DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are pending in this application.
No IDS was submitted by the Applicant.

Claim Objections
Claims 7 and 8 are objected to because of the following: 
Claim 7 recites the limitation “IP address" in line 2. At least the first recitation of the IP address should be written out. Applicant may rewrite “IP address” as “Internet Protocol (IP) address” for the first recitation.
Claim 8 recites the limitation “IP address” in lines 3, 5 and 12. At least the first recitation of the IP address should be written out. Applicant may rewrite “IP address” as “Internet Protocol (IP) address” for the first recitation.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claim 1 recites “an identifier” in line 7. It’s not clear if identifier of line 7 is referring to the previous recitation of an identifier or a second identifier.
Claims 2-7 are also rejected for being dependent on at least one rejected base claim. 
Claim 13 recites “an ingress packet” in line 1. It is not clear if ingress packet of claim 13 is referring to the previous recitation of “an ingress packet” of the independent claim 8 or a different ingress packet.
Claim 14 recites “information contained in the one or more data fields” in line 14 which is already stated previously in line 10. It’s not clear if “information contained” in line 14 is referring back to the “information contained” of line 10.
Claim 15 recites “information contained in the one or more data fields” in line 5. It’s not clear if the “information” of claim 15 is referring back to the “information” of claim 14. 
Claims 15-20 are also rejected for being dependent on at least one rejected base claim. 
Appropriate correction is required.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 14-18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because a system or an apparatus claim should always claim the structure or the hardware that performs the functions. Claims 14-18 have claimed limitations consists of software that do not describe the structure of a hardware. Claim 14 recites device, ports, pipeline processing logic, data stores which may be implemented as software/signals. 
Claims 15-18 are dependent from claim 14 and do not cure the deficiencies of claim 14.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 are rejected under 35 U.S.C. 103 as being unpatentable over Sharma et al. (US 10,284,473 B1) (hereinafter, “Sharma”) in view of Paul et al. (US 2002/0116521 A1) (hereinafter, “Paul”) and further in view of Remen et al. (US 2021/0067448 A1) (hereinafter, “Remen”).
As to claim 1, Sharma discloses a method comprising: 
receiving an ingress packet (“In block 910, switch 190 receives incoming traffic and provides the incoming traffic to multifunctional engine 320.” –e.g. see, col. 18, lines 53-54); 
identifying a first matched rule from among a plurality of rules stored in a … memory using information contained in the received packet, … (“In block 920, multifunctional engine 320 filters the received traffic. Filtering may include two phases, performed in any order. In one phase, multifunctional engine 320 compares the source IP address of the incoming traffic to one or more IP addresses configured as certain allowed, predefined sources. To that end, in an embodiment, multifunctional engine 320 may be configured with an access control list (ACL) defining a match (i.e. certain source IP addresses) and an action (e.g. permit or deny traffic).” –e.g. see, col. 18, lines 55-67; herein, source IP address is an information contained in the packet; Sharma also teaches memory for storing rules: “TCAM 329 may include a table mapping traffic buckets to service nodes” –e.g. see col. 17, lines 41-47; see also, col 22, lines 41-48); 
identifying a second matched rule from among a plurality of rules stored in a … memory using both the information contained in the received packet … (“In block 930, multifunctional engine 320 may, optionally, apply one or more policies or rules to at least some of the packets that passed the filtering of block 920 to determine whether those packets belong to one or more groups, e.g. device groups described herein and then perform one or more actions based on the device group(s) to which each packet is determined to belong. For example, in block 930, multifunctional engine 320 may group clients, i.e. group requests coming from predefined source IP addresses as specified by certain policies/rules, cache requests e.g. on a per-group basis, and then redirect the cached requests to one or more cache engines to determine whether the cached requests may be satisfied based on data in the one or more cache engines prior to forwarding the requests to the backend database servers 830.” –e.g. see, col. 19, lines 8-25; see also, col. 19, lines 37-42; herein, rules corresponds to a NAT mapping, see also, col. 17, lines 41-47; col 22, lines 41-48); and 
producing an egress packet by rewriting the received packet in accordance with a rewrite action associated with the second matched rule (“In block 950, according to the load balancing decisions of block 940, multifunctional engine 320 performs network address translation for the packets by rewriting the VIP address of the VIP 820 with an IP address of the backend node selected to serve the packet, i.e. IP address of one of the nodes 830-1 through 830-4 shown in FIG. 8.” –e.g. see, col. 19, lines 37-46).
Sharma may not explicitly disclose a first … rule from among a plurality of rules stored in a first memory, wherein each of the plurality of rules is associated with an identifier; a second ... rule from among a plurality of rules stored in a second memory, identifying a second matched rule … using … an identifier associated with the first matched rule.
wherein each of the plurality of rules is associated with an identifier (“Each policing data 302 preferably is identified by a unique police identifier (ID)/key 300. The police ID 300 preferably identifies different policy groups to which the packet may be classified. Preferably, each police ID 300 is composed of a customer identifier 300a and/or an application identifier 300b which may be similar to the customer identifier 254a and application identifier 254b of FIG. 7.” –e.g. see, Paul: [0066]); identifying a second matched rule … using … an identifier associated with the first matched rule (“Each policing data may further be associated with a next police ID 304. The next police ID 304 preferably allows nested lookups in the policing database to identify additional policy groups and associated policing data applicable to the current packet. Preferably, the next police ID 304 identifies a policy group with a priority ranking below the policy group identified by a current key 300. The policing data 302 associated with the additional policy groups preferably are also retrieved for performing rate checks for the current packet.” –e.g. see, Paul: [0067]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma with the teaching of Paul to include wherein each of the plurality of rules is associated with an identifier; identifying a second matched rule … using … an identifier associated with the first matched rule in order to effectively apply relevant policies to each data packet by uniquely identify plurality of related policies.

