DETAILED ACTION
This Action is in response to application/ communications filed on 04/23/2019.
Claims 1-20 are presented for examination, claims 1, 19 and 20 are independent claims. 
Claims 1-20 remain pending in this application.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Specification
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.

Claim Objections
Claim(s) 9 and 18 is/are objected to because of the following informalities:  
Claim 9 recites the limitation "a second specific of the second service device policy" in lines 5-6. Based on [0062] and claim 10, it should read "a second specificity …"
A series of singular dependent claims is permissible in which a dependent claim refers to a preceding claim which, in turn, refers to another preceding claim. However, a claim (claim 18) which depends from a dependent claim (claim 16) should not be separated therefrom by any claim (claim 17) which does not also depend from said "dependent claim" (claim 16). In general, applicant’s sequence should not be changed. See MPEP § 608.01(n).IV. When the application is ready for allowance, the examiner, if necessary, will renumber the claims consecutively in the order in which they appear or in such order as may have been requested by applicant. See MPEP § 608.01(j).
Appropriate correction is required.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claim(s) 1-2, 4-5, and 19-20 is/are rejected under 35 U.S.C. 102(a)(1) and 35 U.S.C. 102(a)(2) as being anticipated by Sharma et al. (hereinafter, Sharma, US 20180337849 A1).

Regarding claim 1, Sharma discloses a method for managing a network device fabric (see [0185]; an SDN controller operates to configure and manage the cloud system/ network), comprising: 
obtaining, from a service device (Fig.1: 134; also see [0057]: lines 20-28; also see last 9 lines of [0060] and [0061] in view of [0006]), a first service device policy (see Fig.1:180; also see [0058] lines 1-7; the SBC 134 is able to provide instructions to the SDN Controller regarding policy flow instructions; also see Fig.20E:2048 and [0206]; the SDN controller is operated to receive the instructions from the SBC); 
examining the first service device policy to identify a first set of qualifiers and a first traffic flow action (see [0019]; method including the steps of: … (iii) operating the SDN controller to receive the instructions for the media micro flow service from the SBC; (iv) operating the SDN controller to identify one or more SDN programmable switches on which to install the instructions for the media micro flow service; also see [0205]; SBC is operated to generate instructions that include information by which the first programmable switch can identify packets of the first media packet flow and an action/command for the first programmable switch; examiner articulates that identifying one or more SDN programmable ; 
deriving, from the first service device policy, a first network device rule (see [0060] lines 15-22; the SBC 134 then uses the SDN control plane interface to communicate one or more rules that the SBC 134 wants propagated into the network. The SDN controller 112 determines how to apply these rules and depending on the implementation may translate the rules into lower level primitives and install them into the programmable network switches, e.g., SDN OpenFlow switches) comprising the first set of qualifiers and the first traffic flow action (see last 2 lines of [0059]; SDN controller 112 dynamically programs flows in the SDN system 100; also see [0083]; the SDN switch 300 includes one or more components for implementing instructions received from an SDN controller, the instructions including for example identifying packets of a media packet flow and performing actions upon the packets of a media packet flow; In some embodiments, the instructions include matching a packet to a flow based on the contents of the IPv4 or IPv6 packet header and modifying the IP address, before forwarding); and 
making a first attempt at a fabric-wide deployment of the first network device rule, wherein, based on a success of the first attempt, enforcement of the first service device policy is offloaded onto the network device fabric (see Fig.1:182; also see last 4 lines of [0058]; the SDN controller dynamically sends policy enforcement instructions to the devices of the SDN network, e.g., SDN programmable switches, to enforce the policies; also see [0060] lines 15-22; the SBC 134 uses the SDN control plane interface to communicate one or more rules that the SBC 134 wants propagated into the network. The SDN controller 112 determines how to apply these rules and depending on the implementation may translate the rules into lower level primitives and install them into the programmable SDN OpenFlow switches; also see [0061]-[0063]; In the SDN network, media services are realized by rules or instructions programmed into the SDN programmable switches… Offloading relay aspects to a switch; SBC flows are realized from a network wide perspective using the underlying SDN aware network).
Regarding claim 2, Sharma discloses the method of claim 1, as set forth above. In addition, Sharma further discloses wherein the first set of qualifiers comprises an application- protocol qualifier (APQ) (see [0058]; Box 180 indicates that the SBC 134 is able to provide instructions to the SDN Controller regarding policy flow instructions, 5-tuple information (source transport number, source Internet Protocol address, destination transport number, destination Internet Protocol address, and Protocol type (e.g., UDP or TCP)), bandwidth, DSCP marking, and Network Address and Port Translation; examiner articulates that the “Protocol type” information within the policy flow instructions corresponds to an application- protocol qualifier).

Regarding claim 4, Sharma discloses the method of claim 1, as set forth above. In addition, Sharma further discloses wherein the first network device rule is directed to an offload network device rule subclass (see [0061]-[0063]; In the SDN network, media services are realized by rules or instructions programmed into the SDN programmable switches … Offloading relay aspects to a switch; SBC flows are realized from a network wide perspective using the underlying SDN aware network; examiner articulates that rules or instructions programmed into the SDN programmable switches that is used in offloading relay aspects to the SDN switch corresponds to an offload network device rule subclass).

Regarding claim 5, Sharma discloses the method of claim 1, as set forth above. In addition, Sharma further discloses wherein making the first attempt at the fabric-wide deployment of the first network device rule (see [0058]-[0063]), comprises: 
identifying a network device set that forms the network device fabric (see [0019]; method including the steps of: … (iii) operating the SDN controller to receive the instructions for the media micro flow service from the SBC; (iv) operating the SDN controller to identify one or more SDN programmable switches on which to install the instructions for the media micro flow service); 
generating a rule commit command using the first network device rule (see [0093]; SBC upon determining the type of microflow to be established from a media perspective for a call/media session exchanging and/or sending instructions, commands and/or information to the SDN controller which in turn programs, i.e., installs instructions for execution into the programmable switches to implement the policies and instructions provided by the SBC; examiner articulates that the program instructions generated by the SDN controller based on policies and instructions provided by the SBC for the programmable switches corresponds to rule commit command generated using the first network device rule); and 
transmitting the rule commit command to each network device of the network device set (see [0093]; SBC upon determining the type of microflow to be established from a media perspective for a call/media session realizes the SBC media services or redirection services required for the microflow by programming the underlying SDN network and in particular the programmable switches of the SDN network typically by exchanging and/or sending instructions, commands and/or information to the SDN controller which in turn programs, i.e., installs instructions for execution into the programmable switches to implement the policies and instructions provided by the SBC; also see [0218]; The SDN network then transmits the instructions generated in response to the SBC instructions/commands to a programmable SDN switch that will receive the first media packet flow from the ingress SDN switches).

