Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

DC Flow Analyzer

The DC Flow Analyzer (DFA) feature provides dynamic, hardware-assisted, per‑flow visibility on the switch. The DFA also helps track RDMA ROCEv2 flow destination queue pair information in Junos OS Evolved and other AI DC workloads. The DFA learns flows over time based on a pre-defined tuple (source address, destination address, IP protocol version, ingress interface, Layer 4 source port, Layer 4 destination port, EtherType, and destination queue pair). This feature also tracks counters for each learned flow.

Overview

You define a DFA profile with the pre-defined flow tuple and aging timer. You use firewall filter terms for family inet or family inet6 to match the traffic of interest and then apply the flow-analyzer action using the profile name. The default action of the flow analyzer profile is count. Flow learning occurs at existing ingress filter bind points.

Each unique tuple match is learned as an individual flow with its own counter. Flows age out based on the global aging timer.

To enable this feature, you configure the flow analyzer statement at the [edit] hierarchy level, and specify the flow analyzer profile name as an action for a configured firewall filter. You also need to reserve space in the unified forwarding table (UFT) with the forwarding-profile flow-profile statement at the [edit packet-forwarding-options hierarchy level. To view information about the learned flows, use the show flow table command.

Benefits

  • Per-flow visibility on the switch for IPv4 and IPv6 traffic, including both forwarded and dropped flows, to speed troubleshooting and incident triage.

  • Configurable aging time that automatically removes inactive flows and keeps the flow database current without manual cleanups.

  • In AI-ML training networks, most traffic uses Remote Direct Memory Access (RDMA) over Converged Ethernet version 2 (RoCEv2) for transport. In a network that uses RoCEv2 for application traffic transport, an RDMA connection sends traffic on a send queue and receives traffic on a receive queue. These queues form the RDMA connection. Together, the send queue and receive queue are referred to as a queue pair. Each queue pair has an identifiable prefix. ROCEv2 uses the destination queue pair as the flow identification field. Using the DFA, you can verify the destination queue pairs for an AI workload at line rate, instead of using sFlow or port mirroring.

Limitations and Caveats

The DFA feature has the following limitations and caveats:

  • The DFA feature only works with the flow-profile forwarding profile. This profile reserves half of the UFT banks. Therefore, longest prefix match (LPM) and route scale are heavily impacted.

  • Enabling flow-profile also allocates flex counters (for example, per-pipe reservations). This reservation can reduce counter availability for other features that share flex counters.

  • 8000 flows is the maximum number of flows that the software can learn across 2 pipes. All 8000 flows can be learned on one pipe; if this occurs, ports on the other pipe cannot learn flows.

  • Flows are learned regardless of whether they are forwarded or dropped.

  • Because filter-based forwarding (FBF) is used for DFA, all of the limitations and caveats for FBF also apply to DFA.

  • Because the counter is allocated only after a flow is learned, packets received during the initial learning burst are not accounted for. As a result, the counter value may reflect fewer packets than the actual number transmitted.

  • Default aging time is 60 seconds with a tolerance of up to 5 seconds. Therefore, flows age out between 60 to 65 secs after becoming inactive. If you change the aging time after the flow is learned, the new value applies to both new and existing flows.

  • DFA supports only IPv4 and IPv6 traffic. Therefore, you cannot use any firewall filters with family ethernet-switching to supply packets to DFA.

  • Flow learning statistics are only available through the show flow table command.

  • DFA learns flows over time based on a pre-defined tuple (source address, destination address, IP protocol version, ingress interface, Layer 4 source port, Layer 4 destination port, EtherType, and destination queue pair). The default action of the firewall filter is count. You cannot change this tuple or firewall filter action.

Configure DFA

In this sample configuration, you:

  • Learn per-flow state for traffic that matches the default qualifier (standard five-tuple plus ingress interface, EtherType and destination queue pair).

  • Count packets and bytes per learned flow for on-box visibility and troubleshooting.

  • Apply learning only to traffic that matches your filter criteria (for example, UDP destination port 4791).

Note: Flows are learned regardless of whether they are forwarded or dropped.

This example:

  1. Enables the flow-profile forwarding profile to allocate the minimum UFT banks required by Flow Analyzer.

  2. Creates a DFA profile (p1) that uses the default qualifier and counter action.

  3. Sets a global flow aging time of 60 seconds.

  4. Configures an IPv4 firewall filter that matches UDP destination port 4791 and applies the flow-analyzer action with profile p1.

  5. Applies the filter to the input direction of selected interfaces.

Note: Default aging time is 60 seconds with a tolerance of up to 5 seconds. Therefore, flows age out between 60 to 65 secs after becoming inactive. If you change the aging time, the new value applies to both new and existing flows.
Note:

Because the counter is allocated only after a flow is learned, packets received during the initial learning burst are not accounted for. As a result, the counter value may reflect fewer packets than the actual number transmitted.

Before you begin, make sure that:

  • The device supports DFA and the flow-profile forwarding profile.

  • You have access permission to configure forwarding profiles, firewall filters, and interfaces.

  • Interface names used in this example (for example, et-0/0/0 through et-0/0/3) exist on your device, or you can substitute interface names that match your hardware.

Note: DFA reserves shared resources when you enable flow-profile. This reservation can reduce route and host scales and consume flex counters that other features might need to use.
  1. Enable the flow-profile forwarding profile.

    Enabling flow-profile reserves UFT banks for DFA and allocates flex counters (for example, per-pipe reservations). This reservation can reduce counter availability for other features that share flex counters.

  2. Create a DFA profile that uses the default qualifier and counter action.
  3. Set the global aging time for learned flows.
  4. Create an IPv4 firewall filter that matches UDP destination port 4791 and applies the flow-analyzer action.
  5. Apply the filter to selected interfaces in the input direction.
  6. Commit the configuration.
  7. Confirm the configuration.

    From operational mode, use the show configuration command to view the configuration. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Verify DFA Operation

  1. Run the show flow table terse command to see the number of learned flows per profile and IP version.
  2. Run the show flow table brief command to see per‑flow entries.
  3. Run the show flow table detail command to view per‑flow counters, learn time, and destination queue pair (QPair).
    Note:

    Because the counter is allocated only after a flow is learned, packets received during the initial learning burst are not accounted for. As a result, the counter value may reflect fewer packets than the actual number transmitted.
  4. Optionally, view firewall filter counters for traffic that matches the filter.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
25.2X100-D20
We've introduced support for DC Flow Analyzer (DFA) on supported QFX Series switches.