Notice of Allowance 
1.	This communication is in response to the amendments filed on 11/29/2021. After a thorough search, and in view of the prosecution history, applicant's remarks, and the prior art of record, claims 1-20 are allowed.

EXAMINER’S AMENDMENT
2.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
	Authorization for this examiner’s amendment was given by Eric Jones (Reg. No. 79,238) on 12/22/2021.

The application has been amended as follows: 
1.	(Currently Amended)	A method comprising:
receiving a first network configuration, wherein the first network configuration includes a plurality of subnets and a plurality of security zones;
generating an updated network configuration based on the first network configuration by:
generating, for a first security zone of the plurality of security zones, a first master class,
generating, for each respective subnet of the plurality of subnets, a respective bridge domain, and
for a first bridge domain:
creating a first local endpoint group (EPG) corresponding to the first security zone, 
assigning, to the first local EPG, the first master class for the first security zone, comprising setting one or more bits of a class field to a shared master value, and 
assigning, to the first local EPG, a first local class for the first security zone, comprising setting one or more bits of the class field to a unique local value;	
generating one or more contracts for the first master class based on the first network configuration; and
generating one or more contracts for the first local class based on the first network configuration, wherein the one or more contracts for the first master class and the one or more contracts for the first local class each apply to the first local EPG.

2.	(Original)	The method of claim 1, the method further comprising:
generating, for each respective security zone of the plurality of security zones, a respective master class;
for each respective bridge domain:
for each respective security zone of the plurality of security zones:
creating a respective local EPG corresponding to the respective security zone; and
assigning, to the respective local EPG, the respective master class corresponding to the respective security zone.

3.	(Currently Amended)	The method of claim 1, wherein assigning the first master class to the first local EPG corresponding to the first security zone causes nodes in the first local EPG corresponding to the first security zone to inherit a security configuration associated with the first security zone, such that the nodes in each local EPG associated with the first security zone share security contracts in the updated network configuration.

4.	(Original)	The method of claim 3, the method further comprising:
identifying a first contract associated with the first master class; and
applying the first contract to each local EPG corresponding to the first security zone.

5.	(Original)	The method of claim 1, the method further comprising:
assigning, to each respective local EPG corresponding to the first security zone, a respective local class, in addition to the first master class, wherein the respective local class is given priority over the first master class when identifying relevant contracts.

6.	(Currently Amended)	The method of claim 5, wherein assigning, to each respective local EPG corresponding to the first security zone, a respective local class comprises setting one or more bits of a class field to a unique local value.

7.	(Original)	The method of claim 5, the method further comprising:
creating a first application-specific contract for the first security zone by associating the first application-specific contract with the first master class; and
creating a first EPG-specific contract for a first local EPG corresponding to the first security zone by associating the first EPG-specific contract with a local class corresponding to the first local EPG.

8.	(Original)	The method of claim 7, the method further comprising:
determining that both the first application-specific contract and the first EPG-specific contract are applicable to a first data transmission from the first local EPG;
upon determining that the first application-specific contract conflicts with the first EPG-specific contract:
applying the first EPG-specific contract; and
refraining from applying the first application-specific contract.

9.	(Currently Amended)	A non-transitory computer-readable storage medium having computer-readable program code embodied therewith, the computer-readable program code executable by one or more computer processors to perform an operation comprising:
receiving a first network configuration, wherein the first network configuration includes a plurality of subnets and a plurality of security zones;
generating an updated network configuration based on the first network configuration by:
generating, for a first security zone of the plurality of security zones, a first master class,
generating, for each respective subnet of the plurality of subnets, a respective bridge domain, and
for a first bridge domain:
creating a first local endpoint group (EPG) corresponding to the first security zone, 
assigning, to the first local EPG, the first master class for the first security zone, comprising setting one or more bits of a class field to a shared master value, and 
assigning, to the first local EPG, a first local class for the first security zone, comprising setting one or more bits of the class field to a unique local value;	
generating one or more contracts for the first master class based on the first network configuration; and
generating one or more contracts for the first local class based on the first network configuration, wherein the one or more contracts for the first master class and the one or more contracts for the first local class each apply to the first local EPG.

10.	(Currently Amended)	The non-transitory computer-readable storage medium of claim 9, wherein assigning the first master class to the first local EPG corresponding to the first security zone causes nodes in the first local EPG corresponding to the first security zone to inherit a security configuration associated with the first security zone, such that the nodes in each local EPG associated with the first security zone share security contracts in the updated network configuration.

11. 	(Original)	The non-transitory computer-readable storage medium of claim 9, the operation further comprising:
assigning, to each respective local EPG corresponding to the first security zone, a respective local class, in addition to the first master class, wherein the respective local class is given priority over the first master class when identifying relevant contracts.

12. 	(Currently Amended)	The non-transitory computer-readable storage medium of claim 11, wherein assigning, to each respective local EPG corresponding to the first security zone, a respective local class comprises setting one or more bits of a class field to a unique local value.

13. 	(Original)	The non-transitory computer-readable storage medium of claim 11, the operation further comprising:
creating a first application-specific contract for the first security zone by associating the first application-specific contract with the first master class; and
creating a first EPG-specific contract for a first local EPG corresponding to the first security zone by associating the first EPG-specific contract with a local class corresponding to the first local EPG.

14. 	(Original)	The non-transitory computer-readable storage medium of claim 13, the operation further comprising:
determining that both the first application-specific contract and the first EPG-specific contract are applicable to a first data transmission from the first local EPG;
upon determining that the first application-specific contract conflicts with the first EPG-specific contract:
applying the first EPG-specific contract; and
refraining from applying the first application-specific contract.

15.  (Currently Amended)       A system comprising:
one or more computer processors; and 
a memory containing a program which when executed by the one or more computer processors performs an operation, the operation comprising:
receiving a first network configuration, wherein the first network configuration includes a plurality of subnets and a plurality of security zones;
generating an updated network configuration based on the first network configuration by:
generating, for a first security zone of the plurality of security zones, a first master class;
generating, for each respective subnet of the plurality of subnets, a respective bridge domain, and
for a first bridge domain:
creating a first local endpoint group (EPG) corresponding to the first security zone, 
assigning, to the first local EPG, the first master class for the first security zone, comprising setting one or more bits of a class field to a shared master value, and 
assigning, to the first local EPG, a first local class for the first security zone, comprising setting one or more bits of the class field to a unique local value;	
generating one or more contracts for the first master class based on the first network configuration; and
generating one or more contracts for the first local class based on the first network configuration, wherein the one or more contracts for the first master class and the one or more contracts for the first local class each apply to the first local EPG.

16.	(Currently Amended)	The system of claim 15, wherein assigning the first master class to the first local EPG corresponding to the first security zone causes nodes in the first local EPG corresponding to the first security zone to inherit a security configuration associated with the first security zone, such that the nodes in each local EPG associated with the first security zone share security contracts in the updated network configuration.

17. 	(Original)	The system of claim 15, the operation further comprising:
assigning, to each respective local EPG corresponding to the first security zone, a respective local class, in addition to the first master class, wherein the respective local class is given priority over the first master class when identifying relevant contracts.

18. 	(Currently Amended)	The system of claim 17, wherein assigning, to each respective local EPG corresponding to the first security zone, a respective local class comprises setting one or more bits of a class field to a unique local value.

19. 	(Original)	The system of claim 17, the operation further comprising:
creating a first application-specific contract for the first security zone by associating the first application-specific contract with the first master class; and
creating a first EPG-specific contract for a first local EPG corresponding to the first security zone by associating the first EPG-specific contract with a local class corresponding to the first local EPG.

20. 	(Original)	The system of claim 19, the operation further comprising:
determining that both the first application-specific contract and the first EPG-specific contract are applicable to a first data transmission from the first local EPG;
upon determining that the first application-specific contract conflicts with the first EPG-specific contract:
applying the first EPG-specific contract; and
refraining from applying the first application-specific contract.
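The following is an added illustrative model of the claimed scheme (claims 1-2, 5 and 8) and is not code from the application or its assignee. The layout of the class field is an assumption made for the example: the upper bits carry the master value shared by every local EPG in a security zone, the low 8 bits carry the value unique to one local EPG. The default-deny result when no contract matches, the subnet and zone names, and the port numbers are likewise constructed for the example.

```python
"""Master class / local class assignment per bridge domain and contract
resolution in which the EPG-specific (local class) contract takes priority
over the zone-wide (master class) contract on conflict. Illustrative model only."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional, Tuple

# Assumed encoding of the class field (not specified on the page):
# upper bits = master value shared by a security zone, low 8 bits = unique local value.
MASTER_SHIFT = 8
LOCAL_MASK = 0xFF


@dataclass(frozen=True)
class Contract:
    scope: str      # "master" (application-specific, zone-wide) or "local" (EPG-specific)
    cls: int        # master class value, or the full class field of one local EPG
    dst_zone: str
    port: int
    action: str     # "permit" or "deny"


@dataclass(frozen=True)
class Epg:
    name: str
    bridge_domain: str
    zone: str
    class_field: int

    @property
    def master_class(self) -> int:
        return self.class_field >> MASTER_SHIFT

    @property
    def local_class(self) -> int:
        return self.class_field & LOCAL_MASK


def build_config(subnets: List[str], zones: List[str]) -> Tuple[Dict[str, int], Dict[str, Epg]]:
    """One master class per zone, one bridge domain per subnet, and in each
    bridge domain one local EPG per zone carrying both the shared master value
    and a unique local value in its class field."""
    masters = {zone: i + 1 for i, zone in enumerate(zones)}
    local_ids = count(1)
    epgs: Dict[str, Epg] = {}
    for subnet in subnets:
        bd = f"bd-{subnet}"
        for zone in zones:
            local = next(local_ids)
            if local > LOCAL_MASK:
                raise ValueError("local class space exhausted")  # edge case of the assumed 8-bit field
            class_field = (masters[zone] << MASTER_SHIFT) | local
            name = f"{bd}/{zone}"
            epgs[name] = Epg(name, bd, zone, class_field)
    return masters, epgs


def applies(contract: Contract, epg: Epg) -> bool:
    """A master contract applies to every EPG sharing the master value; a local
    contract applies only to the EPG whose whole class field it names."""
    if contract.scope == "master":
        return contract.cls == epg.master_class
    return contract.cls == epg.class_field


def resolve(epg: Epg, contracts: List[Contract], dst_zone: str, port: int) -> Tuple[str, Optional[Contract]]:
    """Both contract sets apply to the EPG; when a local and a master contract
    both match the same transmission, the local one is applied and the master
    one is not. Default deny (assumed) when nothing matches."""
    matches = [c for c in contracts
               if applies(c, epg) and c.dst_zone == dst_zone and c.port == port]
    for scope in ("local", "master"):
        for c in matches:
            if c.scope == scope:
                return c.action, c
    return "deny", None


# Constructed sample input.
SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]
ZONES = ["web", "db"]


def demo() -> Dict[str, str]:
    """Zone-wide permit web->db:5432, overridden by an EPG-specific deny in one bridge domain."""
    masters, epgs = build_config(SUBNETS, ZONES)
    contracts = [
        Contract("master", masters["web"], "db", 5432, "permit"),
        Contract("local", epgs["bd-10.0.2.0/24/web"].class_field, "db", 5432, "deny"),
    ]
    return {name: resolve(epg, contracts, "db", 5432)[0]
            for name, epg in epgs.items() if epg.zone == "web"}


if __name__ == "__main__":
    _, all_epgs = build_config(SUBNETS, ZONES)
    for e in all_epgs.values():
        print(f"{e.name:<22} class=0x{e.class_field:04x} master={e.master_class} local={e.local_class}")
    print(demo())
```

In the demo both web EPGs share the same master value and therefore the zone-wide permit, but only the EPG in the second bridge domain carries the local deny, so traffic from that EPG is denied while the first remains permitted.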


Reasons for Allowance
3.	 The following is an examiner’s statement of reasons for allowance: 
The prior art Eyada (US 2010/0071024) teaches applying an aggregate security class to each VLAN of a plurality of VLANs in which a group of end user devices is located, the security class being dynamically determined based on information collected from the end user devices. 
Another prior art of record, Mao et al. (US 2003/0065944), teaches identifying one or more policies to apply to a security zone of a plurality of security zones for inspecting packets traveling through the security zone. 
The prior art of record does not teach or suggest “generating one or more contracts for the first local class based on the first network configuration, wherein the one or more contracts for the first master class and the one or more contracts for the first local class each apply to the first local EPG.”  Furthermore, the prior art does not teach “assigning, to the first local EPG, the first master class for the first security zone, comprising setting one or more bits of a class field to a shared master value, and assigning, to the first local EPG, a first local class for the first security zone, comprising setting one or more bits of the class field to a unique local value;” features presented in claims 1, 9, and 15. 

Dependent claims are allowed over the prior art of record by virtue of their dependency from the independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESFU N MEKONEN whose telephone number is (571)270-0587. The examiner can normally be reached Monday - Friday, 8:00 AM to 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema, can be reached on (571) 270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available 

/T.N.M/Examiner, Art Unit 2454

/UMAR CHEEMA/Supervisory Patent Examiner, Art Unit 2454