Regarding claim 19, Sharma discloses a system (see Fig.1:100; also see [0057]), comprising: 
a network device fabric comprising a plurality of interconnected network devices (see [0057] lines 1-10; system 100 includes IP Endpoints 102 and 104, and Enterprises 103 and 105 coupled to a SDN Network including Edge Switch 1 106 (e.g., an OpenFlow Access Switch), Core Switch 108 (e.g., an OpenFlow Core Switch), Edge Switch 2 110 (e.g., an OpenFlow Access Switch), a Layer 4+ Media Aware Device 107, SDN controller 112, and cloud service provider data center 114 connected via communications links 116, 117, 118, 120, 122, 124, 126, 128, 130, 132, 164, 166, 184, and 186; examiner articulates that a SDN Network corresponds to a network device fabric); 
a service device (Fig.1: 134; also see [0057]: lines 20-28; also see last 9 lines of [0060] and [0061] in view of [0006]) directly-connected to a network device (Fig.1:106) of the network device fabric (see [0057]; lines 40-45; Communications link 184 couples the edge switch 1 106 to the SBC 134. Communications link 186 couples the edge switch 2 110 to the SBC 134); and 
a control plane service (CPS) (Fig.1:112) operatively connected to the network device fabric (see [0057] lines 36-42; Communications link 124 couples/connects edge switch 1 to SDN controller 112. Communications link 126 couples/connects core switch 108 to SDN controller 112. Communications link 128 couples/connects edge switch 2 110 to SDN controller 112. Communications links 130 and 132 couples/connects the SDN controller 112 to the cloud service provider data center 114), and programmed to:
obtain, from the service device (Fig.1: 134; also see [0057]: lines 20-28; also see last 9 lines of [0060] and [0061] in view of [0006]), a service device policy (see Fig.1:180; also see [0058] lines 1-7; the SBC 134 is able to provide instructions to the SDN Controller regarding policy flow instructions; also see Fig.20E:2048 and [0206]; the SDN controller is operated to receive the instructions from the SBC); 
examine the service device policy to identify a set of qualifiers and a traffic flow action (see [0019]; method including the steps of: … (iii) operating the SDN controller to receive the instructions for the media micro flow service from the SBC; (iv) operating the SDN controller to identify one or more SDN programmable switches on which to install the instructions for the media micro flow service; also see [0205]; SBC is operated to generate instructions that include information by which the first programmable switch can identify packets of the first media packet flow and an action/command for the first programmable switch; examiner articulates that identifying one or more SDN programmable switches of the media packet flow based on policy instruction for the media micro flow service received from SBC imply examining the policy and identifying a set of qualifiers, and identifying instructions for the media micro flow service (i.e., action/command for the first programmable switch) imply identifying a traffic flow action); 
derive, from the service device policy, a network device rule (see [0060] lines 15-22; the SBC 134 then uses the SDN control plane interface to communicate one or more rules that the SBC 134 wants propagated into the network. The SDN controller 112 determines how to apply these rules and depending on the implementation may translate the rules into lower level primitives and install them into the programmable network switches, e.g., SDN OpenFlow switches) comprising the set of qualifiers and the traffic flow action (see last 2 lines of [0059]; SDN controller 112 dynamically programs flows in the SDN system 100; also see [0083]; the SDN switch 300 includes one or more components for implementing instructions received from an SDN controller, the instructions including for example identifying packets of a media packet flow and performing actions upon the packets of a media packet flow; In some embodiments, the instructions include matching a packet to a flow based on the contents of the IPv4 or IPv6 packet header and modifying the IP address, before forwarding); and 
make an attempt at a fabric-wide deployment of the network device rule, wherein, based on a success of the attempt, enforcement of the service device policy is offloaded onto the network device fabric (see Fig.1:182; also see last 4 lines of [0058]; the SDN controller dynamically sends policy enforcement instructions to the devices of the SDN network, e.g., SDN programmable switches, to enforce the policies; also see [0060] lines 15-22; the SBC 134 uses the SDN control plane interface to communicate one or more rules that the SBC 134 wants propagated into the network. The SDN controller 112 determines how to apply these rules and depending on the implementation may translate the rules into lower level primitives and install them into the programmable SDN OpenFlow switches; also see [0061]-[0063]; In the SDN network, media services are realized by rules or instructions programmed into the SDN programmable switches… Offloading relay aspects to a switch; SBC flows are realized from a network wide perspective using the underlying SDN aware network).

Regarding Claim 20, the claim list all the same limitations of claim 1 and/or 19, but as a non-transitory computer readable medium (CRM) comprising computer readable program code (see Sharma [0349]-[0350]), which when executed by a computer processor (see Sharma Fig.21:2106 and Fig.22:2206), enables the computer processor to carry out the corresponding steps, rather than the method form. Therefore, the supporting rationale of the rejection to claim 1 and/or 19 applies equally as well to Claim 20.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 3, and 9-10 Sharma et al. (hereinafter, Sharma, US 20180337849 A1) in view of Gupta et al. (hereinafter, Gupta, US 20160359913 A1).
Regarding claim 3, Sharma discloses the method of claim 2, as set forth above. Sharma does not explicitly disclose wherein the first set of qualifiers further comprises an intercept source qualifier (ISQ) reflecting an ANY state and an intercept destination qualifier (IDQ) reflecting the ANY state.
Gupta discloses wherein the first set of qualifiers (see Fig.3: 304 and 308) further comprises an intercept source qualifier (ISQ) reflecting an ANY state (see Fig.3: 304 for row 301f) and an intercept destination qualifier (IDQ) reflecting the ANY state (see Fig.3: 308 for row 301f; also see [0050]; Policy table 300 can include policies 301a-301f (collectively, "301") for enforcement in a network… in some example embodiments one or both of source and destination are not specified).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Gupta with Sharma so that the first set of qualifiers further comprises an intercept source qualifier (ISQ) reflecting an ANY state and an intercept destination qualifier (IDQ) reflecting the ANY state.
One of ordinary skill in the art would have been motivated so that conditional policies can be dynamically enforced by the components depending on a network control scheme implemented by a network (Gupta: [0030]).

