AS number 1-ff00:2:5b. This SCION AS announces the IP prefix to the GATE instances.

For both customers we create a domain configuration which contains:

  • prefixes.accept_filter to filter the prefixes which the GATE receives from the customer,

  • prefixes.announce_filter to filter the prefixes which the GATE announces to the customer,

  • remote_isd_ases to list the SCION ISD-AS numbers of the customer,

  • traffic_policies to influence what paths are chosen towards the customer. For simplicity, we configure the a default traffic policy that allows the GATE to choose any SCION path to the remote destination for any kind of traffic. Refer to IP-in-SCION Tunneling for much more details on how to configure traffic policies.