DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is responsive to communication received on 02/27/2020. The applicant has submitted 20 claims for examination; all claims are currently pending.

Claim Rejections - 35 USC § 102
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.



Claims 1-5, 7-14 and 16-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Ruty US 2019/0079788.
Regarding claims 1 and 11, Ruty teaches a method and device manager implementing the method comprising: identifying a policy out of a set of predefined policies, the identified policy comprising rules which determine how the network device should operate in the communication network
["Leafs 204 can be responsible for routing and/or bridging tenant or customer packets and applying network policies or rules. Network policies and rules can be driven by one or more Controllers 216, and/or implemented or enforced by one or more devices, such as Leafs 204. Leafs 204 can connect other elements to the Fabric 220. For example, Leafs 204 can connect Servers 206, Hypervisors 208, Virtual Machines (VMs) 210, Applications 212, Network Device 214, etc., with Fabric 220. Such elements can reside in one or more logical or virtual layers or networks, such as an overlay network. In some cases, Leafs 204 can encapsulate and decapsulate packets to and from such elements (e.g., Servers 206) in order to enable communications throughout Network Environment 200 and Fabric 220. Leafs 204 can also provide any other devices, services, tenants, or workloads with access to Fabric 220.", ¶33]
identifying program components required to fulfil the identified policy
["A system can determine whether a block of a container image used in running a container is present in local storage at a host. If the block of the container image is present in the local storage at the host, then the system can use the block in the local storage to run the container at the host.", ¶20]
["Leafs 204 can be responsible for routing and/or bridging tenant or customer packets and applying network policies or rules. Network policies and rules can be driven by one or more Controllers 216, and/or implemented or enforced by one or more devices, such as Leafs 204.", ¶33]
determining existing program components present in the network device and
["A system can determine whether a block of a container image virtualized at a host and used in running a container is present in local storage at the host. If the block of the container image is present in the local storage at the host, then the system can use the block in the local storage to run the container at the host. If the system determines the block of the container image is absent from the local storage, the system can subsequently fetch the block of the container image for the host from a container image storage node where the container image resides in its entirety.", ¶21]
pushing to the network device one or more of the required program components absent in said existing program components in the network device.
["In predictively virtualizing a container image at the host 302, the predictive container image virtualization system 500 can predict portions of a virtualized container image to send to the host 302. The predictive container image virtualization system 500 can then send predicted portions of the virtualized container images to the host 302, as part of predictively virtualizing container images at the host 302. Additionally, as part of predictively virtualizing container images at the host 302, the predictive container image virtualization system 500 can predict portions of container image to send to the host 302 without receiving requests for the predicted portions of the container image. Subsequently, the predictive container image virtualization system 500 can send the predicted portions of the container image to the host 302 without receiving requests for the portions of the container image, e.g. as part of the container image virtualization system 500 prefetching the predicted portions for the host 302.", ¶84]

Regarding claims 2 and 12, Ruty teaches wherein said one or more required program components absent in the existing program components are determined from a difference between the required program components and the existing program components.
["A system can determine whether a block of a container image used in running a container is present in local storage at a host. If the block of the container image is present in the local storage at the host, then the system can use the block in the local storage to run the container at the host. If the system determines the block of the container image is absent from the local storage, then the system can fetch the block of the container image for the host from a container image storage node remote from the host where the container image resides in its entirety. The system can use the block of the container image fetched from the container image storage node to run the container.", ¶20]
["Blocks, or otherwise portions, of a container image can include portions of data in a container image that can be used to run a container. Specifically, blocks of a container image can include an entire layer of a plurality of incremental layers of a contain image. For example, a block of a container image can include a first layer of 24 sequential layers of the container image used in beginning execution of a container using the container image. Additionally, blocks of a container image can include portions of a layer of a container image. For example, a block of a container image can include a portion of a layer of the container image used to resume execution of a container using the container image.", ¶56]

Regarding claims 3 and 13, Ruty teaches wherein the method is performed when detecting that the network device has joined the communication network, or when detecting that a policy affecting the network device has been added, removed, or changed.
["In some cases, VMs 210 and/or Hypervisors 208 can be migrated to other Servers 206. Servers 206 can similarly be migrated to other locations in Network Environment 200. For example, a server connected to a specific leaf can be changed to connect to a different or additional leaf. Such configuration or deployment changes can involve modifications to settings, configurations and policies that are applied to the resources being migrated as well as other network components", ¶36]

Regarding claims 4 and 14, Ruty teaches wherein the added, removed, or changed policy is valid for any one or more of: an identity of the network device, a type of the network device, a model of the network device, and a manufacturer of the network device (policies are applied to a group of devices with the same profile/application model, ¶40).
["ACI can provide an application-centric or policy-based solution through scalable distributed enforcement. ACI supports integration of physical and virtual environments under a declarative configuration model for networks, servers, services, security, requirements, etc. For example, the ACI framework implements EPGs, which can include a collection of endpoints or applications that share common configuration requirements, such as security, QoS, services, etc. Endpoints can be virtual/logical or physical devices, such as VMs, containers, hosts, or physical servers that are connected to Network Environment 200. Endpoints can have one or more attributes such as a VM name, guest OS name, a security tag, application profile, etc. Application configurations can be applied between EPGs, instead of endpoints directly, in the form of contracts. Leafs 204 can classify incoming traffic into different EPGs. The classification can be based on, for example, a network segment identifier such as a VLAN ID, VXLAN Network Identifier (VNID), NVGRE Virtual Subnet Identifier (VSID), MAC address, IP address, etc.", ¶40]