Regarding claim 9, Sharma discloses the method of claim 1, as set forth above. In addition, Sharma discloses the method further comprising prior to deriving the first network device rule (see [0169]-[0170] in view of Fig.10; the SDN switches are program by the SBC via the SDN controller; also [0173] in view of Fig.14:1426 and 1428; instructions are in the form of a flow table entries that are installed in one or more SDN switch(es) 1512, 1514, 1516, . . . , 1518 of the SDN network 1506 for the media flow from device E 1004 to device E 1010 illustrated by line 1836 on FIG. 18... Both switches 3 and N may and in some embodiments do have instructions TAG04 and 05 installed in them): 
obtaining, from the service device, a second service device policy (see [0167]; the SBC sends instructions and/or information to the SDN controller to configure SDN switches of the SDN network 1006 that receive packets with the 6-tuple Src: Port_E, IP_E, MAC_E Dest: SBC_Port_J, SBC_IP_J, Also the SBC sends instructions and/or information to the SDN controller to configure SDN switches of the SDN network 1006 to rewrite packets received with the 6-tuple Src: MID_Port_H2, MID_IP_H, MID_MAC_H Dest: SBC_Port_G2, SBC_IP_G, SBC_MAC_G to be rewritten to Src: SBC_Port_K, SBC_IP_K, SBC_MAC_K Dest: Port_F, IP_F, MAC_F and directed to communications device E 1010). 
Sharma does not explicitly disclose establishing a processing prioritization based on a first specificity of the first service device policy and a second specific of the second service device policy; and based on the processing prioritization: offloading enforcement of the second service device policy, prior to offloading enforcement of the first service device policy, onto the network device fabric.
Gupta discloses establishing a processing prioritization based on a first specificity of the first service device policy and a second specific of the second service device policy (see [0054]; a general policy may allow a certain communication while a more specific policy may block the communication. In some such example embodiments, various resolution techniques can be implemented; for example, the policies can be ordered according to importance and the first matching policy can be enforced with respect to the communication. In some example embodiments, the most specific policy can be implemented; specific meaning that the match is according to a high degree of granularity. For example, a policy (or EPG) that pertains to an IP address of 192.168.1.5 is more specific than a policy or EPG that pertains to an IP subnet of 192.168.1.0/24 because the former describes a single IP address instead of the latter, which is applicable to 254 IP addresses. Specificity can be determined by any of the packet attributes described in a policy, such as IP address, port, etc.; also see [0063] in view of Fig.6:610; the policy engine prioritizes enforcement based on granularity (or specificity); and 
based on the processing prioritization: offloading enforcement of the second service device policy, prior to offloading enforcement of the first service device policy, onto the network device fabric (see [0054]; also see [0062]-[0063] in view of Fig.6:610-614; network may be capable of resolving policy enforcing more specific policies before less specific policies; the policy engine prioritizes enforcement based on granularity (or specificity),… and add the one or more policies to the one or more policies to the policy table; also see [0068]; one of the policies in conflict can have an increased level of specificity in comparison to the other policies. A policy with increased specificity can be associated with a smaller collection of endpoints, ports, protocols, etc. Thus, the policy with increased specificity can be applied instead of the conflicting other policies. In some example embodiments, policies are applied in a sequential order even if they are in conflict).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Gupta with Sharma to obtain a second service device policy prior to deriving the first network device rule; establish a processing prioritization based on a first specificity of the first service device policy and a second specific of the second service device policy; and based on the processing prioritization: to offload enforcement of the second service device policy, prior to offloading enforcement of the first service device policy, onto the network device fabric.
One of ordinary skill in the art would have been motivated so that conditional policies can be dynamically enforced by the components depending on a network control scheme implemented by a network (Gupta: [0030]).

Regarding claim 10, Sharma (modified by Gupta) discloses the method of claim 9, as set forth above. In addition, Gupta further discloses wherein establishing the processing prioritization based on the first and second specificities (see [0054]; also see [0063] in view of Fig.6:610), comprises: 
examining the second service device policy (Fig.3:301) to identify at least a second set of qualifiers (Fig.3:304 and 308; also see [0050]; Policy table 300 can include policies 301a-301f (collectively, "301") for enforcement in a network… Each policy 301 can specify packet attributes 302 such as source 304, destination 308, and action 316 to be applied to a packet when the packet matches each of packet attributes 302… In some example embodiments, the source and destination are of different types (e.g., source is a MAC address while destination is an endpoint group) while in some example embodiments one or both of source and destination are not specified; also see [0054]; a policy (or EPG) that pertains to an IP address of 192.168.1.5 is more specific than a policy or EPG that pertains to an IP subnet of 192.168.1.0/24 because the former describes a single IP address instead of the latter, which is applicable to 254 IP addresses. Specificity can be determined by any of the packet attributes described in a policy, such as IP address, port, etc.; also see [0063] in view of Fig.6:610); 
measuring the first specificity based at least on a first cardinality of the first set of qualifiers (see Fig.3:304 and 308 for row 301a; also see [0050]; in some example embodiments one or both of source and destination are not specified; also see [0054]; Specificity can be determined by any of the packet attributes described in a policy, such as IP address, port, etc.; also see [0063] in view of Fig.6:610; also see Fig.5: 502 and 504 for row 501a); 
measuring the second specificity based at least on a second cardinality of the second set of qualifiers (see Fig.3:304 and 308 for row 301e; Fig.3:304 and 308; also see [0050]; In some example embodiments, the source and destination are of different types (e.g., source is a MAC address while destination is an endpoint group); also see [0054]; Specificity can be determined by any of the packet attributes described in a policy, such as IP address, port, etc.; also see [0063] in view of Fig.6:610; also see Fig.5: 502 and 504 for rows 501b and/or 501d); 
making a determination, based on the second specificity exceeding the first specificity, that the second service device policy is more specific than the first service device policy (see [0054]; a policy (or EPG) that pertains to an IP address of 192.168.1.5 is more specific than a policy or EPG that pertains to an IP subnet of 192.168.1.0/24 because the former describes a single IP address instead of the latter, which is applicable to 254 IP addresses; also see [0062]-[0063] in view of Fig.6:610-614; network may be capable of resolving policy conflicts, such as enforcing more specific policies before less specific policies; also see [0068]; one of the policies in conflict can have an increased level of specificity in comparison to the other policies); and 
establishing the processing prioritization based on the determination (see [0054]; the most specific policy can be implemented; specific meaning that the match is according to a high degree of granularity; also see [0062]-[0063] in view of Fig.6:610-614; network may be capable of resolving policy conflicts, such as enforcing more specific policies before less specific policies; the policy engine prioritizes enforcement based on granularity (or specificity); also see [0068]; one of the policies in conflict can have an increased level of specificity in comparison to the other policies. A policy with increased specificity can be associated with a smaller collection of endpoints, ports, protocols, etc. Thus, the policy with increased specificity can be applied instead of the conflicting other policies. In some example embodiments, policies are applied in a sequential order even if they are in conflict; also see claim 3; the one or more policies are prioritized over the one or more first policies based on the one or more policies corresponding to a higher level of specificity than the one or more first policies).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Gupta with Sharma so that establishing the processing prioritization based on the first and second specificities, comprises: examining the second service device policy to identify at least a second set of qualifiers; measuring the first specificity based at least on a first cardinality of the first set of qualifiers; measuring the second specificity based at least on a second cardinality of the second set of qualifiers; making a determination, based on the second specificity exceeding the first specificity, that the second service device policy is more specific than the first service device policy; and establishing the processing prioritization based on the determination.
One of ordinary skill in the art would have been motivated so that conditional policies can be dynamically enforced by the components depending on a network control scheme implemented by a network (Gupta: [0030]).