However, in an analogous art, Remen discloses a first … rule from among a plurality of rules stored in a first memory; a second ... rule from among a plurality of rules stored in a second memory (“The classifier includes (i) multiple Ternary Content Addressable Memories (TCAMs), each TCAM configured to match the packet to a respective subset of the set of rules and to output a match result, and (ii) circuitry configured to specify the action to be applied to the packet based on match results produced for the packet by the multiple TCAMs, and based on a priority defined among the multiple TCAMs.” –e.g. see, Remen: [0004], see also, Remen: [0023], claim 1 of Remen).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma and Paul with the teaching of Remen to include wherein a first … rule from among a plurality of rules stored in a first memory; a second ... rule from among a plurality of rules stored in a second memory in order to search packet headers for rules using multiple TCAM in an efficient manner which allow simultaneous comparison of desired information against pre-stored entries.

wherein the plurality of rules in the … memory correspond to an access control list (ACL) and the plurality of rules in the … memory correspond to a network address translation (NAT) mapping, wherein the ACL identifies ingress packets to be translated according to the NAT mapping, wherein the received packet is an ingress packet that is identified by the ACL to be translated according to the NAT mapping (“When an incoming packet matches at least one ACL rule and there is a match between the destination IP of the incoming traffic and the VIP 820, the multifunctional engine 320 may be configured to infer that the packet is to be handled further by multifunctional engine 320 as illustrates in blocks 930-960.” –e.g. see, Sharma: col. 18, lines 65-67 to col. 19, lines 1-7; herein, an incoming packet (i.e. an ingress packet) is compared to find a match at least with one ACL rule, when a match is found then the packet is further handled and in step 950 a NAT (network address translation) mapping is performed on the packet; e.g. see also, Sharma, e.g. see, col. 19, lines 37-46: “In block 950, according to the load balancing decisions of block 940, multifunctional engine 320 performs network address translation for the packets by rewriting the VIP address of the VIP 820 with an IP address of the backend node selected to serve the packet, i.e. IP address of one of the nodes 830-1 through 830-4 shown in FIG. 8.”).
Neither Sharma nor Paul explicitly disclose having a plurality of rules in the first memory and the plurality of rules in the second memory.
However, in an analogues art, Remen discloses having a plurality of rules in the first memory and the plurality of rules in the second memory (“The classifier includes (i) multiple Ternary Content Addressable Memories (TCAMs), each TCAM configured to match the packet to a respective subset of the set of rules and to output a match result, and (ii) circuitry configured to specify the action to be applied to the packet based on match results produced for the packet by the multiple TCAMs, and based on a priority defined among the multiple TCAMs.” –e.g. see, Remen: [0004], see also, Remen: [0023]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma and Paul with the teaching of Remen to include wherein a first … rule from among a plurality of rules stored in a first memory; a second ... rule from among a plurality of rules stored in a second memory in order to search packet headers for rules using multiple TCAM in an efficient manner which allow simultaneous comparison of desired information against pre-stored entries.

