computer asset inventory

It is important to remember that computer asset inventory occurs after classification of the packet (in other words, set happens after the match criteria). Thus, if used on an output policy, the packet marking applied can be used by the next-hop node to classify the packet but cannot be used on this node for classification purposes. On the other hand, if class-based marking is used on an ingress interface as an input policy, the marking applied to the packet can be used on the same device on its egress interface for classification purposes

Another point to note for output policies is that both classification and marking can happen after tunnel encapsulation, depending on where the service policy is attached. Therefore, if a policy is attached to a GRE or IPSec tunnel interface, the marking is applied to the original inner packet header. In most cases, this marking automatically is copied to the tunnel header. On the other hand, if the policy is attached to the physical interface, only the tunnel header (the outer header) is marked and the inner computer asset inventory packet header is left unchanged