Claim(s) 6-8Sharma et al. (hereinafter, Sharma, US 20180337849 A1) in view of Ashley et al. (hereinafter, Ashley, US 20170155681 A1).
Regarding claim 6, Sharma discloses the method of claim 5, as set forth above. Although, and as forth above, Sharma discloses transmitting the rule commit command (see [0093]; also see [0218]), Sharma does not explicitly disclose wherein the success of the first attempt, comprises: in response to transmitting the rule commit command: receiving a rule commit report from each network device of the network device set, wherein all rule commit reports indicate a successful commit of the first network device rule.
Ashley discloses wherein the success of the first attempt, comprises: 
in response to transmitting the rule commit command (also see [0038] in view of Fig.10:1020; the network flow controller, based on the new network flow information, sends deployment commands to policy enforcement points affected by the new network flow): 
receiving a rule commit report from each network device of the network device set (see [0038] in view of Fig.10:1030-1040; the network flow controller waits for an acknowledgement form the affected policy enforcement points… the network flow controller receives an acknowledgement from the enforcement points; also see [0040] in view of Fig.11:1120-1150; If the policies were successfully loaded, then the operation proceeds to step 1150 where the enforcement point notifies the network flow controller about the successful policy loading), 
wherein all rule commit reports indicate a successful commit of the first network device rule (see [0038] in view of Fig.10:1030-1040; the network flow controller receives an acknowledgement from the enforcement points; also see [0040] in view of Fig.11:1120-1150; If the policies were successfully loaded, then the operation proceeds to step 1150 where the enforcement point notifies the network flow controller about the successful policy loading).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Ashley with Sharma so that the success of the first attempt, comprises: in response to transmitting the rule commit command: receiving a rule commit report from each network device of the network device set, wherein all rule commit reports indicate a successful commit of the first network device rule.


Regarding claim 7, Sharma discloses the method of claim 1, as set forth above. In addition, Sharma discloses the method further comprising:
obtaining, from the service device, a second service device policy (see [0167]; the SBC sends instructions and/or information to the SDN controller to configure SDN switches of the SDN network 1006 that receive packets with the 6-tuple Src: Port_E, IP_E, MAC_E Dest: SBC_Port_J, SBC_IP_J, SBC_MAC_J are rewritten to Src: SBC_Port_G1, SBC_IP_G, SBC_MAC_G Dest: MID_Port_H1, MID_IP_H, MID_MAC_H and directed to the media interworking device in the SDN network having address MID_Port_H1, MID_IP_H and MID_MAC_H for receiving media packets. Also the SBC sends instructions and/or information to the SDN controller to configure SDN switches of the SDN network 1006 to rewrite packets received with the 6-tuple Src: MID_Port_H2, MID_IP_H, MID_MAC_H Dest: SBC_Port_G2, SBC_IP_G, SBC_MAC_G to be rewritten to Src: SBC_Port_K, SBC_IP_K, SBC_MAC_K Dest: Port_F, IP_F, MAC_F and directed to communications device E 1010); 
examining the second service device policy to identify a second set of qualifiers and a second traffic flow action (see [0019]; method including the steps of: … (iii) operating the SDN controller to receive the instructions for the media micro flow service from the SBC; (iv) operating the SDN controller to identify one or more SDN programmable switches on which to install the instructions for the media micro flow service; also see [0205]; SBC is operated to generate instructions that include information by which the first programmable switch can identify packets of the first media packet flow and an action/command for the first programmable switch; examiner articulates that identifying one or more SDN programmable switches of the media packet flow based on second policy instruction for the media micro flow service received from SBC imply examining the second policy and identifying a second set of ; 
deriving, from the second service device policy, a second network device rule (see [0060] lines 15-22; the SBC 134 then uses the SDN control plane interface to communicate one or more rules that the SBC 134 wants propagated into the network. The SDN controller 112 determines how to apply these rules and depending on the implementation may translate the rules into lower level primitives and install them into the programmable network switches, e.g., SDN OpenFlow switches) comprising the second set of qualifiers and the second traffic flow action (see last 2 lines of [0059]; SDN controller 112 dynamically programs flows in the SDN system 100; also see [0083]; the SDN switch 300 includes one or more components for implementing instructions received from an SDN controller, the instructions including for example identifying packets of a media packet flow and performing actions upon the packets of a media packet flow; In some embodiments, the instructions include matching a packet to a flow based on the contents of the IPv4 or IPv6 packet header and modifying the IP address, before forwarding).
Sharma does not explicitly disclose making a second attempt at the fabric-wide deployment of the second network device rule, wherein the second attempt fails.
Ashley discloses making a second attempt at the fabric-wide deployment of the second network device rule (also see [0038] in view of Fig.10:1020; the network flow controller, based on the new network flow information, sends deployment commands to policy enforcement points affected by the new network flow), wherein the second attempt fails (see [0038] in view of Fig.10:1030-1050; enforcement point fails to load the appropriate policies).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Ashley with Sharma in order to make a second attempt at the fabric-wide deployment of the second network device rule, wherein the second attempt fails.
One of ordinary skill in the art would have been motivated to facilitate resending the notification to the affected endpoints so that the network flow controller can direct the new flow to the next hop if the 

