Verify IRR entries
Verify your Internet Routing Registry (IRR) entries to ensure that the IP prefixes Cloudflare advertises for you match the correct autonomous system numbers (ASNs).
Each IRR entry record must include the following information:
- Route: Each IP prefix Cloudflare advertises for you.
- Origin ASN: Your ASN, or if you do not have your own ASN, the Cloudflare ASN (AS209242).
- Source: The name of the routing registry, for example, AFRINIC, APNIC, ARIN, RADB, RIPE, or NTT.
Add or update IRR entries
- The entry is missing.
- The entry is incomplete or inaccurate — for example, when the route object does not show the correct origin.
- The entry is complete but requires updating — for example, when they correspond to supernets but need to correspond to subnets used in Magic Transit.
Verify IRR entries for exact prefixes
You are strongly encouraged to verify IRR entries for the exact prefixes you’ll be onboarding with Cloudflare. However, IRR entries for less specific prefixes are acceptable as long as you understand and accept the following risk: if you modify your IRR entries in the future (for example, by changing your ASN) and the IRR entry for the supernet no longer matches the prefix/origin mapping in your Magic Transit configuration, the prefix will have reduced reachability due to networks Cloudflare peers with automatically filtering the prefix. Having more-specific IRR entries helps minimize (but not entirely remove) this risk.
IRR entry verification methods
To verify your prefix and ASN route, use the tools and methods outlined in this table:
|Data to verify||Tool||Method||Output|
|Subnet prefix IP|
for the ASN
|IRR Explorer||Search for the subnet prefix IP, for example, 22.214.171.124/24.||List of ASN numbers, source (route registry), and any associated errors.|
|ASN for the|
|IRR Explorer||Search for the ASN, for example AS209242.||List of prefixes, source, and any associated errors.|
|Your origin ASN|
and routing data
In a terminal, use this
|IRR route, origin, and source information.|
WHOIS output example
<IRR entry section> in the WHOIS output shows the correct IRR entry information for the specified network. In this example, the network prefix is 126.96.36.199/24, and the output includes the route, origin ASN, and route registry, which in this example is APNIC:
[email protected] conduit-qs-config % whois -h rr.ntt.net 188.8.131.52/24route: 184.108.40.206/24<RPKI section>descr: RPKI ROA for 220.127.116.11/24remarks: This route object represents routing data retrieved from the RPKIremarks: The original data can be found here: https://rpki.gin.ntt.net/r/AS13335/18.104.22.168/24remarks: This route object is the result of an automated RPKI-to-IRR conversion process.remarks: maxLength 24origin: AS13335mnt-by: MAINT-NTTCOM-RPKIchanged: [email protected] 20200913source: RPKI # Trust Anchor: apnic<IRR entry section>route: 22.214.171.124/24origin: AS13335descr: APNIC Research and Development6 Cordelia Stmnt-by: MAINT-AU-APNIC-GM85-APlast-modified: 2018-03-16T16:58:06Zsource: APNIC