Traffic flow statistics are used in many network services and functions such as traffic engineering, network monitoring and traffic visualization, network anomaly detection and protection. Flow statistics may be measured through access control list (ACL) rules programmed into ternary content addressable memory (TCAM) banks of network routers. Each ACL rule counts the packets and/or bytes matching a predefined traffic flow specification, which may include source and/or destination internet protocol (IP), source and destination user datagram protocol (UDP), or transmission control protocol (TCP) flow.
One constraint of router hardware is that, within each TCAM bank, a packet can increment the counter of only a single ACL rule, even though it may match multiple ACL rules. Thus, to collect statistics for flows that overlap, that is, flows that match a common subset of packets, a simple technique is to program the ACL rules for such flows into different TCAM banks. This technique has very limited scalability because the number of TCAM banks in router hardware is typically very small.
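The single-counter-per-bank constraint and the separate-bank workaround can be modelled in a few lines; this is an added illustration, not code from the original text. The rule names, prefixes and packets are constructed, and the model assumes the one rule a bank counts is the first match in list order.

```python
import ipaddress

# Constructed flow specifications: name -> (source prefix, destination prefix).
RULES = {
    "all-from-10/8": ("10.0.0.0/8", "0.0.0.0/0"),
    "web-tier":      ("10.1.0.0/16", "192.0.2.0/24"),
    "to-192.0.2/24": ("0.0.0.0/0", "192.0.2.0/24"),
    "lab":           ("172.16.0.0/12", "198.51.100.0/24"),
}
# Constructed packets: (source IP, destination IP).
PACKETS = [("10.1.2.3", "192.0.2.10"), ("10.9.9.9", "203.0.113.5"),
           ("172.16.0.7", "198.51.100.1"), ("8.8.8.8", "192.0.2.10")]

def parse(rules):
    return {n: (ipaddress.ip_network(s), ipaddress.ip_network(d))
            for n, (s, d) in rules.items()}

def overlaps(a, b):
    """Two rules overlap when some packet can match both of them."""
    return a[0].overlaps(b[0]) and a[1].overlaps(b[1])

def matches(rule, pkt):
    src, dst = ipaddress.ip_address(pkt[0]), ipaddress.ip_address(pkt[1])
    return src in rule[0] and dst in rule[1]

def assign_banks(rules):
    """Greedy placement: put each rule in the first bank with no overlapping rule."""
    banks = []
    for name, rule in rules.items():
        for bank in banks:
            if not any(overlaps(rule, rules[other]) for other in bank):
                bank.append(name)
                break
        else:
            banks.append([name])  # every existing bank conflicts: use a new bank
    return banks

def count(banks, rules, packets):
    """Per bank, only the first matching rule's counter is incremented."""
    counters = dict.fromkeys(rules, 0)
    for pkt in packets:
        for bank in banks:
            hit = next((n for n in bank if matches(rules[n], pkt)), None)
            if hit is not None:
                counters[hit] += 1
    return counters

def demo():
    rules = parse(RULES)
    single = count([list(rules)], rules, PACKETS)  # all rules in one bank
    banks = assign_banks(rules)
    return single, banks, count(banks, rules, PACKETS)

if __name__ == "__main__":
    for part in demo():
        print(part)
```

With one bank, the two rules shadowed by `all-from-10/8` undercount; the three mutually overlapping rules need three banks to count correctly, which is the scalability limit described above.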