Regarding claim 8, Sharma (modified by Ashley) discloses the method of claim 7, as set forth above. In addition, Sharma further discloses the attempt comprising:
identifying a network device set that forms the network device fabric (see [0019]; method including the steps of: … (iii) operating the SDN controller to receive the instructions for the media micro flow service from the SBC; (iv) operating the SDN controller to identify one or more SDN programmable switches on which to install the instructions for the media micro flow service); 
generating a rule commit command using the second network device rule (see [0093]; SBC upon determining the type of microflow to be established from a media perspective for a call/media session realizes the SBC media services or redirection services required for the microflow by programming the underlying SDN network and in particular the programmable switches of the SDN network typically by exchanging and/or sending instructions, commands and/or information to the SDN controller which in turn programs, i.e., installs instructions for execution into the programmable switches to implement the policies and instructions provided by the SBC; examiner articulates that the program instructions generated by the SDN controller based on policies and instructions provided by the SBC for the programmable switches corresponds to rule commit command generated using the first network device rule); and 
transmitting the rule commit command to each network device of the network device set (see [0093]; SBC upon determining the type of microflow to be established from a media perspective for a call/media session realizes the SBC media services or redirection services required for the microflow by programming the underlying SDN network and in particular the programmable switches of the SDN network typically by exchanging and/or sending instructions, commands and/or information to the SDN controller which in turn programs, i.e., installs instructions for execution into the programmable switches to implement the policies and instructions provided by the SBC; also see [0218]; The SDN network then transmits the instructions generated in response to the SBC instructions/commands to a programmable SDN switch that will receive the first media packet flow from the ingress SDN switches).
Sharma does not explicitly disclose making a second attempt. Sharma also does not explicitly teach in response to transmitting the rule commit command: receiving a rule commit report from each network device of the network device set, wherein at least one rule commit report indicates a failed commit of the second network device rule.
However, Ashley discloses wherein the failure of the second attempt (see [0038] in view of Fig.10:1030-1050), comprises: 
identifying a network device set that forms the network device fabric (see [0038] in view of Fig.10:1020; the network flow controller, based on the new network flow information, sends deployment commands to corresponding policy enforcement points affected by the new network flow; examiner articulates that sending deployment commands to corresponding policy enforcement points affected by the new network flow involves identifying the corresponding policy enforcement points of the network that are affected by the new network flow); 
generating a rule commit command using the second network device rule (see [0038] in view of Fig.10:1020; the network flow controller, based on the new network flow information, sends deployment commands to corresponding policy enforcement points affected by the new network flow; examiner articulates that deployment commands based on the new network flow information correspond to a rule commit command generated using the second network device rule); 
transmitting the rule commit command to each network device of the network device set (see [0038] in view of Fig.10:1020; the network flow controller, based on the new network flow information, sends deployment commands to corresponding policy enforcement points affected by the new network flow); and 
in response to transmitting the rule commit command (see [0038] in view of Fig.10:1020; the network flow controller, based on the new network flow information, sends deployment commands to policy enforcement points affected by the new network flow): 
receiving a rule commit report from each network device of the network device set (see [0038] in view of Fig.10:1030-1040; the network flow controller waits for an acknowledgement form the affected policy enforcement points… the network flow controller receives an acknowledgement from the enforcement points; also see [0040] in view of Fig.11:1120-1140; If an error occurred, then the operation proceeds to step 1140 where the enforcement point notifies the network flow controller about the failure of policy loading), wherein at least one rule commit report indicates a failed commit of the second network device rule (see [0040] in view of Fig.11:1120-1140; If an error occurred, then the operation proceeds to step 1140 where the enforcement point notifies the network flow controller about the failure of policy loading).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Ashley with Sharma to receive a rule commit report from each network device of the network device set, wherein at least one rule commit report indicates a failed commit of the second network device rule, in response to transmitting the rule commit command.
One of ordinary skill in the art would have been motivated to facilitate resending the notification to the affected endpoints so that the network flow controller can direct the new flow to the next hop if the network flow controller receives an acknowledgement from the enforcement points, or drop/ remove the new network flow from the policy enforcement operation (Ashley: [0038]-[0039]).

Claim(s) 11, 15-16 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharma et al. (hereinafter, Sharma, US 20180337849 A1) in view of Jain et al. (hereinafter, Jain, US 20140376367 A1).

