Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is in response to the original filing and preliminary amendments of December 31, 2019. Claims 1-20 have been cancelled. Claims 21-40 have been added. Claims 21-40 are pending and have been considered below.
Priority
16731167, filed 12/31/2019 is a continuation of 15639366, filed 06/30/2017, now U.S. Patent #10547644.

Drawings
The drawings filed on 07/14/2017 are accepted.

Specification
The specification filed on 12/31/2019 is accepted.

Information Disclosure Statement
The information disclosure statement (IDS) submitted 12/31/2019 and 09/09/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,547,644 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because Claims 21-40 of the present application contain every element of claims 1-20 of U.S. 10,547,644 B2.
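Claim comparison (claims of Application 16,731,167 listed first, followed by claims of U.S. Patent 10,547,644):
16,731,167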
21. A device, comprising:
a communication interface; and
one or more processors to:
receive network topology information associated with a network;
identify a second application component as a virtual application component of the network based on the network topology information;
identify a first application component as a physical application component of the network based on the network topology information;
provide, to a virtual network device of the network, a first policy to permit the virtual network device to implement the first policy in association with network traffic transferred using the virtual application component, the first policy being provided to the virtual network device based on the virtual network device being a virtual device type and being connected to the virtual application component; and
provide, to a physical network device of the network, a second policy to permit the physical network device to implement the second policy in association with network traffic transferred using the physical application component, the second policy being provided to the physical network device based on the physical network device being a physical device type and being connected to the physical application component. 

22. The device of claim 21, where the one or more processors are further to: determine, using the network topology information, that the virtual application component is connected to the virtual network device; and where the one or more processors, when providing the first policy, are to: provide the first policy based on determining that the virtual application component is connected to the virtual network device. 

23. The device of claim 21, where the one or more processors are further to: determine, using the network topology information, that the physical application component is connected to the physical network device; and where the one or more processors, when providing the second policy, are to: provide the information associated with the second policy based on determining that the physical 
24. The device of claim 21, where the one or more processors are further to: determine, using the network topology information, that the virtual application component is a virtual device; and where the one or more processors, when generating the first policy, are to: generate the first policy based on determining that the virtual application component is the virtual device. 
25. The device of claim 21, where the physical network device is associated with a data center; and where the network topology information includes information that identifies one or more of: the physical network device, connections between the physical network device and one or more other physical network devices in the data center, locations of the physical network device and one or more other physical network devices in the data center, or network addresses of the physical network device and one or more other physical network devices in the data center. 
26. The device of claim 21, where the network topology information includes information that identifies one or more of: a set of data associated with the virtual network device, a set of files associated with the virtual network device, or a set of messages associated with the virtual network device. 
28. A non-transitory computer-readable medium storing instructions, the instructions comprising:
receive network topology information associated with a network;
identify a first application component as a physical application component of the network based on the network topology information;
identify a second application component as a virtual application component of the network based on the network topology information;
provide, to a virtual network device of the network, a first policy to permit the virtual network device to implement the first policy in association with network traffic transferred using the virtual application component, the first policy being provided to the virtual network device based on the virtual network device being a virtual device type and being connected to the virtual application component; and 
provide, to a physical network device of the network, a second policy to permit the physical network device to implement the second policy in association with network traffic transferred using the physical application component, the second policy 
29. The non-transitory computer-readable medium of claim 28, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: determine, using the network topology information, that the virtual application component is connected to the virtual network device; and where the one or more instructions, that cause the one or more processors to provide the first policy, cause the one or more processors to: provide the first policy based on determining that the virtual application component is connected to the virtual network device. 

30. The non-transitory computer-readable medium of claim 28, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: determine, using the network topology information, that the physical application component is connected 
10,547,644
one or more processors to:
 receive policy information associated with a first application group and a second application group, the first application group including a first set of virtual application components and a first set of physical application components, the second application group including a second set of virtual application components and a second set of physical application components; 
generate a logical group of virtual application components, the first set of virtual application components and the second set of virtual application components being included in the logical group of virtual application components based on the first 
generate a logical group of physical application components, the first set of physical application components and the second set of physical application components being included in the logical group of physical application components based on the first set of physical application components and the second set of physical application components being physical application components; 
receive network topology information associated with a network; 
generate a first policy, to be provided to a virtual network device of the network, based on the policy information, the logical group of virtual application components, and the network topology information, a virtual application component, of the first set of virtual application components, being connected to the virtual network device; 

generate a second policy, to be provided to a physical network device of the network, based on the policy information, the logical group of physical application components, and the network topology information, a physical application component, of the first set of physical application components, being connected to the physical network device; 
provide, to the virtual network device of the network, information associated with the first policy to permit the virtual network device to implement the first policy in association with network traffic transferred between the virtual application component, 
provide, to the physical network device, information associated with the second policy to permit the physical network device to implement the second policy in association with network traffic transferred between the physical application component, of the first set of physical application components, and another physical application component of the second set of physical application components, the second policy being provided to the physical network device based on the physical network device being a physical device type. 
    2. The device of claim 1, where the one or more processors are further to: determine, using the network topology information, that the virtual application component is connected to the virtual network device; and where the one or more processors, when providing the information associated with the first policy, are to: provide the information associated with the first policy based on determining that the virtual application component is connected to the virtual network device. 
    3. The device of claim 1, where the one or more processors are further to: determine, using the network topology information, that the physical application component is connected to the physical network device; and where the one or more processors, when providing the information associated with the second policy, are to: provide the information associated with the second policy based on determining that the physical 
    4. The device of claim 1, where the one or more processors are further to: determine, using the network topology information, that the virtual application component is a virtual device; and where the one or more processors, when generating the first policy, are to: generate the first policy based on determining that the virtual application component is the virtual device. 
    6. The device of claim 1, where the physical network device is associated with a data center; and where the network topology information includes information that identifies one or more of: the physical network device, connections between the physical network device and one or more other physical network devices in the data center, locations of the physical network device and one or more other physical network devices in the data center, or network addresses of the physical network device and one or more other physical network devices in the data center. 
    7. The device of claim 1, where the network topology information includes information that identifies one or more of: a set of data associated with the virtual network device, a set of files associated with the virtual network device, or a set of messages associated with the virtual network device. 
    8. A non-transitory computer-readable medium storing instructions, the instructions comprising:

 receive policy information associated with a first application group and a second application group;
 generate a logical group of virtual application components, a set of virtual application components being included in the logical group of virtual application components based on the set of virtual application components being virtual application components;
 generate a logical group of physical application components, a set of physical application components being included in the logical group of physical application components based on the set of physical application components being physical application components; 
receive network topology information associated with a network; 
generate a first policy, to be provided to a virtual network device of the network, based on the policy information, the logical group of virtual application components, and the network topology information; 
generate a second policy, to be provided to a physical network device of the network, based on the policy information, the logical group of physical application components, and the network topology information, the first policy being different than the second policy; provide, to the virtual network device, 
    9. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: determine, using the network topology information, that a virtual application component of the first application group is connected to the virtual network device; and where the one or more instructions, that cause the one or more processors to provide the information associated with the first policy, cause the one or more processors to: provide the information associated with the first policy based on determining that the virtual application component is connected to the virtual network device. 
    10. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: determine, using the network topology information, that a physical application component of the first . 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 21-40 are rejected under 35 U.S.C. 103 as being unpatentable over Woolward U.S. 9,560,081 in view of Jain et al U.S. 2017/0339188 A1.
Claims 21, 28 and 35: Woolward teaches a device, a method and a non-transitory computer-readable medium storing instructions, the instructions comprising: one or more instructions that, when executed by one or more processors, cause the one or more processors to, comprising: 
a communication interface (col.5, lines 33-50, Container engine 330 can create a network interface that allows the container to communicate with hardware); and
one or more processors (Fig.9, item 910) to: 
receive network topology information associated with a network (col.10, lines 30-55, enforcement point 250 programs overflow rules and/or deploys a Linux bridge topology into virtual switch 240. As described above in relation to FIG. 2, enforcement point 250 can control network traffic to and from containers 340.sub.1-340.sub.z, for example, using a rule set);
 identify a first application component as a physical application component of the network based on the network topology information (col.3, lines 40-55, physical hosts 160.sub.1, 1-160.sub.x, y comprise physical servers performing the operations described herein, which can be referred to as a bare- server environment); 
identify a second application component as a virtual application component of the network based on the network topology information (col.3, lines 55-67, Environment 200 includes hardware 210, host operating system (OS) 220, hypervisor 230, and virtual machines (VMs) 260.sub.1-260.sub.V);
provide, to a virtual network device of the network, a first policy to permit the virtual network device to implement the first policy in association with network traffic transferred using the virtual application component, the first policy being provided to the virtual network device based on the virtual network device being a virtual device type and being connected to the virtual application component (col.11, line 64 - col.12, line 21, step 750 in Fig.7: "For example, the enforcement point (e.g., of enforcement points 2501-250V (FIG. 2) and/or 250 (FIGS. 3 and 4)) can program virtual switch 240 (FIG. 2 and FIG. 3) such that communications (e.g., network packets such as IP packets) are forwarded to their respective destination, dropped, or forwarded to an alternative destination (e.g., honeypot, tarpit, canary trap, etc.). Application of the firewall rule set as described above can be used to microsegment a data network. In other words, entities on the data network (e.g., physical servers, VMs, containers, etc.) can be grouped into segments, where communications among entities within a group are permitted and optionally limited by such characteristics as source/destination ports, protocols used, applications used, the like, and combinations thereof. Communications among entities in different groups can be restricted, for example, not permitted at all and/or limited by a more restrictive set of characteristics than are generally permitted within a group. Since an enforcement point can be provisioned for each network switch and each entity on the network communicates through the network switch, the segmentation of the network (e.g., division effectively into groups of any size) can be highly granular. Hence the data network can be said to be microsegmented"; see, also, claim 2); and
Woolward fails to teach, however Jain et al in the same field of endeavor teaches 
provide, to a physical network device of the network, a second policy to permit the physical network device to implement the second policy in association with network traffic transferred using the physical application component, the second policy being provided to the physical network device based on the physical network device being a physical device type and being connected to the physical application component (par.39, For example, SDN.sub.B can use endpoint groups (EPGs) to implement microsegmentation. EPGs can include a collection of endpoints that share common policy requirements, such as security, QoS, services, etc. Endpoints can be virtual or Physical devices such VMs 136-140, and bare-metal server 118, in the network 100. EPGs can have various attributes such as VM name, guest OS name, security tag, etc. Application policies can be applied between EPGs, which allows enforcement of policies for groups of endpoints as opposed to individual endpoints. In the fabric 102, leaf switches 106 can classify incoming traffic into different EPGs. This classification can be based on a network segment identifier (e.g., VLAN ID, VxLAN Network Identifier, NVGRE Virtual Subnet Identifier, etc.) or a network address (e.g., media access control address, IP address, etc.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Woolward with the additional features of Jain et al in order to provide the ability to control a network breach to be contained into a small fault domain and to protect the integrity of the rest of the data center, as suggested by Jain et al, par.2.
Claims 22, 29 and 36: the combination teaches where the one or more processors are further to: 
determine, using the network topology information, that the virtual application component is connected to the virtual network device (Woolward Figs. 6, 8, col.6, lines 35-45, col.8, line 11-14, col.11, line 64 to col.12 line 21); and
where the one or more processors, when providing the first policy, are to: provide the first policy based on determining that the virtual application component is connected to the virtual network device (Woolward Figs. 6, 8, col.6, lines 35-45, col.8, line 11-14, col.11, line 64 to col.12 line 21, Fig.7, step 750 in reference to Figs. 2 and 3).
Claims 23, 30 and 37: the combination teaches where the one or more processors are further to: 
determine, using the network topology information, that the physical application component is connected to the physical network device (Woolward col.8, line 11-14, Jain et al, par.23-24); and 
where the one or more processors, when providing the second policy, are to: provide the information associated with the second policy based on determining that the physical application component is connected to the physical network device (Woolward col.8, line 11-14, Jain et al par.23-24, 39). 
Claims 24, 31 and 38: the combination teaches where the one or more processors are further to: 
Woolward col.8, lines 1-35, col.11, line 57 to col.12 line 5, Fig.7, step 740); and 
where the one or more processors, when generating the first policy, are to: generate the first policy based on determining that the virtual application component is the virtual device (Woolward col.8, lines 1-35, col.11, line 57 to col.12 line 5, Fig.7, step 740). 
Claims 25, 32 and 39: the combination teaches 
where the physical network device is associated with a data center (Woolward, col.12, lines 28-55); and 
where the network topology information includes information that identifies one or more of: the physical network device, connections between the physical network device and one or more other physical network devices in the data center, locations of the physical network device and one or more other physical network devices in the data center, or network addresses of the physical network device and one or more other physical network devices in the data center (Woolward, col.12, lines 28-55). 
Claims 26, 33 and 40: the combination teaches
Woolward, col.3, lines 40-55).
Claims 27 and 34: the combination teaches, where the one or more processors are further to:
generate a logical group of virtual application components of the network, the first policy being provided to the virtual network device based on the logical group of virtual application components; and generate a logical group of physical application components of the network, the second policy being provided to the physical network device based on the logical group of physical application components (Woolward, col.12, lines 5-15, 28-39, Fig.8).

The following patents are cited to further show the state of the art at the time of applicant’s invention.
Hamou et al U.S. 2017/0374106 A1 teaches a method that involves obtaining application implementation information associated with multiple applications implemented by multiple virtualized computing instances, where multiple virtualized computing instances are supported by multiple hosts. Micro-segments are detected by clustering multiple virtualized computing 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685.  The examiner can normally be reached on 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on 5712724219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Saturday, February 13, 2021

/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436