This document describes, among other things, a router providing service-enabled multicast forwarding for a flow-based architecture. Services are enabled using inbound/outbound policies from Access Control Lists (ACLs). In a first mode, per-flow services are not enabled, and flows are aggregated for efficiency. In a second mode, per-flow services are enabled, and control information for an outbound interface (OIF) is shared across all multicast flows that do not have per-flow service enabled. A flow management scheme for these modes allows dynamic multicast membership updates while reducing disruption of active flows. This supports a large multicast OIF list and a high rate of multicast "Joins" and "Leaves". This provides scalability and performance, such as desired for deploying multicast for broadband subscriber applications.

Passive replication methods and systems to facilitate fault tolerance in a network routing system are provided. In one embodiment, a fault associated with a processing engine (PE) of a network routing system is detected by monitoring the health of the network routing system PEs. Responsive to detecting a fault (e.g., a link failure, a failure of a virtual router (VR) or a failure of the PE): VRs that were operating on the PE prior to detection of the fault are identified; configuration information (e.g., a set of command lines in a configuration file) associated with the identified VRs is identified; and the identified VRs are dynamically recreated on a new PE based on the configuration information. For example, a command line interface engine may replay the command line set with a new slot ID and a PE ID of the new PE to recreate the VRs on the new PE.

Methods and systems are provided for routing traffic through a virtual router-based network switch. According to one embodiment, a method for routing packets in a router includes establishing a flow data structure, which identifies a packet flow through a virtual router in the router. When a packet is received, a comparison is performed between a subset of at least one packet header associated with the packet and a subset of the flow data structure. If the subset of the packet header matches the subset of the flow data structure, then the packet can be hardware accelerated to a network interface. Otherwise, the packet may be either dropped or forwarded to a general purpose processor for processing.

Methods are provided for discovering nodes participating in a ring network. According to one embodiment, a ring controller receives a packet containing an arbitration token. If the arbitration token does not arrive within a preselected network timeout period, then the ring controller generates an arbitration token. If the packet contains an arbitration token, then the ring controller checks to see if it was modified by a higher priority node and if not, sets itself as the master node. For each discovery marker in the packet, the ring controller saves topology information associated with the discovery marker. The ring controller adds to the packet a first discovery marker when the packet does not contain a first discovery maker, wherein the first discovery marker includes topology information associated with the node. Finally, the ring controller sends the packet to a next node in the network.