Regarding claim 11, Sharma discloses the method of claim 1, as set forth above. In addition, Sharma discloses the method further comprising:
obtaining, from the service device, a second service device policy (see [0167]; the SBC sends instructions and/or information to the SDN controller to configure SDN switches of the SDN network 1006 that receive packets with the 6-tuple Src: Port_E, IP_E, MAC_E Dest: SBC_Port_J, SBC_IP_J, SBC_MAC_J are rewritten to Src: SBC_Port_G1, SBC_IP_G, SBC_MAC_G Dest: MID_Port_H1, MID_IP_H, MID_MAC_H and directed to the media interworking device in the SDN network having address MID_Port_H1, MID_IP_H and MID_MAC_H for receiving media packets. Also the SBC sends instructions and/or information to the SDN controller to configure SDN switches of the SDN network 1006 to rewrite packets received with the 6-tuple Src: MID_Port_H2, MID_IP_H, MID_MAC_H Dest: SBC_Port_G2, SBC_IP_G, SBC_MAC_G to be rewritten to Src: SBC_Port_K, SBC_IP_K, SBC_MAC_K Dest: Port_F, IP_F, MAC_F and directed to communications device E 1010). 
examining the second service device policy to identify a second set of qualifiers and a second traffic flow action (see [0019]; method including the steps of: … (iii) operating the SDN controller to receive the instructions for the media micro flow service from the SBC; (iv) operating the SDN controller to identify one or more SDN programmable switches on which to install the instructions for the media micro flow service; also see [0205]; SBC is operated to generate instructions that include information by which the first programmable switch can identify packets of the first media packet flow and an action/command for the first programmable switch; examiner articulates that identifying one or more SDN programmable switches of the media packet flow based on policy instruction for the media micro flow service received from SBC imply examining the second policy and identifying a second set of qualifiers, and identifying instructions for the media micro flow service (i.e., action/command for the first programmable switch) imply identifying a second traffic flow action).
Sharma does not explicitly disclose performing a lookup on a group assignment table using the second set of qualifiers, to identify a set of groups; deriving, from the second service device policy, a second network device rule comprising the set of groups; and making a second attempt at the fabric-wide deployment of the second network device rule.
performing a lookup on a group assignment table using the second set of qualifiers, to identify a set of groups (see [0029] in view of Fig.4A:406; in response to identifying the policy being triggered, the system determines the traffic parameters of the flow at the next or previous hop (operation 406). Note that, if the traffic flow direction is going into the network, the edge node determines the traffic parameters of the flow at the next hop node by performing a reverse route lookup; also see [0011]; when a traffic flow that traverses one or more network address translation (NAT) layers is initiated, a reverse NAT lookup and/or routing lookup is performed, and the edge policy is pushed up to the PEP node that is closest to the origination or destination of the traffic flow; also see [0018] and [0026]; a reverse source route lookup is performed by edge device 302 to determine the source route of the flow. In some embodiments, the reverse source route lookup may involve a reverse NAT lookup, such as lookup of a NAT rule in the NAT translation table; examiner articulates that the source and/or destination IP address extracted from the current traffic flow policy corresponds to a second set of qualifiers identified; examiner also articulates that performing a reverse NAT lookup in the NAT translation table (and/or routing lookup) to determine the next or previous hop (source route of the flow) that is closest to the origination or destination of the traffic flow implies performing a lookup on a group assignment table using the second set of qualifiers to identify a set of groups); 
deriving, from the second service device policy, a second network device rule comprising the set of groups (see [0029] in view of Fig.4A:408; Based on the determined traffic parameters, the edge node translates the policy statement; also see [0026]; Using the same NAT rule, edge device 302 can translate the policy statement. The translated policy statement is now relevant to the source address of the flow at IN 304; examiner articulates that translating the policy statement to generate a translated policy statement corresponds to deriving a second network device rule from the second service device policy); and 
making a second attempt at the fabric-wide deployment of the second network device rule (see [0026]; Edge device 302 further sends the translated policy statement to IN 304 to allow IN 304 to enforce the policy to the flow accordingly. IN 304 may choose to enforce the policy based on the offloading policy enforcement tasks to intermediate nodes; also see [0029] in view of Fig.4A:410).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Jain with Sharma to perform a lookup on a group assignment table using the second set of qualifiers, to identify a set of groups; derive, from the second service device policy, a second network device rule comprising the set of groups; and make a second attempt at the fabric-wide deployment of the second network device rule.
One of ordinary skill in the art would have been motivated to significantly improve throughput at edge device by enforcing policy at a point closest to the traffic originating point (Jain: [0026] last 7 lines).

Regarding claim 15, Sharma (modified by Jain) discloses the method of claim 11, as set forth above. In addition, Jain further discloses wherein the second network device rule is directed to a redirect network device rule subclass (see [0016]; distributed Policy Enforcement Point (PEP) offloads the processing of the edge policies to multiple PEP nodes within the tenant network. In some embodiments, the edge policy is enforced at a PEP node that is closest to the traffic destination/origination point within the tenant network. Given the dynamic nature of traffic and the various network elements (such as load balancers or switches that perform NAT) that may alter the traffic parameters (such as source/destination address and port), expressions of the edge policy (such as firewall rules, which are often implemented using IP-address/port based traffic filters) also need to be dynamically adjusted).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Jain with Sharma so that the second network device rule is directed to a redirect network device rule subclass.
One of ordinary skill in the art would have been motivated to significantly improve throughput at edge device by enforcing policy at a point closest to the traffic originating point (Jain: [0026] last 7 lines).

Regarding claim 16, Sharma (modified by Jain) discloses the method of claim 11, as set forth above. In addition, Jain further discloses: 
making a determination that the second attempt had succeeded (see [0030] in view of Fig.4B:420-422; the intermediate node receives a policy statement associated with a flow, and determines whether to apply the policy locally; examiner articulates that determining whether to apply the received policy locally encompasses determining that the deployed/ offloaded network policy rule was successful received, i.e. the attempt at deployment of rule had succeeded); 
deriving, from the second service device policy and based on the determination (see [0030] in view of Fig.4B:420-422), a third network device rule comprising the set of groups and the second traffic flow action (see [0030] in view of 426-428; the intermediate node determines traffic parameters of the flow at the next or previous hop (operation 426), translates the received policy statement based on the determined traffic parameters (operation 428), and forwards the translated policy statement to the next/previous hop; also see [0027]; translation of a triggered policy reflect any possible changes in traffic parameters, such as modified destination address of the flow; also see [0018]; policy checking mechanism determines whether the incoming/outgoing traffic flow triggers a policy. For example, a firewall rule stored in policy database 206 may state that any incoming (going into the tenant network) traffic flow with a destination IP address of 192.168.0.x should be dropped, or any incoming traffic flow with a destination IP address of 192.168.0.y should be allowed. In another example, a firewall rule may state that any outgoing traffic that has a source IP address of 10.10.1.x should be allowed. As a result, if a received initial packet of the traffic flow has a destination address of 192.168.0.x, 192.168.0.y, or 10.10.1.x, security-policy checking mechanism 204 will determine that a security rule has been triggered and identify the corresponding firewall rule; examiner articulates that firewall rule for dropping or allowing traffic flow based on destination IP address of 192.168.0.x imply third network device rule comprising the set of groups and the second traffic flow action); and 
making a third attempt at the fabric-wide deployment of the third network device rule (see [0030] in view of Fig.4B:430; intermediate node determines traffic parameters of the flow at the next or forwards the translated policy statement to the next/previous hop; also see [0026]; Edge device 302 further sends the translated policy statement to IN 304 to allow IN 304 to enforce the policy to the flow accordingly. IN 304 may choose to enforce the policy based on the translated policy statement or continue to push the enforcement of the policy upstream to its previous hop… offloading policy enforcement tasks to intermediate nodes; also see [0021]; translated policy statement now states that traffic flow with a destination IP address of 10.10.1.x should be dropped. Policy-forwarding mechanism 212 then forwards the translated policy statement to the next hop, thus allowing the next hop node to enforce the policy using the translated policy statement…The process of forwarding translated policy statements may be a cascaded process where each node translates the policy statement and forwards the translated policy statement to its next hop).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Jain with Sharma to make a determination that the second attempt had succeeded; derive, from the second service device policy and based on the determination, a third network device rule comprising the set of groups and the second traffic flow action; and make a third attempt at the fabric-wide deployment of the third network device rule.
One of ordinary skill in the art would have been motivated to significantly improve throughput at edge device by enforcing policy at a point closest to the traffic originating point (Jain: [0026] last 7 lines).

