Expand Up @@ -9,7 +9,7 @@ head:
content: Magic Network Monitoring encrypt network flow data
---

Customers can encrypt the network flow data sent from their router to Cloudflare by routing their network flow traffic through a device running the WARP client. Then, encrypted network flow traffic can be forwarded from the WARP enabled device to Cloudflare's network flow endpoints.
Customers can encrypt the network flow data sent from their router to Cloudflare by [routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/) their network flow traffic through a device running the WARP client. Then, encrypted network flow traffic can be forwarded from the WARP enabled device to Cloudflare's network flow endpoints.

To learn more about the WARP client, and to install the WARP client on Linux, macOS, or Windows, you can visit the [WARP client documentation](/cloudflare-one/connections/connect-devices/warp/).

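Review bot: "WARP enabled device" on the changed line should be hyphenated as "WARP-enabled device" since it is a compound modifier; as the line is already being touched for the routing link, fix it in the same change. The routing link itself matches the learning-center URL used elsewhere in this PR.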
2 changes: 1 addition & 1 deletion src/content/docs/magic-transit/about.mdx
Expand Up @@ -17,7 +17,7 @@ Magic Transit delivers its connectivity, security, and performance benefits by s

The Cloudflare network uses [Border Gateway Protocol (BGP)](https://www.cloudflare.com/learning/security/glossary/what-is-bgp/) to announce your company's IP address space, extending your network presence globally, and <GlossaryTooltip term="anycast" link="https://www.cloudflare.com/learning/cdn/glossary/anycast-network/">anycast</GlossaryTooltip> to ingest your traffic. Today, Cloudflare's anycast global network spans [hundreds of cities worldwide](https://www.cloudflare.com/network/).

Once packets hit Cloudflare's network, traffic is inspected for attacks, filtered, <GlossaryTooltip term="traffic steering">steered</GlossaryTooltip>, accelerated, and sent onward to your origin. Magic Transit connects to your origin infrastructure using anycast <GlossaryTooltip term="GRE tunnel">Generic Routing Encapsulation (GRE)</GlossaryTooltip> tunnels over the Internet or, with [Cloudflare Network Interconnect (CNI)](/network-interconnect/), via physical or virtual interconnect.
Once [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) hit Cloudflare's network, traffic is inspected for attacks, filtered, <GlossaryTooltip term="traffic steering">steered</GlossaryTooltip>, accelerated, and sent onward to your origin. Magic Transit connects to your origin infrastructure using anycast <GlossaryTooltip term="GRE tunnel">Generic Routing Encapsulation (GRE)</GlossaryTooltip> tunnels over the Internet or, with [Cloudflare Network Interconnect (CNI)](/network-interconnect/), via physical or virtual interconnect.

Magic Transit users have two options for their implementation: ingress traffic or ingress and [egress traffic](/magic-transit/reference/egress/). Users with an egress implementation will need to set up <GlossaryTooltip term="policy-based routing">policy-based routing (PBR)</GlossaryTooltip> or ensure default routing on their end forwards traffic to Cloudflare via tunnels.

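Review bot: The `<GlossaryTooltip term="GRE tunnel">` on the changed line carries no `link` attribute, while the Magic WAN get-started hunk in this PR uses `link="/magic-wan/reference/tunnels/"` for the same term; if Magic Transit has an equivalent tunnels reference page, linking it here would match that pattern and give readers a path beyond the tooltip.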
4 changes: 2 additions & 2 deletions src/content/docs/magic-transit/get-started.mdx
Expand Up @@ -80,7 +80,7 @@ Refer to [Maximum transmission unit and maximum segment size](/magic-transit/ref

#### Clear Do not fragment (DF)

If you are unable to set the MSS on your physical interfaces to a value lower than 1500 bytes, you can choose to clear the `do not fragment` bit in the IP header. When this option is enabled, Cloudflare fragments packets greater than 1500 bytes, and the packets are reassembled on your infrastructure after decapsulation. In most environments, enabling this option does not have significant impact on traffic throughput.
If you are unable to set the MSS on your physical interfaces to a value lower than 1500 bytes, you can choose to clear the `do not fragment` bit in the IP header. When this option is enabled, Cloudflare fragments [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) greater than 1500 bytes, and the packets are reassembled on your infrastructure after decapsulation. In most environments, enabling this option does not have significant impact on traffic throughput.

To enable this option for your network, contact your account team.

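Review bot: The inline code `do not fragment` on the changed line does not match the heading "Clear Do not fragment (DF)" directly above it; since it is not a literal token, write it in prose as "the Do not fragment (DF) bit" and reuse "DF" afterwards, consistent with the heading. The packets link is fine.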
Expand Down Expand Up @@ -109,7 +109,7 @@ Once pre-flight checks are completed, Cloudflare will unlock your <GlossaryToolt
If you are using a Cloudflare IP, you do not need to advertise your prefixes.

:::caution[Important]
You must [put the appropriate MSS clamps](#set-maximum-segment-size) in place before routing changes are made. Failure to apply an MSS clamp can result in dropped packets and hard-to-debug connectivity issues.
You must [put the appropriate MSS clamps](#set-maximum-segment-size) in place before [routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/) changes are made. Failure to apply an MSS clamp can result in dropped packets and hard-to-debug connectivity issues.

Also, when using [Cloudflare Network Interconnect](/magic-transit/network-interconnect/) with Magic Transit you must set the following MSS clamp sizes to accommodate additional overhead:

Expand Up @@ -11,7 +11,7 @@ Cloudflare measures the Magic Transit <GlossaryTooltip term="prefix">prefix</Glo

List all prefixes and the [autonomous systems (ASNs)](https://www.cloudflare.com/learning/network-layer/what-is-an-autonomous-system/) where they should originate. When specifying prefixes, observe these guidelines:

- Prefixes must support at least 256 hosts (`/24` in classless inter-domain routing CIDR notation). Refer to [Use a Cloudflare IP](/magic-transit/cloudflare-ips/) if you do not meet the `/24` prefix length requirement.
- Prefixes must support at least 256 hosts (`/24` in classless inter-domain [routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/) CIDR notation). Refer to [Use a Cloudflare IP](/magic-transit/cloudflare-ips/) if you do not meet the `/24` prefix length requirement.
- Internet Routing Registry entries and <GlossaryTooltip term="letter of agency">Letters of Agency (LOA)</GlossaryTooltip> must match the prefixes and originating prefixes you submit to Cloudflare.
- When using contiguous prefixes, specify aggregate prefixes where possible.
- When using Route Origin Authorizations (ROAs) to sign routes for [resource public key infrastructure (RPKI)](https://tools.ietf.org/html/rfc8210), the prefix and originating ASN must match the onboarding submission.
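Review bot: On the changed line the link splits the acronym expansion, so it reads "classless inter-domain routing CIDR notation"; either link the whole term and parenthesise the acronym, e.g. `(`/24` in [classless inter-domain routing (CIDR)](https://www.cloudflare.com/learning/network-layer/what-is-routing/) notation)`, or leave the expansion unlinked, since the linked page covers routing in general rather than CIDR. Separately, the unchanged bullet below reads "must match the prefixes and originating prefixes you submit"; given the ROA bullet that follows ("the prefix and originating ASN must match"), the second term is presumably "originating ASNs".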
2 changes: 1 addition & 1 deletion src/content/docs/magic-transit/reference/egress.mdx
Expand Up @@ -6,7 +6,7 @@ title: Egress traffic

If you have implemented Magic Transit with egress traffic, below is a list of technical aspects you need to consider to create a successful connection to Cloudflare.

- The source IP for packets you send to Cloudflare in the egress direction must be sourced from your Magic Transit prefix. If you are a customer with Magic Transit [leased IPs](/magic-transit/cloudflare-ips/) or a customer with [BYOIP](/byoip/) prefixes, you can choose whether to implement a NAT on your edge device, or use the prefix as a routed LAN interface on your side.
- The source IP for [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) you send to Cloudflare in the egress direction must be sourced from your Magic Transit prefix. If you are a customer with Magic Transit [leased IPs](/magic-transit/cloudflare-ips/) or a customer with [BYOIP](/byoip/) prefixes, you can choose whether to implement a NAT on your edge device, or use the prefix as a routed LAN interface on your side.
- Cloudflare recommends that you create policy-based routing (PBR) rules to ensure that only traffic sourced from your BYOIP prefixes or Magic Transit leased IP addresses is sent via your GRE/IPsec tunnels to Cloudflare for egress to the Internet. Cloudflare will only accept egress traffic sourced from authorized prefixes. As such, your PBR policies need to align with this.
If implementing PBR is not feasible and you need to implement a default-route via the Magic Transit tunnels, ensure the routes for your tunnel destination anycast IP's are routed via your underlay transit path.
- You need a tunnel failure detection mechanism to re-route your PBR traffic. This is to ensure packets are re-routed if there is a failure in the upstream channel to Cloudflare. For example, you might configure your device to ping the other side of the tunnel or send a probe to an Internet website. When the probe returns with a failure response, you want your device to deprecate the PBR forwarding-path, and switch to a backup tunnel. Refer to your equipment's configuration guide to learn how to implement this.
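Review bot: The unchanged continuation line "If implementing PBR is not feasible..." is not indented under its bullet, so it only renders as part of the PBR item through lazy continuation; indent it two spaces so the intent is explicit. On the same line, "IP's" should be "IPs" and "default-route" needs no hyphen as a noun. The packets link on the changed line is fine.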
Expand Up @@ -11,7 +11,7 @@ head:

import { GlossaryTooltip, Render } from "~/components"

Magic WAN customers can view their real-time and historical network data in Network Analytics. Customers can see their network data in a time series that shows Magic WAN traffic (in <GlossaryTooltip term="data packet">packets</GlossaryTooltip> or bytes) over time, and can filter the time series data by different types of packet characteristics.
Magic WAN customers can view their real-time and historical network data in Network Analytics. Customers can see their network data in a time series that shows Magic WAN traffic (in <GlossaryTooltip term="data packet">packets</GlossaryTooltip> or bytes) over time, and can filter the time series data by different types of [packet](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) characteristics.

To start using Network Analytics:

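Review bot: The changed line now marks "packet(s)" twice in one sentence with two different mechanisms: a `<GlossaryTooltip term="data packet">` earlier in the sentence and the learning-center link on "packet characteristics". Pick one so readers do not see two treatments of the same term; the tooltip is the pattern this file already uses, so the new link could be dropped here or moved to a sentence that has no tooltip.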
Expand Up @@ -30,7 +30,7 @@ accTitle: In this example, the applications go directly to the Internet, skippin
_In the graph above, Applications 1 and 2 are configured to bypass Cloudflare's security filtering, and go straight to the Internet_

:::note[A note on security]
We recommend routing all traffic through our global network for comprehensive security filtering and access controls. However, there may be specific cases where you want a subset of traffic to bypass Cloudflare's security filtering and route it directly to the Internet. You can scope this breakout traffic to specific applications from the Cloudflare dashboard.
We recommend [routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/) all traffic through our global network for comprehensive security filtering and access controls. However, there may be specific cases where you want a subset of traffic to bypass Cloudflare's security filtering and route it directly to the Internet. You can scope this breakout traffic to specific applications from the Cloudflare dashboard.

Refer to [Traffic steering](/magic-wan/reference/traffic-steering/) to learn how Cloudflare routes traffic.
:::
Expand Up @@ -45,7 +45,7 @@ classDef red fill:#ff6900,color: black

To add a routed subnet to your LAN, you need:

- **A prefix**: The subnet's CIDR prefix; Cloudflare will automatically install static routes to this prefix in our global network (to forward packets for this subnet to the right Connector), and in your Connector (to forward packets for this subnet to the right LAN interface). In the figure above, the routed subnet in the center has the prefix `192.168.200.0/24`.
- **A prefix**: The subnet's CIDR prefix; Cloudflare will automatically install static routes to this prefix in our global network (to forward [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) for this subnet to the right Connector), and in your Connector (to forward packets for this subnet to the right LAN interface). In the figure above, the routed subnet in the center has the prefix `192.168.200.0/24`.
- **A next-hop address**: The address of the L3 router to which the Connector should forward packets for this subnet. In the figure, the routed subnet in the center has the next-hop address `192.168.100.10`.

Optionally, you can also [enable NAT for a subnet](/magic-wan/configuration/connector/network-options/nat-subnet/) by providing a static overlay prefix.
Expand Up @@ -27,7 +27,7 @@ Magic WAN Connector software is certified for use on the [Dell Networking Virtua

## VLAN ID

This feature allows you to have multiple [virtual LANs](https://www.cloudflare.com/learning/network-layer/what-is-a-lan/) (VLANs) configured over the same physical port on your Magic WAN Connector. VLAN tagging adds an extra header to packets in order to identify which VLAN the packet belongs to and to route it appropriately. This effectively allows you to run multiple networks over the same physical port.
This feature allows you to have multiple [virtual LANs](https://www.cloudflare.com/learning/network-layer/what-is-a-lan/) (VLANs) configured over the same physical port on your Magic WAN Connector. VLAN tagging adds an extra header to [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) in order to identify which VLAN the packet belongs to and to route it appropriately. This effectively allows you to run multiple networks over the same physical port.

A non-zero value set up for the VLAN ID field in your WAN/LAN is used to handle VLAN-tagged traffic. Cloudflare uses the VLAN ID to handle traffic coming into your Magic WAN Connector device, and applies a VLAN tag with the configured VLAN ID for traffic going out of your Connector through WAN/LAN.

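Review bot: With this change the paragraph carries two learning-center links in adjacent sentences ("virtual LANs" and now "packets"); the VLAN link is the one that matters for this section. Consider leaving "packets" unlinked here, or using the `<GlossaryTooltip term="data packet">` form that the Magic WAN analytics file in this PR uses, so the VLAN link stays prominent.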
2 changes: 1 addition & 1 deletion src/content/docs/magic-wan/get-started.mdx
Expand Up @@ -38,7 +38,7 @@ The list of prerequisites below is only for customers planning to connect manual

### Use compatible tunnel endpoint routers

Magic WAN relies on <GlossaryTooltip term="GRE tunnel" link="/magic-wan/reference/tunnels/">GRE</GlossaryTooltip> and <GlossaryTooltip term="IPsec tunnel" link="/magic-wan/reference/tunnels/#ipsec-tunnels">IPsec tunnels</GlossaryTooltip> to transmit packets from Cloudflare's global network to your origin network. To ensure compatibility with Magic WAN, the routers at your tunnel endpoints must:
Magic WAN relies on <GlossaryTooltip term="GRE tunnel" link="/magic-wan/reference/tunnels/">GRE</GlossaryTooltip> and <GlossaryTooltip term="IPsec tunnel" link="/magic-wan/reference/tunnels/#ipsec-tunnels">IPsec tunnels</GlossaryTooltip> to transmit [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) from Cloudflare's global network to your origin network. To ensure compatibility with Magic WAN, the routers at your tunnel endpoints must:

- Allow configuration of at least one tunnel per Internet service provider (ISP).
- Support <GlossaryTooltip term="maximum segment size (MSS)">maximum segment size (MSS)</GlossaryTooltip> clamping.
2 changes: 1 addition & 1 deletion src/content/docs/magic-wan/index.mdx
Expand Up @@ -25,7 +25,7 @@ import {

<Plan type="enterprise" />

Magic WAN provides secure, performant connectivity and routing for your entire corporate networking, reducing cost and operation complexity. [Magic Firewall](/magic-firewall/) integrates smoothly with Magic WAN, enabling you to enforce network firewall policies at Cloudflare's global network, across traffic from any entity within your network.
Magic WAN provides secure, performant connectivity and [routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/) for your entire corporate networking, reducing cost and operation complexity. [Magic Firewall](/magic-firewall/) integrates smoothly with Magic WAN, enabling you to enforce network firewall policies at Cloudflare's global network, across traffic from any entity within your network.

With Magic WAN, you can securely connect any traffic source - data centers, offices, devices, cloud properties - to Cloudflare's network and configure routing policies to get the bits where they need to go, all within one SaaS solution.

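Review bot: The context on the changed line reads "connectivity and routing for your entire corporate networking"; "networking" should be "network" (the thing being connected). The unchanged sentence below uses spaced hyphens " - " as dashes around "data centers, offices, devices, cloud properties", which render as plain hyphens; commas or parentheses would be cleaner.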
Expand Up @@ -28,7 +28,7 @@ Cloudflare v6: 2001:db8:12:3::7ac2:d64a/127
Acme: 2001:db8:12:3::7ac2:d64b/127
```

Assign the set of IPs to your connection. Next, perform a series of ping tests to ensure the connection is established. Although you may see the green connection from [configuring the cross-connect](/network-interconnect/classic-cni/set-up/configure-cross-connect/), the ping tests confirm packets are flowing over the link.
Assign the set of IPs to your connection. Next, perform a series of ping tests to ensure the connection is established. Although you may see the green connection from [configuring the cross-connect](/network-interconnect/classic-cni/set-up/configure-cross-connect/), the ping tests confirm [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) are flowing over the link.

If you have a virtual link via Megaport, the IP provisioning may fail if you have not configured the VLAN with the VLAN provided by your Customer Success Manager.

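Review bot: The unchanged context line "if you have not configured the VLAN with the VLAN provided by your Customer Success Manager" repeats "VLAN" and is hard to parse; "if you have not configured the VLAN ID provided by your Customer Success Manager" says what is meant, assuming it is the VLAN ID that is handed over. The packets link on the changed line is fine.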
2 changes: 1 addition & 1 deletion src/content/partials/magic-transit/legacy-hc-system.mdx
Expand Up @@ -6,4 +6,4 @@
For customers using the legacy health check system with a public IP range, Cloudflare recommends:

- Configuring the tunnel health check target IP address to one within the `172.64.240.252/30` prefix range.
- Applying a policy-based route that matches packets with a source IP address equal to the configured tunnel health check target (for example `172.64.240.253/32`), and route them over the tunnel back to Cloudflare.
- Applying a policy-based route that matches [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) with a source IP address equal to the configured tunnel health check target (for example `172.64.240.253/32`), and route them over the tunnel back to Cloudflare.
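Review bot: The verbs on the changed line do not agree: "a policy-based route that matches packets ... and route them over the tunnel" should read "and routes them" to match "matches". The example value is consistent with the preceding bullet, since `172.64.240.253/32` lies within `172.64.240.252/30`.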
Expand Up @@ -2,7 +2,7 @@
{}
---

For IPsec tunnels, the value you need to specify depends on how your network is set up. The MSS clamping value will be lower than for GRE tunnels, however, since the physical interface will see IPsec-encrypted packets, not TCP packets, and MSS clamping will not apply to those.
For IPsec tunnels, the value you need to specify depends on how your network is set up. The MSS clamping value will be lower than for GRE tunnels, however, since the physical interface will see IPsec-encrypted [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/), not TCP packets, and MSS clamping will not apply to those.

- **Magic Transit ingress-only traffic (DSR):**

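Review bot: The changed sentence is hard to follow because "however" sits mid-clause and the reason trails after the link. Splitting it keeps the same claim and reads more clearly: "However, the MSS clamping value will be lower than for GRE tunnels: the physical interface sees IPsec-encrypted packets rather than TCP packets, so MSS clamping does not apply at that interface."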