You must meet the following onboarding requirements before using Magic Transit.
Use compatible tunnel endpoint routers
Magic Transit relies on Generic Routing Encapsulation (GRE) tunnels to transmit packets from Cloudflare’s edge to your origin network.
The routers at your GRE tunnel endpoints must meet the following requirements to ensure compatibility with Magic Transit.
- Support GRE tunneling.
- Allow configuration of at least one tunnel per Internet service provider (ISP).
- Support maximum segment size (MSS) clamping.
Draft Letter of Authorization
Draft a that identifies the prefixes you want to advertise and gives Cloudflare permission to announce them. The LOA is required by Cloudflare's transit providers so they can accept the routes Cloudflare advertises on your behalf. See this for an example.
Verify Internet Routing Registry entries
Verify your Internet Routing Registry (IRR) entries match corresponding origin autonomous system numbers (ASNs) to ensure Magic Transit routes traffic to the correct autonomous systems (AS). For guidance, refer to .
Set maximum segment size
The SYN-ACK packet sent to the client during TCP handshake encodes the value for maximum segment size (MSS). Egress packets are routed via your ISP interface, and each packet must comply with the standard Internet routable maximum transmission unit (MTU), which is 1500 bytes.
Cloudflare uses GRE tunnels to deliver packets from our edge to your data centers, while Cloudflare Magic Transit encapsulates these packets, adding a new IP header and GRE protocol header.
You must set the MSS value to 1436 bytes at your physical egress interfaces — not the GRE tunnel interfaces — to accommodate the additional header data. If you are using IPsec inside GRE, you will need to lower your MSS value to 1360 bytes or lower at your physical egress interfaces.
|Standard Internet routable MTU||1500 bytes|
|-||Original IP header||20 bytes|
|-||Original protocol header (TCP)||20 bytes|
|-||New IP header||20 bytes|
|-||New protocol header (GRE)||4 bytes|
|=||Maximum segment size (MSS)||1436 bytes|
Unless you apply these MSS settings at the origin, client machines do not know that they must use an MSS of 1436 bytes when sending packets to your origin.
Follow router vendor guidelines
Instructions to adjust MSS by applying MSS clamps vary depending on the vendor of your router.
The following table lists several commonly used router vendors with links to MSS clamping instructions:
Verify MSS settings at your origin
Run the following command on the servers egressing the prefixes you want to add to Magic Transit to verify that your routers have the correct MSS setting (1436 bytes) at your origin.
$ curl 220.127.116.11:8080
You should see the following result:
Local: 18.104.22.168:8080Remote: 22.214.171.124:44108Local MSS: 1436Remote MSS: 1436