Regarding claim 18, Sharma (modified by Jain) discloses the method of claim 16, as set forth above. In addition, Jain further discloses wherein the third network device rule is directed to a fail- close network device rule subclass (see [0018]; policy checking mechanism determines whether the incoming/outgoing traffic flow triggers a policy. For example, a firewall rule stored in policy database 206 may state that any incoming (going into the tenant network) traffic flow with a destination IP address of 192.168.0.x should be dropped; also see [0021]; translated policy statement now states that traffic flow with a destination IP address of 10.10.1.x should be dropped. Policy-forwarding mechanism 212 then forwards the translated policy statement to the next hop, thus allowing the next hop node to enforce the policy using the translated policy statement; examiner articulates that a network device rule directed to the dropping (or discarding) of intercept network traffic flows corresponds to fail- close network device rule subclass).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Jain with Sharma so that the third network device rule is directed to a fail-close network device rule subclass.
One of ordinary skill in the art would have been motivated to enhance the effectiveness of a firewall (denied traffic flow will be dropped immediately after its initiation) and ultimately increase traffic throughput (Jain: [0022] last 4 lines).

Claim(s) 12-14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharma et al. (hereinafter, Sharma, US 20180337849 A1) in view of Jain et al. (hereinafter, Jain, US 20140376367 A1) and in view of Gupta et al. (hereinafter, Gupta, US 20160359913 A1).

Regarding claim 12, Sharma (modified by Jain) discloses the method of claim 11, as set forth above. Sharma (modified by Jain) does not disclose wherein the second set of qualifiers comprises an intercept source qualifier (ISQ) reflecting a LISTED state and an intercept destination qualifier (IDQ) reflecting an ANY state, wherein the set of groups comprises at least one source group.
Gupta discloses wherein the second set of qualifiers (see Fig.3:304 and 308) comprises an intercept source qualifier (ISQ) (see Fig.3:304) reflecting a LISTED state (see Fig.3:304 at rows 301a-d that list the source address/ ID) and an intercept destination qualifier (IDQ) (see Fig.3:308) reflecting an ANY state (see Fig.3:308 at row 301f), wherein the set of groups comprises at least one source group (see Fig.3:304; also see [0050]; Each policy 301 can specify packet attributes 302 such as source 304, destination 308, and action 316 to be applied to a packet when the packet matches each of packet attributes 302; in some example embodiments one or both of source and destination are not specified).

One of ordinary skill in the art would have been motivated so that conditional policies can be dynamically enforced by the components depending on a network control scheme implemented by a network (Gupta: [0030]).

Regarding claim 13, Sharma (modified by Jain) discloses the method of claim 11, as set forth above. Sharma (modified by Jain) does not disclose wherein the second set of qualifiers comprises an intercept source qualifier (ISQ) reflecting an ANY state and an intercept destination qualifier (IDQ) reflecting a LISTED state, wherein the set of groups comprises at least one destination group.
Gupta discloses wherein the second set of qualifiers (see Fig.3:304 and 308) comprises an intercept source qualifier (ISQ) (see Fig.3:304) reflecting an ANY state (see Fig.3:304 at rows 301e-f) and an intercept destination qualifier (IDQ) (see Fig.3:308) reflecting a LISTED state (see Fig.3:308 at rows 301a-e that list the destination address/ ID), wherein the set of groups comprises at least one destination group (see Fig.3:308; also see [0050]; Each policy 301 can specify packet attributes 302 such as source 304, destination 308, and action 316 to be applied to a packet when the packet matches each of packet attributes 302; in some example embodiments one or both of source and destination are not specified).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Gupta with Sharma and Jain so that the second set of qualifiers comprises an intercept source qualifier (ISQ) reflecting an ANY state and an intercept destination qualifier (IDQ) reflecting a LISTED state, wherein the set of groups comprises at least one destination group.


Regarding claim 14, Sharma (modified by Jain) discloses the method of claim 11, as set forth above. Sharma (modified by Jain) does not disclose wherein the second set of qualifiers comprises an intercept source qualifier (ISQ) reflecting a LISTED state and an intercept destination qualifier (IDQ) reflecting the LISTED state, wherein the set of groups comprises at least one source group and at least one destination group.
Gupta discloses wherein the second set of qualifiers (see Fig.3:304 and 308) comprises an intercept source qualifier (ISQ) (see Fig.3:304) reflecting a LISTED state (see Fig.3:304 at rows 301a-d that list the source address/ ID) and an intercept destination qualifier (IDQ) (see Fig.3:308) reflecting the LISTED state (see Fig.3:308 at rows 301a-e that list the destination address/ ID), wherein the set of groups comprises at least one source group and at least one destination group (see Fig.3:304; also see [0050]; Each policy 301 can specify packet attributes 302 such as source 304, destination 308, and action 316 to be applied to a packet when the packet matches each of packet attributes 302; In some example embodiments, the source and destination are of different types (e.g., source is a MAC address while destination is an endpoint group) while in some example embodiments one or both of source and destination are not specified).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Gupta with Sharma and Jain so that the second set of qualifiers comprises an intercept source qualifier (ISQ) reflecting a LISTED state and an intercept destination qualifier (IDQ) reflecting the LISTED state, wherein the set of groups comprises at least one source group and at least one destination group.
.

