Service processing switch

US2016197836A1 · US · A1

Patent metadata
Publication number: US-2016197836-A1
Application number: US-201615071097-A
Country: US
Kind code: A1
Filing date: Mar 15, 2016
Priority date: Jun 4, 2002
Publication date: Jul 7, 2016
Grant date


Abstract

Official abstract text for this publication.

Methods and systems for providing IP services in an integrated fashion are provided. According to one embodiment, a flow cache is established having multiple entries each identifying one of multiple VR flows through a VR-based network device and corresponding forwarding state information. A packet is received at an input port of a line interface module of the network device and forwarded to a VRE. Flow-based packet classification is performed by the VRE. An attempt is made to retrieve an entry of the flow cache based on a result of the flow-based packet classification. On a flow cache hit, one or more appropriate packet transformations are identified for application to the packet and it is determined whether to process the packet with a VSE based on the corresponding forwarding state information. On a flow cache miss, the new VR flow is added to the flow cache by performing flow learning.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: establishing a flow cache having a plurality of entries each identifying one of a plurality of virtual router (VR) flows through a VR-based network device and corresponding forwarding state information; receiving a packet at an input port of a line interface module of the VR-based network device; the line interface module forwarding the packet to a virtual routing engine (VRE); performing, by the VRE, flow-based packet classification on the packet; attempting, by the VRE, to retrieve an entry of a plurality of entries of the flow cache based on a result of the flow-based packet classification; on a flow cache hit, determining, based on the corresponding forwarding state information of the retrieved flow cache entry, one or more appropriate packet transformations for application to the packet and whether to process the packet with a virtual service engine (VSE) of the VR-based network device; on a flow cache miss, identifying the existence of a new VR flow and adding the new VR flow to the flow cache by performing flow learning; and wherein the one or more appropriate packet transformations are associated with Network Address Translation (NAT) and comprise replacing one or more of an original IP source address, an original IP destination address, an original Transmission Control Protocol (TCP) source port, an original TCP destination port, an original User Datagram Protocol (UDP) source port and an original UDP destination port specified within a header of the packet.

2. The method of claim 1, wherein the VSE comprises an Advanced Security Engine (ASE) and wherein the method further comprises responsive to receiving, by the ASE, the packet, performing one or more hardware-accelerated security services.

3. The method of claim 2, wherein the ASE includes an encryption accelerator chipset and wherein the one or more hardware-accelerated security services include encrypting the packet, by the encryption accelerator chipset, for IP Security (IPSec).

4. The method of claim 2, wherein the ASE includes a key accelerator and wherein the one or more hardware-accelerated security services include performing, by the key accelerator, hardware-assisted Internet Key Exchange (IKE) or hardware-assisted key generation.

5. The method of claim 1, wherein the one or more appropriate packet transformation include substituting a Layer 2 destination address of the packet with a next hop value, decrementing a Time-To-Live (TTL) field and updating an Internet Protocol (IP) header checksum of the packet.

6. A method comprising: establishing a flow cache having a plurality of entries each identifying one of a plurality of virtual router (VR) flows through a VR-based network device and corresponding forwarding state information; receiving a packet at an input port of a line interface module of the VR-based network device; the line interface module forwarding the packet to a virtual routing engine (VRE); performing, by the VRE, flow-based packet classification on the packet; attempting, by the VRE, to retrieve an entry of a plurality of entries of the flow cache based on a result of the flow-based packet classification; on a flow cache hit, determining, based on the corresponding forwarding state information of the retrieved flow cache entry, one or more appropriate packet transformations for application to the packet and whether to process the packet with a virtual service engine (VSE) of the VR-based network device; on a flow cache miss, identifying the existence of a new VR flow and adding the new VR flow to the flow cache by performing flow learning; and wherein the one or more appropriate packet transformations comprise Differentiated Services (DiffServ) Type of Service (ToS) field marking;

7. The method of claim 6, wherein the VSE comprises an Advanced Security Engine (ASE) and wherein the method further comprises responsive to receiving, by the ASE, the packet, performing one or more hardware-accelerated security services.

8. The method of claim 7, wherein the ASE includes an encryption accelerator chipset and wherein the one or more hardware-accelerated security services include encrypting the packet, by the encryption accelerator chipset, for IP Security (IPSec).

9. The method of claim 7, wherein the ASE includes a key accelerator and wherein the one or more hardware-accelerated security services include performing, by the key accelerator, hardware-assisted Internet Key Exchange (IKE) or hardware-assisted key generation.

10. The method of claim 6, wherein the one or more appropriate packet transformation include substituting a Layer 2 destination address of the packet with a next hop value, decrementing a Time-To-Live (TTL) field and updating an Internet Protocol (IP) header checksum of the packet.

11. A method comprising: establishing a flow cache having a plurality of entries each identifying one of a plurality of virtual router (VR) flows through a VR-based network device and corresponding forwarding state information; receiving a packet at an input port of a line interface module of the VR-based network device; the line interface module forwarding the packet to a virtual routing engine (VRE); performing, by the VRE, flow-based packet classification on the packet; attempting, by the VRE, to retrieve an entry of a plurality of entries of the flow cache based on a result of the flow-based packet classification; on a flow cache hit, determining, based on the corresponding forwarding state information of the retrieved flow cache entry, one or more appropriate packet transformations for application to the packet and whether to process the packet with a virtual service engine (VSE) of the VR-based network device; on a flow cache miss, identifying the existence of a new VR flow and adding the new VR flow to the flow cache by performing flow learning; and wherein the one or more appropriate packet transformations are associated with Generic Routing Encapsulation (GRE) tunneling and comprise encapsulation the packet within another packet.

12. The method of claim 11, wherein the VSE comprises an Advanced Security Engine (ASE) and wherein the method further comprises responsive to receiving, by the ASE, the packet, performing one or more hardware-accelerated security services.

13. The method of claim 12, wherein the ASE includes an encryption accelerator chipset and wherein the one or more hardware-accelerated security services include encrypting the packet, by the encryption accelerator chipset, for IP Security (IPSec).

14. The method of claim 12, wherein the ASE includes a key accelerator and wherein the one or more hardware-accelerated security services include performing, by the key accelerator, hardware-assisted Internet Key Exchange (IKE) or hardware-assisted key generation.

15. The method of claim 11, wherein the one or more appropriate packet transformation include substituting a Layer 2 destination address of the packet with a next hop value, decrementing a Time-To-Live (TTL) field and updating an Internet Protocol (IP) header checksum of the packet.

Assignees

Inventors

Classifications

  • Routing or path finding of packets in data switching networks (routing or path finding in wireless networks H04W40/00) · CPC title

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title

  • Electricity · mapped topic

  • Parsing or analysis of headers · CPC title

  • Hop count for routing purposes, e.g. TTL · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Fortinet Inc
What technology area does this patent fall under?
Primary CPC classification H04L47/2441. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jul 7, 2016 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).