Regarding claims 5 and 15, Ruty teaches wherein the identified policy is valid for one or more of: an identity of the network device, a type of the network device, a model of the network device, and a manufacturer of the network device (policies are applied to a group of devices with the same profile/application model, ¶40).
["ACI can provide an application-centric or policy-based solution through scalable distributed enforcement. ACI supports integration of physical and virtual environments under a declarative configuration model for networks, servers, services, security, requirements, etc. For example, the ACI framework implements EPGs, which can include a collection of endpoints or applications that share common configuration requirements, such as security, QoS, services, etc. Endpoints can be virtual/logical or physical devices, such as VMs, containers, hosts, or physical servers that are connected to Network Environment 200. Endpoints can have one or more attributes such as a VM name, guest OS name, a security tag, application profile, etc. Application configurations can be applied between EPGs, instead of endpoints directly, in the form of contracts. Leafs 204 can classify incoming traffic into different EPGs. The classification can be based on, for example, a network segment identifier such as a VLAN ID, VXLAN Network Identifier (VNID), NVGRE Virtual Subnet Identifier (VSID), MAC address, IP address, etc.", ¶40]
	
Regarding claims 7 and 17, Ruty teaches wherein determining the existing program components comprises querying the network device to identify its existing program components or retrieving information on the existing program components from a data storage.
["A system can determine whether a block of a container image used in running a container is present in local storage at a host. If the block of the container image is present in the local storage at the host, then the system can use the block in the local storage to run the container at the host.", ¶20]

Regarding claims 8 and 18, Ruty teaches, wherein the required program components are to be executed in a dataplane of the network device to perform operations related to any one or more of: switching, forwarding, routing, firewalling, caching, and packet inspection.
["Such configurations can define rules, policies, priorities, protocols, attributes, objects, etc., for routing and/or classifying traffic in Network Environment 100. For example, such configurations can define attributes and objects for classifying and processing traffic based on Endpoint Groups (EPGs), Security Groups (SGs), VM types, bridge domains (BDs), virtual routing and forwarding instances (VRFs), tenants, priorities, firewall rules, etc.", ¶39]
["Controllers 216 can provide centralized access to fabric information, application configuration, resource configuration, application-level configuration modeling for a software-defined network (SDN) infrastructure, integration with management systems or servers, etc. Controllers 216 can form a control plane that interfaces with an application plane via northbound APIs and a data plane via southbound APIs.", ¶44]

Regarding claims 9 and 19, Ruty teaches, wherein the communication network is a Software Defined Network, SDN (SDN).
["Returning now to FIG. 2A, Network Environment 200 can deploy different hosts via Leafs 204, Servers 206, Hypervisors 208, VMs 210, Applications 212, and Controllers 216, such as VMWARE ESXi hosts, WINDOWS HYPER-V hosts, bare metal physical hosts, etc. Network Environment 200 may interoperate with a variety of Hypervisors 208, Servers 206 (e.g., physical and/or virtual servers), SDN orchestration platforms, etc. Network Environment 200 may implement a declarative model to allow its integration with application design and holistic network policy.", ¶44]

Regarding claims 10 and 20, Ruty teaches wherein the device manager obtains from a program component provider any required program component or components that need to be pushed to the network device.
["More specifically, the container image virtualization system 300 can send a request for the portion of the virtualized container image layers 310 to a node or a controller of a node where the portion resides, e.g. in the container image layers 316 of the container image 314 stored at the container image storage node 304. In response to a request for the portion of the virtualized container image layers 310, the container image virtualization system 300 can retrieve the portion of the virtualized container image layers 310 from the container image layers 316 of the container image 314 stored at the container image storage node 304. The container image virtualization system 300 can then provide the retrieved portion of the virtualized container image layers 310 to the host 302, where it can be used to execute the container 306 at the host 302.", ¶72]



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Ruty as applied to claims 1 and 11 above, and further in view of Assadzadeh US 2010/0257264.
Regarding claims 6 and 16, Ruty does not teach wherein the policies in the set of predefined policies have priorities so that a policy with a first priority overrides a conflicting policy with a second priority lower than the first priority. Assadzadeh in the same area of policy enforcement in computing networks teaches a method for policy interpretation. Assadzadeh teaches wherein the policies in the set of predefined policies have priorities so that a policy with a first priority overrides a conflicting policy with a second priority lower than the first priority.
["As can be seen from this example, each PR includes a condition and an action. In PR1, the condition is FTP traffic and the action is rate limit to 64 kbps. In PR2, the condition is video teleconferencing traffic and the action is forward. When traffic satisfies or matches conditions of more than one policy, one policy has a higher priority (lower precedence number) than the other matching policies and the actions cannot be combined, then the other matching policies are said to be eclipsed or overridden by the policy with the higher priority.", ¶48]

It would have been obvious to a person of ordinary skill in the art at the time of the filing to modify Ruty with overriding by a higher precedence policy over a lower precedence policy as taught by Assadzadeh. The reason for this modification would be to determine which policy is applied when conflicting policies exist for a device.






Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TOM Y. CHANG whose telephone number is (571)270-5938. The examiner can normally be reached on Monday - Thursday from 9am to 5pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Philip Chea, can be reached on (571)272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/TOM Y CHANG/
Primary Examiner, Art Unit 2456