As to claim 3, Sharma discloses … wherein identifying the second matched rule includes using the information contained in the received packet … as criteria for searching the plurality of rules stored in the … memory (“… in block 930, multifunctional engine 320 may group clients, i.e. group requests coming from predefined source IP addresses as specified by certain policies/rules, cache requests e.g. on a per-group basis, and then redirect the cached requests to one or more cache engines to determine whether the cached requests may be satisfied based on data in the one or more cache engines prior to forwarding the requests to the backend 
Sharma may not explicitly disclose comprising storing the identifier associated with the first matched rule in a data store, wherein identifying the second matched rule includes using … the identifier stored in the data store as criteria for searching the plurality of rules stored in the second memory.
However, in an analogous art, Paul discloses comprising storing the identifier associated with the first matched rule in a data store (“Each policing data 302 preferably is identified by a unique police identifier (ID)/key 300. The police ID 300 preferably identifies different policy groups to which the packet may be classified.” –e.g. see, Paul: [0066] & “The policing data table 298 may be stored in the policing engine 120, 166. The policing data table 298 may also be referred to as a policing database” –e.g. see, Paul: [0064], see also, [0065]), wherein identifying the second matched rule includes using … the identifier stored in the data store as criteria for searching the plurality of rules stored in the ... memory (“Each policing data may further be associated with a next police ID 304. The next police ID 304 preferably allows nested lookups in the policing database to identify additional policy groups and associated policing data applicable to the current packet. Preferably, the next police ID 304 identifies a policy group with a priority ranking below the policy group identified by a current key 300.” –e.g. see, [0067]).

Neither Sharma nor Paul explicitly disclose the plurality of rules stored in the second memory.
However, in an analogous art, Remen discloses the plurality of rules stored in the second memory (“The classifier includes (i) multiple Ternary Content Addressable Memories (TCAMs), each TCAM configured to match the packet to a respective subset of the set of rules and to output a match result, and (ii) circuitry configured to specify the action to be applied to the packet based on match results produced for the packet by the multiple TCAMs, and based on a priority defined among the multiple TCAMs.” –e.g. see, Remen: [0004], see also, Remen: [0023], claim 1 of Remen);
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma and Paul with the teaching of Remen to include wherein a first … rule from among a plurality of rules stored in a first memory; a second ... rule from among a plurality of rules stored in a second memory in order to search packet headers for rules 

