Egress packet processing using a modified packet header separate from a stored payload

What is claimed is: 1. A method for processing packets in a network device, the method comprising: receiving, at the network device, a packet from a network; storing, with the network device, at least a payload of the packet in a packet memory of the network device; processing, with a packet processor of the network device, the packet, the processing including at least i) determining at least one egress port via which the packet is to be transmitted by the network device, ii) modifying one or more fields in a header of the packet to generate a modified header that is indicative of an access control policy applying to the packet, and iii) determining, based at least in part on application of the access control policy indicated by the one or more modified fields of the header, whether the packet a) is to be transmitted by the network device or b) is to be discarded by the network device; and in response to determining, based at least in part on the application of the access control policy indicated by the one or more modified fields of the header, that the packet is to be transmitted by the network device and not to be discarded by the network device: retrieving, with the network device, the at least the payload of the packet from the packet memory, generating, with the network device, a transmit packet at least by combining the at least the payload of the packet with the modified header, and transmitting the transmit packet via the determined at least one egress port of the network device. 2. The method of claim 1 , further comprising, after generating the modified header, storing, with the packet processor, the modified header in the packet memory. 3. The method of claim 2 , wherein: storing the at least the payload of the packet in the packet memory comprises storing the at least the payload of the packet at a first memory location in the packet memory, and storing the modified header in the packet memory comprises storing the modified header at a second memory location, separate from the first memory location, in the packet memory. 4. The method of claim 3 , wherein: processing the packet comprises processing the packet using a packet descriptor associated with the packet, and the method further comprises, after processing the packet using the packet descriptor, generating an egress packet descriptor corresponding to the packet, the egress packet descriptor being smaller than the packet descriptor used for processing of the packet, and in response to determining that the packet is to be transmitted from the network device, enqueueing the egress packet descriptor in an egress queue for subsequent transmission of the transmit packet via the determined at least one egress port. 5. The method of claim 4 , wherein generating the egress packet descriptor comprises generating the egress packet descriptor to include at least memory location information, the memory location information indicating i) the first memory location at which the at least the payload of the packet is stored in the memory and ii) the second memory location at which the modified header is stored in the packet memory. 6. The method of claim 5 , wherein: the method further comprises, when the egress packet descriptor is dequeued from the egress queue, retrieving, based on the memory location information in the egress packet descriptor, the at least the payload of the packet from the first memory location in the packet memory and the modified header from the second memory location in the packet memory, and generating the transmit packet includes combining the at least the payload of the packet retrieved from the first memory location in the packet memory with the modified header retrieved from the second memory location in the packet memory. 7. The method of claim 5 , further comprising, i) in response to determining that the packet is to be transmitted from the network device and ii) prior to retrieving the at least the payload of the packet from the packet memory, triggering mirroring of the packet, the mirroring including generating, with the packet processor, a copy of the egress packet descriptor, and enqueuing the copy of the egress packet descriptor in an additional egress queue for mirroring of the packet to a destination other than the determined at least one egress port. 8. The method of claim 7 , further comprising, when the copy of the egress packet descriptor is dequeued from the additional egress queue, retrieving, based on the memory location information in the copy of the egress packet descriptor, the at least the payload of the packet from the first memory location in the packet memory and the modified header from the second memory location in the packet memory, generating a mirrored packet at least by combining the at least the payload of the payload retrieved, based on the memory location information in the copy of the egress packet descriptor, from the first memory location in the packet memory and the modified header retrieved, based on the memory location information in the copy of the egress packet descriptor, from the second memory location in the packet memory, and transmitting the mirrored packet to the destination other than the determined at least one egress port. 9. The method of claim 1 , further comprising, in response to determining that the packet is to be discarded by the network device, i) discarding the packet at the network device and ii) not triggering mirroring of the packet by the network device. 10. The method of claim 1 , further comprising performing, based at least in part on the modified header, egress classification of the packet, wherein determining whether the packet a) is to be transmitted by the network device or b) is to be discarded by the network device is performed as part of the egress classification of the packet. 11. A network device, comprising: a receive processor configured to receive a packet from a network, and store at least a payload of the packet in a packet memory; a packet processor configured to process the packet, the packet processor being configured to at least i) determine at least one egress port via which the packet is to be transmitted by the network device, ii) modifying one or more fields in a header of the packet to generate a modified header that is indicative of an access control policy applying to the packet, and iii) determining, based at least in part on application of the access control policy indicated by the one or more modified fields of the header, whether the packet a) is to be transmitted by the network device or b) is to be discarded by the network device; and a transmit processor configured to, in response to the determination, made by the packet processor based at least in part on the application of the access control policy indicated by the one or more modified fields of the header, that the packet is to be transmitted by the network device and not to be discarded by the network device, retrieve the at least the payload of the packet from the packet memory, generate a transmit packet at least by combining the at least the payload of the packet with the modified header, and transmit the transmit packet via the determined at least one egress port of the network device. 12. The network device of claim 11 , wherein the packet processor is further configured to, after generating the modified header, store the modified header in the packet memory. 13. The network device of claim 12 , wherein the packet processor is configured to: store the at least the payload of the packet at a first memory location in the packet memory, and store the modified header at a second memory