DETAILED ACTION
The amendment to Application Ser. No. 16/135,839 filed on October 12, 2021, has been entered. Claims 1, 13 and 17 are currently amended. Claims 1-20 are pending and are examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Arguments
The amendment to Claim 1 has overcome the objection to the claims for minor informalities set forth in the Final Office Action mailed August 23, 2021. The objection to the claims for minor informalities is hereby withdrawn.

The amendment to Claims 1, 13 and 17 has overcome the rejection of Claims 1-20 under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or joint inventor regards as the invention set forth in the Final Office Action mailed August 23, 2021. Outstanding issues under 35 U.S.C. 112(b) are addressed by the Examiner' s Amendment set forth below.

The amendment to Claims 1, 13 and 17 has overcome the rejection of Claims 1-20 under 35 U.S.C. 103 set forth in the Final Office Action mailed August 23, 2021. The rejection of Claims 1-20 under 35 U.S.C. 103 is hereby withdrawn. 

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given by Matthew Frontz (Reg. #65,198) on October 25, 2021, during a telephone interview with the Examiner.

Please amend the claims as follows:

1. (Currently Amended)  A computer-implemented method comprising:
transmitting, from a network management system in a first Layer 3 (L3) network to a first networking device in the first L3 network, at a configurable interval or in response to a network failure, a request for a first L3-Layer 2 (L2) mapping to determine a unique identity of an endpoint of a second L3 network;
receiving, over a secure connection by the first networking device, the first L3-L2 mapping from a second networking device in the second L3 network, wherein the secure connection is established between a first security appliance of the first L3 network and a second security appliance of the second L3 network;

in response to determining that the L2 network address is associated with the third networking device, receiving, by the network management system, a second L3-L2 mapping from the third networking device;
determining, by the network management system and based on the second L3-L2 mapping, whether an L2 network address in the second L3-L2 mapping is associated with a fourth networking device or the endpoint;
in response to determining that the L2 network address [[of]] in the first L3-L2 mapping or the second L3-L2 mapping is associated with the endpoint, storing, by the network management system, an L3 network address associated with the L2 network address and the L2 network address as an identity of the endpoint;
monitoring network traffic to and from the L3 network address;
correlating the monitored network traffic with the endpoint based on the identity of the endpoint; and
presenting, by the network management system at a graphical user interface, metadata of the endpoint, one or more network policies associated with the endpoint, and network utilization information of the endpoint using the correlation of the monitored network traffic to and from the L3 network address of the endpoint including at least a graph of the network utilization information over a period of time related to the network failure.


resolving an L2 network address of the endpoint from the L3 network address of the endpoint based on the identity of the endpoint.

3. (Original) The computer-implemented method of claim 1, further comprising:
correlating the network traffic to the L3 network address to the endpoint within a first portion of a period of time that the endpoint is assigned to the L3 network address; and
correlating second network traffic to the L3 network address to a second endpoint within a second portion of the period of time that the second endpoint is assigned to the L3 network address.

4. (Original) The computer-implemented method of claim 1, further comprising: 
transmitting a first Simple Network Management Protocol (SNMP) message to the first networking device requesting for one of an Address Resolution Protocol (ARP) table or a Neighbor Discovery Protocol (NDP) neighbor table of the first networking device.

5. (Original) The computer-implemented method of claim 4, further comprising: 
transmitting a second SNMP message to the second networking device requesting for one of an ARP table or a NDP neighbor table of the second networking device.



7. (Original) The computer-implemented method of claim 5, wherein the second SNMP message it transmitted after the network management system receives an SNMP response to the first SNMP message.

8. (Original) The computer-implemented method of claim 4, wherein the first SNMP message is transmitted at a regular interval of time.

9. (Original) The computer-implemented method of claim 4, wherein the first SNMP message is transmitted in response to the network management system detecting a connection from the L3 network address after a predetermined period of time from a last connection.

10. (Currently Amended) The computer-implemented method of claim 1, further comprising: 
querying a database including Media Access Control (MAC) addresses for networking devices of the second L3 network 


querying a database including Media Access Control (MAC) addresses for endpoints of the second L3 network 

12. (Previously Presented) The computer-implemented method of claim 1, wherein the secure connection is a secure tunnel between the first networking device and the second networking device.

13. (Currently Amended) A system comprising:
one or more processors; and
at least one computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to:
transmit, from the system in a first Layer 3 (L3) network to a first networking device in the first L3 network, at a configurable interval or in response to a network failure, a request for a first L3-Layer 2 (L2) mapping to determine a unique identity of an endpoint of a second L3 network;
receive, over a secure connection by the first networking device, [[a]] the first L3-L2 mapping from a second networking device in a second L3 network, wherein the secure connection is established between a first security appliance of the first L3 network and a second security appliance of the second L3 network;

in response to determining that the MAC address is associated with the third networking device, receive a second L3-L2 mapping 
determine, based on the second L3-L2 mapping, whether a MAC address in the second L3-L2 mapping is associated with a fourth networking device or the endpoint;
in response to determining that the MAC address [[of]] in the first L3-L2 mapping or the second L3-L2 mapping is associated with the endpoint, store an Internet Protocol (IP) address associated with the MAC address and the MAC address as an identity of the endpoint;
monitor network traffic to and from the IP address;
correlate the monitored network traffic with the endpoint based on the identity of the endpoint; and
present, at a graphical user interface, metadata of the endpoint, one or more network policies associated with the endpoint, and network utilization information of the endpoint using the correlation of the monitored network traffic to and from the IP address of the endpoint including at least a graph of the network utilization information over a period of time related to the network failure.


resolve a MAC address of the endpoint from the IP address of the endpoint based on the identity of the endpoint.