As to claim 4, Sharma discloses wherein subsets of the plurality of rules in the … memory correspond to respective ACLs (“… in an embodiment, multifunctional engine 320 may be configured with an access control list (ACL) defining a match (i.e. certain source IP addresses) and an action (e.g. permit or deny traffic).” –e.g. see, col. 18, lines 55-67).
Sharma may not explicitly disclose the plurality of rules in the first memory; wherein rules in each of the subsets are associated with an identifier of the corresponding ACL, wherein each rule in the second memory includes the identifier of one of the ACLs as a match criterion.
However, in an analogous art, Paul discloses wherein rules in each of the subsets are associated with an identifier of the corresponding [policy] (“Each policing data 302 preferably is identified by a unique police identifier (ID)/key 300. The police ID 300 preferably identifies different policy groups to which the packet may be classified. Preferably, each police ID 300 is composed of a customer identifier 300a and/or an application identifier 300b which may be similar to the customer identifier 254a and application identifier 254b of FIG. 7.” –e.g. see, Paul: [0066]), wherein each rule in the … memory includes the identifier of one of the [policy] as a match criterion (“Each policing data may further be associated with a next police ID 304. The next police ID 304 preferably allows nested lookups in the policing database to identify additional policy groups and associated policing data applicable to the current packet. Preferably, the next police ID 304 identifies a policy group with a priority ranking below the policy group identified by a current key 300. The policing data 302 associated with the additional policy groups preferably are also retrieved for performing rate checks for the current packet.” –e.g. see, Paul: [0067]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma with the teaching of Paul to include wherein rules in each of the subsets are associated with an identifier of the corresponding [policy], wherein each rule in the … memory includes the identifier of one of the [policy] as a match criterion in order to effectively apply relevant policies to each data packet by uniquely identify plurality of related policies.
Neither Sharma nor Paul explicitly disclose the plurality of rules in the first memory and wherein each rule in the second memory.
However, in an analogous art, Remen discloses the plurality of rules in the first memory and wherein each rule in the second memory (“The classifier includes (i) multiple Ternary Content Addressable Memories (TCAMs), each TCAM configured to match the packet to a respective subset of the set of rules and to output a match result, and (ii) circuitry configured to specify the action to be applied to the packet based on match results produced for the packet by the multiple TCAMs, and based on a priority 
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma and Paul with the teaching of Remen to include the plurality of rules in the first memory and wherein each rule in the second memory in order to search packet headers for rules using multiple TCAM in an efficient manner which allow simultaneous comparison of desired information against pre-stored entries.

As to claim 5, Sharma discloses wherein the plurality of rules in the first memory correspond to filters in an ACL, wherein each filter in the ACL is associated with a pair of complementary rules among the plurality of rules in the first memory (“Filtering may include two phases, performed in any order. In one phase, multifunctional engine 320 compares the source IP address of the incoming traffic to one or more IP addresses configured as certain allowed, predefined sources. To that end, in an embodiment, multifunctional engine 320 may be configured with an access control list (ACL) defining a match (i.e. certain source IP addresses) and an action (e.g. permit or deny traffic). In another phase, multifunctional engine 320 compares the destination IP of the incoming traffic to the VIP 820. When an incoming packet matches at least one ACL rule and there is a match between the destination IP of the incoming traffic and the VIP 820, the multifunctional engine 320 may be configured to infer that the packet is to be handled further by 

As to claim 6, Sharma discloses wherein each complementary pair of rules among the plurality of rules in the first memory includes a forward filter rule to match packets transmitted in a forward direction between a first node and a second node (“In block 960, after multifunctional engine 320 has rewritten the header of the packet to an IP address of an appropriate node, switch 190 forwards the incoming traffic to the node designated by the IP address.” –e.g. see, col. 19, lines 43-46; see also, col. 19, lines 1-7; herein, if a match is found then traffic is further processed and forwarded (i.e. forwarded based on the forward filtering rule)) and a reverse filter rule to match packets that are transmitted in a reverse direction between the first and second nodes (“Reverse traffic (response from service nodes to client devices) are delivered directly to the respective clients without any intervention from multifunctional engine 320.” –e.g. see, Sharma: Col. 18, lines 1-5).

As to claim 7, Sharma discloses wherein rewriting the received packet includes changing an IP address of the received packet to an IP address associated with the rewrite action that is associated with the second matched rule (multifunctional engine 320 performs network address translation for the packets by rewriting the VIP address of the VIP 820 with an IP address of the backend node selected to serve the packet, i.e. IP address of one of the nodes 830-1 through 830-4 shown in FIG. 8.” –e.g. see, col. 19, lines 37-46).