Claim 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharma et al. (hereinafter, Sharma, US 20180337849 A1) in view of Jain et al. (hereinafter, Jain, US 20140376367 A1) and in view of Ashley et al. (hereinafter, Ashley, US 20170155681 A1).
Regarding claim 17, Sharma (modified by Jain) discloses the method of claim 11, as set forth above. Sharma (modified by Jain) does not disclose prior to examining the second service device policy: obtaining a service device unreachability semantic; and prior to making the second attempt: making a determination that the service device unreachability semantic is a fail-close unreachability semantic; deriving, from the second service device policy and based on the determination, a third network device rule comprising the set of groups; and making a third attempt at the fabric-wide deployment of the third network device rule.
Ashley discloses prior to examining the second service device policy (see [0040] in view of Fig.11:1110; operation returns to step 1110 to await further communication from the network flow controller… policy enforcement point awaiting a policy deployment command which is provided by the network flow controller; examiner articulates that returning to step 1110 to wait for new policy deployment command from the network flow controller implies that the network flow controller hasn’t examined and provided new policy deployment command): 
obtaining a service device unreachability semantic (see [0040] in view of Fig.11:1140; enforcement point notifies the network flow controller about the failure of policy loading; also see [0038-[0039] in view of Fig.10:1030-1050; if the network flow controller determines that a timeout occurs and/or an enforcement point fails to load the appropriate policies, the then operation proceeds to step 1050; also see [0019]; the network flow controller has knowledge of any networks associated with the controller, has knowledge of any endpoints operationally coupled to the networks and has knowledge of the policy that is appropriate to each endpoint, … when a policy is no longer needed when an endpoint is moved or removed/ destroyed; examiner articulates that the network flow controller knowing when an endpoint has been moved or removed/ destroyed, such as via timeout notifications, corresponds to the network flow controller obtaining a service device unreachability semantic); and 
prior to making the second attempt (see [0040] in view of Fig.11:1110; operation returns to step 1110 to await further communication from the network flow controller… policy enforcement point awaiting a policy deployment command which is provided by the network flow controller; examiner articulates that returning to step 1110 to wait for new policy deployment command from the network flow controller implies that the network flow controller hasn’t made new attempt for policy deployment): 
making a determination that the service device unreachability semantic is a fail-close unreachability semantic (see [0040] in view of Fig.11:1140; enforcement point notifies the network flow controller about the failure of policy loading; also see [0038-[0039] in view of Fig.10:1030-1050; if the network flow controller determines that a timeout occurs and/or an enforcement point fails to load the appropriate policies, the then operation proceeds to step 1050; also see [0019]; the network flow controller has knowledge of any networks associated with the controller, has knowledge of any endpoints operationally coupled to the networks and has knowledge of the policy that is appropriate to each endpoint, … when a policy is no longer needed when an endpoint is moved or removed/ destroyed; examiner articulates that the network flow controller knowing when an endpoint has been moved or removed/ destroyed, such as via timeout notifications, corresponds to the network flow controller determining that the service device unreachability semantic is a fail-close unreachability semantic); 
deriving, from the second service device policy and based on the determination, a third network device rule comprising the set of groups (see [0038]-[0039] in view of 1040-1050; if the network flow controller determines that a timeout occurs and/or an enforcement point fails to load the appropriate policies, the then operation proceeds to step 1050… At step 1050, the network based upon the policy. More specifically, the network flow controller can resend the notification to the affected endpoints. The network flow controller can also remove the new network flow from the policy enforcement operation. The network flow controller can also direct the new network flow to a future hop (i.e., to a next processor in a series of processors); also see claim 3; responsive to detecting a time out, performing an action selected from a group consisting of resending a notification, dropping a new flow, and rerouting the network flow; also see [0019]; the network flow controller notifies enforcement points of the policy that is appropriate for any newly added endpoint or environment, directs traffic to the enforcement points after validating that an appropriate policy has been loaded and notifies enforcement points when a policy is no longer needed when an endpoint is moved or removed/ destroyed; examiner articulates that the new command to notify enforcement points when a policy is no longer needed when an endpoint is moved or removed/ destroyed (command to remove the network flow from the policy enforcement operation) corresponds to a third network device rule regarding the endpoint derived from the policy that is no longer needed); and 
making a third attempt at the fabric-wide deployment of the third network device rule (see [0038]-[0039] in view of 1040-1050; also see [0019]; the network flow controller notifies enforcement points of the policy that is appropriate for any newly added endpoint or environment, directs traffic to the enforcement points after validating that an appropriate policy has been loaded and notifies enforcement points when a policy is no longer needed when an endpoint is moved or removed/ destroyed; examiner articulates that the new command to notify enforcement points when a policy is no longer needed when an endpoint is moved or removed/ destroyed (command sent to remove the network flow from the policy enforcement operation) imply deployment of the third network device rule).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Ashley with Sharma to obtain a service 
One of ordinary skill in the art would have been motivated to facilitate resending the notification to the affected endpoints so that the network flow controller can direct the new flow to the next hop if the network flow controller receives an acknowledgement from the enforcement points, or drop/ remove the new network flow from the policy enforcement operation (Ashley: [0038]-[0039]).

Additional References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Hu et al. (US 20090228954 A1) discloses local policy engine that offloads policy enforcement from a centralized policy enforcement engine.
Stiekes (US 20130212641 A1) teaches an optimized platform to allow distributed policy enforcement for network instrumentation.
Non-Patent Literature to Klaedtke et al. (“Towards an access control scheme for accessing flows in SDN”, 2015, IEEE) teaches the installation, modification, and deletion of an entry in a flow table is done by sending an OpenFlow message of type OFPT FLOW MOD from the controller to the switches.
Sharma et al. (US 20170331739 A1) discloses that a firewall can offload some of the ACL policy enforcement to a switch that directs traffic towards the firewall.
Chen et al. (US 20190075133 A1) teaches an SDN application can provide the control policy (directly or by way of the SDN controller) to allow for policy enforcement.
Yoakum et al. (US 20140095724 A1) teaches distributed policy enforcement agent to enforce enterprise policies at an endpoint within the enterprise network.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANDARVA KHANAL whose telephone number is (571)272-8107.  The examiner can normally be reached on MON-FRI, 0800-1700.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached on 571-272-5863.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/SANDARVA KHANAL/Examiner, Art Unit 2453                                                                                                                                                                                                        
/KAMAL B DIVECHA/Supervisory Patent Examiner, Art Unit 2453