From 93445438a5fed8ab49e33e70e55dd9606fd24826 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Wed, 19 Feb 2025 14:57:45 +0000 Subject: [PATCH 1/7] added links to routing --- .../tutorials/encrypt-network-flow-data.mdx | 2 +- src/content/docs/magic-transit/get-started.mdx | 2 +- src/content/docs/magic-transit/how-to/advertise-prefixes.mdx | 4 ++-- .../application-based-policies/breakout-traffic.mdx | 2 +- src/content/docs/magic-wan/index.mdx | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/content/docs/magic-network-monitoring/tutorials/encrypt-network-flow-data.mdx b/src/content/docs/magic-network-monitoring/tutorials/encrypt-network-flow-data.mdx index 13f72a40d879bb..1c6d4d22aacac8 100644 --- a/src/content/docs/magic-network-monitoring/tutorials/encrypt-network-flow-data.mdx +++ b/src/content/docs/magic-network-monitoring/tutorials/encrypt-network-flow-data.mdx @@ -9,7 +9,7 @@ head: content: Magic Network Monitoring encrypt network flow data --- -Customers can encrypt the network flow data sent from their router to Cloudflare by routing their network flow traffic through a device running the WARP client. Then, encrypted network flow traffic can be forwarded from the WARP enabled device to Cloudflare's network flow endpoints. +Customers can encrypt the network flow data sent from their router to Cloudflare by [routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/) their network flow traffic through a device running the WARP client. Then, encrypted network flow traffic can be forwarded from the WARP enabled device to Cloudflare's network flow endpoints. To learn more about the WARP client, and to install the WARP client on Linux, macOS, or Windows, you can visit the [WARP client documentation](/cloudflare-one/connections/connect-devices/warp/). diff --git a/src/content/docs/magic-transit/get-started.mdx b/src/content/docs/magic-transit/get-started.mdx index 02d8ff5e8b1449..ce75dc044c94c5 100644 
--- a/src/content/docs/magic-transit/get-started.mdx +++ b/src/content/docs/magic-transit/get-started.mdx @@ -109,7 +109,7 @@ Once pre-flight checks are completed, Cloudflare will unlock your prefixLetters of Agency (LOA) must match the prefixes and originating prefixes you submit to Cloudflare. - When using contiguous prefixes, specify aggregate prefixes where possible. - When using Route Origin Authorizations (ROAs) to sign routes for [resource public key infrastructure (RPKI)](https://tools.ietf.org/html/rfc8210), the prefix and originating ASN must match the onboarding submission. 
@@ -96,7 +96,7 @@ If you use Direct CNI as a way to on-ramp your network traffic to Magic Transit, ### Regional settings -Magic Transit requires static routing to steer traffic from Cloudflare's network over one of your configured tunnel off-ramps (for GRE and IPsec tunnels). For CNI, both static routing and [BGP](/magic-transit/how-to/bgp-peering/) options are available. Currently, advertisement of routes for traffic engineering purposes is not supported. As a best practice to reduce last-hop latency, you should consider scoping your routes regionally. The default setting for static route regions is **All Regions**. Refer to [Configure static routes](/magic-transit/how-to/configure-static-routes/) for more information. +Magic Transit requires static [routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/) to steer traffic from Cloudflare's network over one of your configured tunnel off-ramps (for GRE and IPsec tunnels). For CNI, both static routing and [BGP](/magic-transit/how-to/bgp-peering/) options are available. Currently, advertisement of routes for traffic engineering purposes is not supported. As a best practice to reduce last-hop latency, you should consider scoping your routes regionally. The default setting for static route regions is **All Regions**. Refer to [Configure static routes](/magic-transit/how-to/configure-static-routes/) for more information. ## Example router configurations diff --git a/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx b/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx index 0bd3d1c9c7c8d2..e25cb9e6200659 100644 --- a/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx +++ b/src/content/docs/magic-wan/configuration/connector/network-options/application-based-policies/breakout-traffic.mdx 
@@ -30,7 +30,7 @@ accTitle: In this example, the applications go directly to the Internet, skippin _In the graph above, Applications 1 and 2 are configured to bypass Cloudflare's security filtering, and go straight to the Internet_ :::note[A note on security] -We recommend routing all traffic through our global network for comprehensive security filtering and access controls. However, there may be specific cases where you want a subset of traffic to bypass Cloudflare's security filtering and route it directly to the Internet. You can scope this breakout traffic to specific applications from the Cloudflare dashboard. +We recommend [routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/) all traffic through our global network for comprehensive security filtering and access controls. However, there may be specific cases where you want a subset of traffic to bypass Cloudflare's security filtering and route it directly to the Internet. You can scope this breakout traffic to specific applications from the Cloudflare dashboard. Refer to [Traffic steering](/magic-wan/reference/traffic-steering/) to learn how Cloudflare routes traffic. ::: diff --git a/src/content/docs/magic-wan/index.mdx b/src/content/docs/magic-wan/index.mdx index 9eab27fa2ead77..0b4fa645c1a219 100644 --- a/src/content/docs/magic-wan/index.mdx +++ b/src/content/docs/magic-wan/index.mdx 
@@ -25,7 +25,7 @@ import { -Magic WAN provides secure, performant connectivity and routing for your entire corporate networking, reducing cost and operation complexity. [Magic Firewall](/magic-firewall/) integrates smoothly with Magic WAN, enabling you to enforce network firewall policies at Cloudflare's global network, across traffic from any entity within your network. +Magic WAN provides secure, performant connectivity and [routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/) for your entire corporate networking, reducing cost and operation complexity. [Magic Firewall](/magic-firewall/) integrates smoothly with Magic WAN, enabling you to enforce network firewall policies at Cloudflare's global network, across traffic from any entity within your network. With Magic WAN, you can securely connect any traffic source - data centers, offices, devices, cloud properties - to Cloudflare's network and configure routing policies to get the bits where they need to go, all within one SaaS solution. From dc7ac1dca94f852d121e603bed6ab1e11ac3f5d4 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Wed, 19 Feb 2025 15:03:52 +0000 Subject: [PATCH 2/7] added routing --- src/content/partials/magic-transit/mtu-mss/mtu-mss.mdx | 2 +- src/content/partials/magic-transit/static-routes.mdx | 2 +- .../magic-transit/tunnel-health/tunnel-health-checks.mdx | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/partials/magic-transit/mtu-mss/mtu-mss.mdx b/src/content/partials/magic-transit/mtu-mss/mtu-mss.mdx index f51fafcb006ce3..8f47f8e6228120 100644 --- a/src/content/partials/magic-transit/mtu-mss/mtu-mss.mdx +++ b/src/content/partials/magic-transit/mtu-mss/mtu-mss.mdx @@ -75,7 +75,7 @@ Cloudflare only recommends applying a MSS clamp to adjust the size of TCP packet { props.magicProduct === "Magic Transit" && ( <> -

Asymmetric routing is a common scenario especially with Magic Transit. Ingress traffic from the Internet enters the Cloudflare network, then traverses a GRE tunnel (MTU of 1,476 bytes), and egress traffic from the datacenter is sent via Direct Server Return (DSR) over the Internet (MTU of 1,500 bytes).

+

Asymmetric routing is a common scenario especially with Magic Transit. Ingress traffic from the Internet enters the Cloudflare network, then traverses a GRE tunnel (MTU of 1,476 bytes), and egress traffic from the datacenter is sent via Direct Server Return (DSR) over the Internet (MTU of 1,500 bytes).

In an asymmetric scenario, we want to reduce the MSS value of packets sent by Magic Transit users to the Internet in order to reduce the size of packets sent from the Internet towards their network. To accomplish this, the configuration must be done either on the customer's end-hosts or through an MSS clamp on an intermediary device on the egress path of traffic leaving their network. How MSS values affect payload sizes on both routing paths is detailed below.

A diagram showing how MSS works with Magic Transit and Direct Server Return.

Key takeaway from the chart above: MSS clamping affects TCP packet payload sizes flowing in the opposite direction vs. where the clamp is applied.
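Review bot: as rendered here, the removed and added lines of this mtu-mss.mdx hunk are identical ("Asymmetric routing is a common scenario especially with Magic Transit. ..."), so the routing link this commit is meant to introduce is not visible in the + line; please confirm the intended markup is actually present, and that it is applied only to that first occurrence, since "routing" recurs two paragraphs later in "on both routing paths" and the rest of the series links a term once per page.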

diff --git a/src/content/partials/magic-transit/static-routes.mdx b/src/content/partials/magic-transit/static-routes.mdx index 1403f00bd01240..9036c0e4571daa 100644 --- a/src/content/partials/magic-transit/static-routes.mdx +++ b/src/content/partials/magic-transit/static-routes.mdx @@ -14,7 +14,7 @@ params: import { GlossaryTooltip, Markdown, AnchorHeading, Render, TabItem, Tabs } from "~/components"; :::note -If you are connecting to Cloudflare via a [Direct CNI connection](/network-interconnect/express-cni/), refer to BGP peering to learn how to take advantage of this routing protocol. If not, continue reading. +If you are connecting to Cloudflare via a [Direct CNI connection](/network-interconnect/express-cni/), refer to BGP peering to learn how to take advantage of this [routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/) protocol. If not, continue reading. ::: {props.productName} uses a static configuration to route your traffic through anycast tunnels from Cloudflare's global network to your locations. diff --git a/src/content/partials/magic-transit/tunnel-health/tunnel-health-checks.mdx b/src/content/partials/magic-transit/tunnel-health/tunnel-health-checks.mdx index 2739b4cd4c002c..d32b120b9c2536 100644 --- a/src/content/partials/magic-transit/tunnel-health/tunnel-health-checks.mdx +++ b/src/content/partials/magic-transit/tunnel-health/tunnel-health-checks.mdx 
@@ -28,7 +28,7 @@ A tunnel health check probe can have two possible directions — unidirectional #### Unidirectional -A unidirectional health check probe stays encapsulated in one direction and comes into the origin via the tunnel (from Cloudflare to the origin). The response comes back to Cloudflare unencapsulated and is routed outside of the tunnel following standard Internet routing. +A unidirectional health check probe stays encapsulated in one direction and comes into the origin via the tunnel (from Cloudflare to the origin). The response comes back to Cloudflare unencapsulated and is routed outside of the tunnel following standard Internet [routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/). The target defaults to the publicly routable origin specified as the `customer_endpoint` on the tunnel, if present. Otherwise, you can use a custom target. From b87909b50489d24f08a7873a467e4ea3fc3a30bf Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Wed, 19 Feb 2025 15:06:09 +0000 Subject: [PATCH 3/7] added packets --- src/content/docs/magic-transit/about.mdx | 2 +- src/content/docs/magic-transit/get-started.mdx | 2 +- src/content/docs/magic-transit/reference/egress.mdx | 2 +- src/content/docs/magic-wan/analytics/network-analytics.mdx | 2 +- .../configuration/connector/network-options/routed-subnets.mdx | 2 +- .../docs/magic-wan/configuration/connector/reference.mdx | 2 +- src/content/docs/magic-wan/get-started.mdx | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/content/docs/magic-transit/about.mdx b/src/content/docs/magic-transit/about.mdx index 7645fdab521c6d..554de1b9254e79 100644 --- a/src/content/docs/magic-transit/about.mdx +++ b/src/content/docs/magic-transit/about.mdx 
@@ -17,7 +17,7 @@ Magic Transit delivers its connectivity, security, and performance benefits by s The Cloudflare network uses [Border Gateway Protocol (BGP)](https://www.cloudflare.com/learning/security/glossary/what-is-bgp/) to announce your company's IP address space, extending your network presence globally, and anycast to ingest your traffic. Today, Cloudflare's anycast global network spans [hundreds of cities worldwide](https://www.cloudflare.com/network/). -Once packets hit Cloudflare's network, traffic is inspected for attacks, filtered, steered, accelerated, and sent onward to your origin. Magic Transit connects to your origin infrastructure using anycast Generic Routing Encapsulation (GRE) tunnels over the Internet or, with [Cloudflare Network Interconnect (CNI)](/network-interconnect/), via physical or virtual interconnect. +Once [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) hit Cloudflare's network, traffic is inspected for attacks, filtered, steered, accelerated, and sent onward to your origin. Magic Transit connects to your origin infrastructure using anycast Generic Routing Encapsulation (GRE) tunnels over the Internet or, with [Cloudflare Network Interconnect (CNI)](/network-interconnect/), via physical or virtual interconnect. Magic Transit users have two options for their implementation: ingress traffic or ingress and [egress traffic](/magic-transit/reference/egress/). Users with an egress implementation will need to set up policy-based routing (PBR) or ensure default routing on their end forwards traffic to Cloudflare via tunnels. diff --git a/src/content/docs/magic-transit/get-started.mdx b/src/content/docs/magic-transit/get-started.mdx index ce75dc044c94c5..3cd48f4ef20b2b 100644 --- a/src/content/docs/magic-transit/get-started.mdx +++ b/src/content/docs/magic-transit/get-started.mdx 
@@ -80,7 +80,7 @@ Refer to [Maximum transmission unit and maximum segment size](/magic-transit/ref #### Clear Do not fragment (DF) -If you are unable to set the MSS on your physical interfaces to a value lower than 1500 bytes, you can choose to clear the `do not fragment` bit in the IP header. When this option is enabled, Cloudflare fragments packets greater than 1500 bytes, and the packets are reassembled on your infrastructure after decapsulation. In most environments, enabling this option does not have significant impact on traffic throughput. +If you are unable to set the MSS on your physical interfaces to a value lower than 1500 bytes, you can choose to clear the `do not fragment` bit in the IP header. When this option is enabled, Cloudflare fragments [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) greater than 1500 bytes, and the packets are reassembled on your infrastructure after decapsulation. In most environments, enabling this option does not have significant impact on traffic throughput. To enable this option for your network, contact your account team. diff --git a/src/content/docs/magic-transit/reference/egress.mdx b/src/content/docs/magic-transit/reference/egress.mdx index 48eb38223e6543..522d33f801f6b8 100644 --- a/src/content/docs/magic-transit/reference/egress.mdx +++ b/src/content/docs/magic-transit/reference/egress.mdx 
@@ -6,7 +6,7 @@ title: Egress traffic If you have implemented Magic Transit with egress traffic, below is a list of technical aspects you need to consider to create a successful connection to Cloudflare. -- The source IP for packets you send to Cloudflare in the egress direction must be sourced from your Magic Transit prefix. If you are a customer with Magic Transit [leased IPs](/magic-transit/cloudflare-ips/) or a customer with [BYOIP](/byoip/) prefixes, you can choose whether to implement a NAT on your edge device, or use the prefix as a routed LAN interface on your side. +- The source IP for [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) you send to Cloudflare in the egress direction must be sourced from your Magic Transit prefix. If you are a customer with Magic Transit [leased IPs](/magic-transit/cloudflare-ips/) or a customer with [BYOIP](/byoip/) prefixes, you can choose whether to implement a NAT on your edge device, or use the prefix as a routed LAN interface on your side. - Cloudflare recommends that you create policy-based routing (PBR) rules to ensure that only traffic sourced from your BYOIP prefixes or Magic Transit leased IP addresses is sent via your GRE/IPsec tunnels to Cloudflare for egress to the Internet. Cloudflare will only accept egress traffic sourced from authorized prefixes. As such, your PBR policies need to align with this. If implementing PBR is not feasible and you need to implement a default-route via the Magic Transit tunnels, ensure the routes for your tunnel destination anycast IP's are routed via your underlay transit path. - You need a tunnel failure detection mechanism to re-route your PBR traffic. This is to ensure packets are re-routed if there is a failure in the upstream channel to Cloudflare. For example, you might configure your device to ping the other side of the tunnel or send a probe to an Internet website. 
When the probe returns with a failure response, you want your device to deprecate the PBR forwarding-path, and switch to a backup tunnel. Refer to your equipment's configuration guide to learn how to implement this. diff --git a/src/content/docs/magic-wan/analytics/network-analytics.mdx b/src/content/docs/magic-wan/analytics/network-analytics.mdx index 4164309bd07fed..b589267013f576 100644 --- a/src/content/docs/magic-wan/analytics/network-analytics.mdx +++ b/src/content/docs/magic-wan/analytics/network-analytics.mdx @@ -11,7 +11,7 @@ head: import { GlossaryTooltip, Render } from "~/components" -Magic WAN customers can view their real-time and historical network data in Network Analytics. Customers can see their network data in a time series that shows Magic WAN traffic (in packets or bytes) over time, and can filter the time series data by different types of packet characteristics. +Magic WAN customers can view their real-time and historical network data in Network Analytics. Customers can see their network data in a time series that shows Magic WAN traffic (in packets or bytes) over time, and can filter the time series data by different types of [packet](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) characteristics. To start using Network Analytics: diff --git a/src/content/docs/magic-wan/configuration/connector/network-options/routed-subnets.mdx b/src/content/docs/magic-wan/configuration/connector/network-options/routed-subnets.mdx index 87e77732d300cc..b093b49578be03 100644 --- a/src/content/docs/magic-wan/configuration/connector/network-options/routed-subnets.mdx +++ b/src/content/docs/magic-wan/configuration/connector/network-options/routed-subnets.mdx 
@@ -45,7 +45,7 @@ classDef red fill:#ff6900,color: black To add a routed subnet to your LAN, you need: -- **A prefix**: The subnet's CIDR prefix; Cloudflare will automatically install static routes to this prefix in our global network (to forward packets for this subnet to the right Connector), and in your Connector (to forward packets for this subnet to the right LAN interface). In the figure above, the routed subnet in the center has the prefix `192.168.200.0/24`. +- **A prefix**: The subnet's CIDR prefix; Cloudflare will automatically install static routes to this prefix in our global network (to forward [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) for this subnet to the right Connector), and in your Connector (to forward packets for this subnet to the right LAN interface). In the figure above, the routed subnet in the center has the prefix `192.168.200.0/24`. - **A next-hop address**: The address of the L3 router to which the Connector should forward packets for this subnet. In the figure, the routed subnet in the center has the next-hop address `192.168.100.10`. Optionally, you can also [enable NAT for a subnet](/magic-wan/configuration/connector/network-options/nat-subnet/) by providing a static overlay prefix. diff --git a/src/content/docs/magic-wan/configuration/connector/reference.mdx b/src/content/docs/magic-wan/configuration/connector/reference.mdx index e9267e30d31ce8..78f569965cc513 100644 --- a/src/content/docs/magic-wan/configuration/connector/reference.mdx +++ b/src/content/docs/magic-wan/configuration/connector/reference.mdx 
@@ -27,7 +27,7 @@ Magic WAN Connector software is certified for use on the [Dell Networking Virtua ## VLAN ID -This feature allows you to have multiple [virtual LANs](https://www.cloudflare.com/learning/network-layer/what-is-a-lan/) (VLANs) configured over the same physical port on your Magic WAN Connector. VLAN tagging adds an extra header to packets in order to identify which VLAN the packet belongs to and to route it appropriately. This effectively allows you to run multiple networks over the same physical port. +This feature allows you to have multiple [virtual LANs](https://www.cloudflare.com/learning/network-layer/what-is-a-lan/) (VLANs) configured over the same physical port on your Magic WAN Connector. VLAN tagging adds an extra header to [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) in order to identify which VLAN the packet belongs to and to route it appropriately. This effectively allows you to run multiple networks over the same physical port. A non-zero value set up for the VLAN ID field in your WAN/LAN is used to handle VLAN-tagged traffic. Cloudflare uses the VLAN ID to handle traffic coming into your Magic WAN Connector device, and applies a VLAN tag with the configured VLAN ID for traffic going out of your Connector through WAN/LAN. diff --git a/src/content/docs/magic-wan/get-started.mdx b/src/content/docs/magic-wan/get-started.mdx index 076b319c528e8c..7657153d3a02f7 100644 --- a/src/content/docs/magic-wan/get-started.mdx +++ b/src/content/docs/magic-wan/get-started.mdx 
@@ -38,7 +38,7 @@ The list of prerequisites below is only for customers planning to connect manual ### Use compatible tunnel endpoint routers -Magic WAN relies on GRE and IPsec tunnels to transmit packets from Cloudflare's global network to your origin network. To ensure compatibility with Magic WAN, the routers at your tunnel endpoints must: +Magic WAN relies on GRE and IPsec tunnels to transmit [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) from Cloudflare's global network to your origin network. To ensure compatibility with Magic WAN, the routers at your tunnel endpoints must: - Allow configuration of at least one tunnel per Internet service provider (ISP). - Support maximum segment size (MSS) clamping. From 29cb99f2d8e6ea31aad62eb2fdad48bdd090c52e Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Wed, 19 Feb 2025 15:08:54 +0000 Subject: [PATCH 4/7] added packets --- .../classic-cni/set-up/configure-bgp-bfd.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/network-interconnect/classic-cni/set-up/configure-bgp-bfd.mdx b/src/content/docs/network-interconnect/classic-cni/set-up/configure-bgp-bfd.mdx index 6ef59ef9590787..04bbbac2058ce3 100644 --- a/src/content/docs/network-interconnect/classic-cni/set-up/configure-bgp-bfd.mdx +++ b/src/content/docs/network-interconnect/classic-cni/set-up/configure-bgp-bfd.mdx 
@@ -28,7 +28,7 @@ Cloudflare v6: 2001:db8:12:3::7ac2:d64a/127 Acme: 2001:db8:12:3::7ac2:d64b/127 ``` -Assign the set of IPs to your connection. Next, perform a series of ping tests to ensure the connection is established. Although you may see the green connection from [configuring the cross-connect](/network-interconnect/classic-cni/set-up/configure-cross-connect/), the ping tests confirm packets are flowing over the link. +Assign the set of IPs to your connection. Next, perform a series of ping tests to ensure the connection is established. Although you may see the green connection from [configuring the cross-connect](/network-interconnect/classic-cni/set-up/configure-cross-connect/), the ping tests confirm [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) are flowing over the link. If you have a virtual link via Megaport, the IP provisioning may fail if you have not configured the VLAN with the VLAN provided by your Customer Success Manager. From 2102134cc9afd9f86c2292629e29d7401e55ab47 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Wed, 19 Feb 2025 15:10:56 +0000 Subject: [PATCH 5/7] added packets --- src/content/partials/magic-transit/legacy-hc-system.mdx | 2 +- .../partials/magic-transit/mtu-mss/mss-clamping-ipsec.mdx | 2 +- src/content/partials/magic-transit/mtu-mss/mtu-mss.mdx | 2 +- .../magic-transit/prerequisites/maximum-segment-size.mdx | 2 +- src/content/partials/magic-transit/traffic-steering.mdx | 2 +- .../magic-transit/tunnel-endpoints/bi-uni-health-checks.mdx | 2 +- .../magic-transit/tunnel-health/tunnel-health-checks.mdx | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/content/partials/magic-transit/legacy-hc-system.mdx b/src/content/partials/magic-transit/legacy-hc-system.mdx index fd8729843f5f51..76fff130e42da1 100644 --- a/src/content/partials/magic-transit/legacy-hc-system.mdx +++ b/src/content/partials/magic-transit/legacy-hc-system.mdx 
@@ -6,4 +6,4 @@ For customers using the legacy health check system with a public IP range, Cloudflare recommends: - Configuring the tunnel health check target IP address to one within the `172.64.240.252/30` prefix range. -- Applying a policy-based route that matches packets with a source IP address equal to the configured tunnel health check target (for example `172.64.240.253/32`), and route them over the tunnel back to Cloudflare. +- Applying a policy-based route that matches [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) with a source IP address equal to the configured tunnel health check target (for example `172.64.240.253/32`), and route them over the tunnel back to Cloudflare. diff --git a/src/content/partials/magic-transit/mtu-mss/mss-clamping-ipsec.mdx b/src/content/partials/magic-transit/mtu-mss/mss-clamping-ipsec.mdx index d05f89e39ef2f0..06eaefc758ee20 100644 --- a/src/content/partials/magic-transit/mtu-mss/mss-clamping-ipsec.mdx +++ b/src/content/partials/magic-transit/mtu-mss/mss-clamping-ipsec.mdx @@ -2,7 +2,7 @@ {} --- -For IPsec tunnels, the value you need to specify depends on how your network is set up. The MSS clamping value will be lower than for GRE tunnels, however, since the physical interface will see IPsec-encrypted packets, not TCP packets, and MSS clamping will not apply to those. +For IPsec tunnels, the value you need to specify depends on how your network is set up. The MSS clamping value will be lower than for GRE tunnels, however, since the physical interface will see IPsec-encrypted [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/), not TCP packets, and MSS clamping will not apply to those. - **Magic Transit ingress-only traffic (DSR):** diff --git a/src/content/partials/magic-transit/mtu-mss/mtu-mss.mdx b/src/content/partials/magic-transit/mtu-mss/mtu-mss.mdx index 8f47f8e6228120..326aa2ce3ce857 100644 --- a/src/content/partials/magic-transit/mtu-mss/mtu-mss.mdx 
+++ b/src/content/partials/magic-transit/mtu-mss/mtu-mss.mdx @@ -10,7 +10,7 @@ import dsr from "~/assets/images/magic-transit/mtu-mss/dsr.png" import tunnel from "~/assets/images/magic-transit/mtu-mss/tcp-mss.png" import mss_ipsec from "~/assets/images/magic-transit/mtu-mss/ipsec-mss.png" -{props.productName} has operation requirements that customers should know about to make sure their network works as intended. Customers should pay particular attention to the maximum transmission unit (MTU) and maximum segment size (MSS) values. The incorrect configuration of these values might lead to loss of performance or inability to deliver data packets. +{props.productName} has operation requirements that customers should know about to make sure their network works as intended. Customers should pay particular attention to the maximum transmission unit (MTU) and maximum segment size (MSS) values. The incorrect configuration of these values might lead to loss of performance or inability to deliver data [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/). ## MTU and MSS diff --git a/src/content/partials/magic-transit/prerequisites/maximum-segment-size.mdx b/src/content/partials/magic-transit/prerequisites/maximum-segment-size.mdx index 8ee354edf39852..faf0b52e5961bc 100644 --- a/src/content/partials/magic-transit/prerequisites/maximum-segment-size.mdx +++ b/src/content/partials/magic-transit/prerequisites/maximum-segment-size.mdx 
@@ -5,4 +5,4 @@ params: import { Markdown, Render } from "~/components"; -Cloudflare {props.productName} uses tunnels to deliver packets from our global network to your data centers. Cloudflare encapsulates these packets adding new headers. You must account for the space consumed by these headers when configuring the maximum transmission unit (MTU) and maximum segment size (MSS) values for your network. +Cloudflare {props.productName} uses tunnels to deliver [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) from our global network to your data centers. Cloudflare encapsulates these packets adding new headers. You must account for the space consumed by these headers when configuring the maximum transmission unit (MTU) and maximum segment size (MSS) values for your network. diff --git a/src/content/partials/magic-transit/traffic-steering.mdx b/src/content/partials/magic-transit/traffic-steering.mdx index a960b3f51387d1..747a1463088068 100644 --- a/src/content/partials/magic-transit/traffic-steering.mdx +++ b/src/content/partials/magic-transit/traffic-steering.mdx 
@@ -40,7 +40,7 @@ The use of ECMP routing provides load balancing across tunnels with routes of th ## Equal-cost multi-path routing -Equal-cost multi-path routing uses hashes calculated from packet data to determine the route chosen. The hash always uses the source and destination IP addresses. For TCP and UDP packets, the hash includes the source and destination ports as well. The ECMP algorithm divides the hash for each packet by the number of equal-cost next hops. The modulus (remainder) determines the route the packet takes. +Equal-cost multi-path routing uses hashes calculated from [packet](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) data to determine the route chosen. The hash always uses the source and destination IP addresses. For TCP and UDP packets, the hash includes the source and destination ports as well. The ECMP algorithm divides the hash for each packet by the number of equal-cost next hops. The modulus (remainder) determines the route the packet takes. Using ECMP has a number of consequences: diff --git a/src/content/partials/magic-transit/tunnel-endpoints/bi-uni-health-checks.mdx b/src/content/partials/magic-transit/tunnel-endpoints/bi-uni-health-checks.mdx index 514b65eb2ec5b1..123b0c35dbb9cb 100644 --- a/src/content/partials/magic-transit/tunnel-endpoints/bi-uni-health-checks.mdx +++ b/src/content/partials/magic-transit/tunnel-endpoints/bi-uni-health-checks.mdx 
@@ -5,6 +5,6 @@ params: import { Markdown } from "~/components"; -To check for tunnel health, Cloudflare sends a health check probe consisting of ICMP (Internet Control Message Protocol) reply packets to your network. Cloudflare needs to receive these probes to know if your tunnel is healthy. +To check for tunnel health, Cloudflare sends a health check probe consisting of ICMP (Internet Control Message Protocol) reply [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) to your network. Cloudflare needs to receive these probes to know if your tunnel is healthy. Cloudflare defaults to bidirectional health checks for Magic WAN, and unidirectional health checks for Magic Transit (direct server return). However, routing unidirectional ICMP reply packets over the Internet to Cloudflare is sometimes subject to drops by intermediate network devices, such as stateful firewalls. Magic Transit customers with egress traffic can modify this setting to bidirectional. diff --git a/src/content/partials/magic-transit/tunnel-health/tunnel-health-checks.mdx b/src/content/partials/magic-transit/tunnel-health/tunnel-health-checks.mdx index d32b120b9c2536..6d389fee22aaed 100644 --- a/src/content/partials/magic-transit/tunnel-health/tunnel-health-checks.mdx +++ b/src/content/partials/magic-transit/tunnel-health/tunnel-health-checks.mdx 
@@ -10,7 +10,7 @@ params: import { Render } from "~/components"; -A tunnel health check probe consists of an [ICMP (Internet Control Message Protocol)](https://www.cloudflare.com/learning/ddos/glossary/internet-control-message-protocol-icmp/) payload encapsulated in the protocol of the tunnel the probe is being conducted for. For example, if the tunnel is an IPsec tunnel, the ICMP packet is encrypted within the Encapsulating Security Payload (ESP) packet of the tunnel. +A tunnel health check probe consists of an [ICMP (Internet Control Message Protocol)](https://www.cloudflare.com/learning/ddos/glossary/internet-control-message-protocol-icmp/) payload encapsulated in the protocol of the tunnel the probe is being conducted for. For example, if the tunnel is an IPsec tunnel, the ICMP [packet](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) is encrypted within the Encapsulating Security Payload (ESP) packet of the tunnel. A tunnel health check probe comes from Cloudflare to the tunnel origin, then returns a response to Cloudflare. This response is used to determine the outcome of the probe, which is used to calculate the state of the tunnel (this is explained in greater detail below). From 3cf4ab7dd8fa866783fe4bff9a0ba46d082bf3a4 Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Wed, 19 Feb 2025 15:52:05 +0000 Subject: [PATCH 6/7] links to packets --- src/content/partials/magic-wan/analytics/traceroutes.mdx | 2 +- src/content/partials/magic-wan/anti-replay-protection.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/partials/magic-wan/analytics/traceroutes.mdx b/src/content/partials/magic-wan/analytics/traceroutes.mdx index dd028cdeed63f1..08d49129f605ca 100644 --- a/src/content/partials/magic-wan/analytics/traceroutes.mdx +++ b/src/content/partials/magic-wan/analytics/traceroutes.mdx 
@@ -18,6 +18,6 @@ You can access detailed data from the traceroute, including: - TTL Host - AS Number -- Packets sent in the traceroute +- [Packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) sent in the traceroute - Average, minimum, and maximum latency - Standard deviation of latency diff --git a/src/content/partials/magic-wan/anti-replay-protection.mdx b/src/content/partials/magic-wan/anti-replay-protection.mdx index e8b6ce10dd6678..c03be9dcdde570 100644 --- a/src/content/partials/magic-wan/anti-replay-protection.mdx +++ b/src/content/partials/magic-wan/anti-replay-protection.mdx @@ -12,7 +12,7 @@ Refer to Add tunnels to learn how to set up repl ## Replay attacks -Replay attacks occur when a malicious actor intercepts and records a packet, and later sends the recorded packet to the target network again with an intent that benefits the attacker. +Replay attacks occur when a malicious actor intercepts and records a [packet](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/), and later sends the recorded packet to the target network again with an intent that benefits the attacker. ### Example From 2e65e06818c223492948c36cdb545ee50d7c10ca Mon Sep 17 00:00:00 2001 From: marciocloudflare Date: Wed, 19 Feb 2025 15:56:36 +0000 Subject: [PATCH 7/7] removed extra link --- src/content/docs/magic-transit/how-to/advertise-prefixes.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx b/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx index 78731acdcd6c54..c6ccf3ad1a4907 100644 --- a/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx +++ b/src/content/docs/magic-transit/how-to/advertise-prefixes.mdx 
@@ -96,7 +96,7 @@ If you use Direct CNI as a way to on-ramp your network traffic to Magic Transit, ### Regional settings -Magic Transit requires static [routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/) to steer traffic from Cloudflare's network over one of your configured tunnel off-ramps (for GRE and IPsec tunnels). For CNI, both static routing and [BGP](/magic-transit/how-to/bgp-peering/) options are available. Currently, advertisement of routes for traffic engineering purposes is not supported. As a best practice to reduce last-hop latency, you should consider scoping your routes regionally. The default setting for static route regions is **All Regions**. Refer to [Configure static routes](/magic-transit/how-to/configure-static-routes/) for more information. +Magic Transit requires static routing to steer traffic from Cloudflare's network over one of your configured tunnel off-ramps (for GRE and IPsec tunnels). For CNI, both static routing and [BGP](/magic-transit/how-to/bgp-peering/) options are available. Currently, advertisement of routes for traffic engineering purposes is not supported. As a best practice to reduce last-hop latency, you should consider scoping your routes regionally. The default setting for static route regions is **All Regions**. Refer to [Configure static routes](/magic-transit/how-to/configure-static-routes/) for more information. ## Example router configurations
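Review bot: In the "Equal-cost multi-path routing" hunk (PATCH 1/7, `@@ -40,7 +40,7 @@`), the linked sentence is the only change, but its last two sentences read as if the division result selects the route: "divides the hash for each packet by the number of equal-cost next hops. The modulus (remainder) determines the route the packet takes." Since the hunk is already being touched, consider "takes the hash modulo the number of equal-cost next hops; the remainder selects the route", which states the same algorithm unambiguously. Also note the heading context "The use of ECMP routing" leaves "routing" unlinked here while PATCH 1/7 links it elsewhere; decide whether the learning-center link goes on first mention per page and apply that rule consistently.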
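Review bot: In the `bi-uni-health-checks.mdx` hunk (`@@ -5,6 +5,6 @@`), "ICMP (Internet Control Message Protocol)" is spelled out without a link, whereas the `tunnel-health-checks.mdx` hunk in the same series links the same term to the ICMP glossary page. Both partials render on the same product pages, so use the same `[ICMP (Internet Control Message Protocol)](https://www.cloudflare.com/learning/ddos/glossary/internet-control-message-protocol-icmp/)` link here as well, otherwise readers get the glossary link on one paragraph and not on the one that explains why unidirectional ICMP replies are dropped by stateful firewalls.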
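Review bot: In the `tunnel-health-checks.mdx` hunk (`@@ -10,7 +10,7 @@`), the new link lands on "packet" in the second sentence, while the first sentence calls the same probe an "ICMP ... payload encapsulated in the protocol of the tunnel". Pick one term: either the probe is an ICMP packet that is encapsulated (then link "packet" on the first mention), or it is a payload inside the tunnel packet (then the ESP sentence should say the ICMP payload is encrypted within the ESP packet). Mixed terminology in two adjacent sentences is what the link is trying to clarify.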
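Review bot: In the `traceroutes.mdx` hunk (`@@ -18,6 +18,6 @@`), the link is placed on a bulleted field name ("Packets sent in the traceroute") in a list of reported fields whose other entries (TTL Host, AS Number, latency figures) are plain text. A linked field label reads as a different kind of item; prefer leaving the bullet plain and linking "packet" in the introductory prose of that page instead, or linking none of the field names.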
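Review bot: In the `anti-replay-protection.mdx` hunk (`@@ -12,7 +12,7 @@`), the linked definition ends with "with an intent that benefits the attacker", which says nothing about what the replay achieves. Since the line is being edited anyway, state the point of the attack, for example "so that the target accepts the stale packet as if it were new, legitimate traffic", which is exactly what the anti-replay window on the tunnel prevents. Also, this is a partial rendered into several pages, so the one-link-per-page rule applied in PATCH 7/7 cannot be guaranteed from inside the partial; confirm the including pages do not already carry the "packet" link.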
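Review bot: In the `advertise-prefixes.mdx` hunk (PATCH 7/7, `@@ -96,7 +96,7 @@`), the routing link is dropped from the "Regional settings" sentence on the grounds that it is an "extra link", but this series only shows that PATCH 1/7 touched the same file, not where. Confirm the retained `[routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/)` link sits above line 96 in that file so the page still links the term on first mention; if it sits below, this hunk moves the link to a later mention rather than removing a duplicate.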