15. (Original) The system of claim 13, further comprising instructions which when executed further cause the one or more processors to:
correlate the network traffic to the IP address to the endpoint within a first portion of a period of time that the endpoint is assigned to the IP address; and
correlate second network traffic to the IP address to a second endpoint within a second portion of the period of time that the second endpoint is assigned to the IP address.

16. (Original) The system of claim 13, further comprising instructions which when executed further cause the one or more processors to:
query a database including MAC addresses for networking devices of the second L3 network using the first MAC address as a query.

17. (Currently Amended) A non-transitory computer-readable storage medium having stored therein instructions which, when executed by one or more processors of a system, cause the system to:
transmit, from the system in a first Layer 3 (L3) network to a first networking device in the first L3 network, at a configurable interval or in response to a network 
receive, over a secure connection by the first networking device, the first L3-L2 mapping from a second networking device in a second L3 network, wherein the secure connection is established between a first security appliance of the first L3 network and a second security appliance of the second L3 network;
determine, based on the first L3-L2 mapping, whether a Media Access Control (MAC) address in the first L3-L2 mapping is associated with a third networking device or the endpoint;
in response to determining that the MAC address is associated with the third networking device, receive a second L3-L2 mapping from the third networking device;
determine 
in response to determining that the MAC address [[of]] in the first L3-L2 mapping or the second L3-L2 mapping is associated with the endpoint, store an Internet Protocol (IP) address associated with the MAC address and the MAC address as an identity of the endpoint;
monitor network traffic to and from the IP 
correlate the monitored network traffic with the endpoint based on the identity of the endpoint; and
present, at a graphical user interface, metadata of the endpoint, one or more network policies associated with the endpoint, and network utilization information of the the IP address of the endpoint including at least a graph of the network utilization information over a period of time related to the network failure.

18. (Original) The non-transitory computer-readable storage medium of claim 17, further comprising instructions which when executed further cause the system to:
transmit a first Simple Network Management Protocol (SNMP) message to the first networking device requesting for one of an Address Resolution Protocol (ARP) table or a Neighbor Discovery Protocol (NDP) neighbor table of the first networking device; and 
transmit a second SNMP message to the second networking device requesting for one of an ARP table or a NDP neighbor table of the second networking device.

19. (Original) The non-transitory computer-readable storage medium of claim 18, wherein the second SNMP message it transmitted prior to the system receiving an SNMP response to the first SNMP message.

20. (Original) The non-transitory computer-readable storage medium of claim 18, wherein the first SNMP message is transmitted at a regular interval of time.


Allowable Subject Matter
Claims 1-20 are allowed.


The following is an examiner’s statement of reasons for allowance: upon further consideration and review, the prior art of record fails to anticipate or render obvious the claimed invention. The prior art discloses a system and method for determining a network connection structure of devices in a target service place using ARP tables and router management tables, i.e., mappings of IP addresses to MAC addresses, obtained from network devices in the target service place, wherein the determining includes determining whether a MAC address associated with IP address in the tables correspond to a networking device or an endpoint device (see Bang et al., US 2016/0044494 A1). Separately, the prior art discloses a system and method to identify media devices wherein monitored network traffic to a shared public IP address can be correlated to particular device using the device MAC address (see Kerkes et al., US 2018/0124009 A1). However, the cited prior art, alone or in combination, does not teach or reasonably suggest in combination with the other claim limitations transmitting, by a network management device in a first L3 network, at a configurable interval or in response to a network failure, a request for a first L3-L2 mapping to determine a unique identity of an endpoint of a second L3 network, and presenting, by the network management system at a graphical user interface, metadata of the endpoint, network polices associated with the endpoint, and network utilization information of the endpoint including at least a graph of the network utilization information over a time period related to the network failure using network traffic correlated to the endpoint, as recited in the following limitations of Claim 1 (and the substantially similar limitations of independent Claims 13 and 17, respectively):
“transmitting, from a network management system in a first Layer 3 (L3) network to a first networking device in the first L3 network, at a configurable interval or in response to a network failure, a request for a first L3-Layer 2 (L2) mapping to determine a unique identity of an endpoint of a second L3 network;” and 
“presenting, by the network management system at a graphical user interface, metadata of the endpoint, one or more network policies associated with the endpoint, and network utilization information of the endpoint using the correlation of the monitored network traffic to and from the L3 network address of the endpoint including at least a graph of the network utilization information over a period of time related to the network failure.”

Dependent Claims 2-12, 14-16 and 18-20 are allowable by virtue of its dependency upon allowable Independent Claims 1, 13 and 17, respectively.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM C MCBETH whose telephone number is (571)270-0495.  The examiner can normally be reached on Monday - Friday, 8:00AM - 4:30PM ET.
Examiner interviews are available via telephone, in-person, and video 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on 571-272-7304.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/WILLIAM C MCBETH/Examiner, Art Unit 2449                                                                                                                                                                                                        	
/VIVEK SRIVASTAVA/Supervisory Patent Examiner, Art Unit 2449