Claims 8, 9 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Sharma in view of Hooda et al. (US 2019/0327150 A1) (hereinafter, “Hooda”) and further in view of Paul.

As to claim 8, Sharma discloses a method comprising: 
receiving an access control list (ACL) comprising a plurality of filters, each filter specifying an IP address (“Filtering may include two phases, performed in any order. In one phase, multifunctional engine 320 compares the source IP address of the incoming traffic to one or more IP addresses configured as certain allowed, predefined sources. To that end, in an embodiment, multifunctional engine 320 may be configured with an access control list (ACL) defining a match (i.e. certain source IP addresses) and an action (e.g. permit or deny traffic)” - e.g. see, col. 18, lines 55-67; herein, multifunctional engine is configured (i.e. received) with an access control list); 
generating a plurality of first rules from the filters comprising the ACL, each of the first rules associated with … the ACL (“FIG. 10A is an example command-line interface for defining ACL on the switch 190 for the scenario of FIG. 8, according to some exemplary embodiments of the present disclosure. The “permit” commands shown in FIG. 10A instruct multifunctional engine 320 to permit traffic from the source nodes 810-1 and 810-2 identified by their IP addresses 10.10.10.10 and 10.10.10.20, respectively.” –e.g. see, col. 19, lines 51-57, see also, col. 18, lines 55-67); and 
generating a plurality of second rules from the NAT mapping, each of the second rules associated with … the ACL (“FIG. 10D is an example command-line interface for defining load distribution service and specifying VIP NAT policy for the scenario of FIG. 8, according to some exemplary embodiments of the present disclosure. The “ingress interface” command shown in FIG. 10D defines e3/1 interface as the ingress interface for switch 190. The “device-group” command shown in FIG. 10D specifies the previously defined device group DB-SERVERS as the group of backend nodes to which traffic will be load balanced and NAT translated. The “virtual ip” command shown in FIG. 10D enables the VIP 820 to advertise VIP to neighbor routers, so traffic destined to VIP can reach the switch. The “nat destination” command shown in FIG. 10D instructs multifunctional engine 320 to perform network address translation as described in block 950.” –e.g. see, col. 20, lines 13-27, see also, col. 19, lines 37-42), 
wherein when an ingress packet matches one of the first rules and one of the second rules, the ingress packet is translated in accordance with said one of the second rules, wherein only ingress packets containing an IP address specified by one of the filters in the ACL are translated according to the NAT mapping (“When an incoming packet matches at least one ACL rule and there is a match between the destination IP of the incoming traffic and the VIP 820, the the packet is to be handled further by multifunctional engine 320 as illustrates in blocks 930-960.” –e.g. see, Sharma: col. 18, lines 65-67 to col. 19, lines 1-7; herein, an incoming packet (i.e. an ingress packet) is compared to find a match at least with one ACL rule, when a match is found then the packet is further handled and in step 950 a NAT (network address translation) mapping is performed on the packet; e.g. see also, Sharma, e.g. see, col. 19, lines 37-46: “In block 950, according to the load balancing decisions of block 940, multifunctional engine 320 performs network address translation for the packets by rewriting the VIP address of the VIP 820 with an IP address of the backend node selected to serve the packet, i.e. IP address of one of the nodes 830-1 through 830-4 shown in FIG. 8.”).
Sharma may not explicitly disclose receiving a network address translation (NAT) mapping that specifies translating packets containing a first IP address to replace the first IP address with a second IP address; each of the first rules associated with an identifier that identifies the ACL; each of the second rules associated with the identifier that identifies the ACL;
However, in an analogous art, Hooda discloses receiving a network address translation (NAT) mapping that specifies translating packets containing a first IP address to replace the first IP address with a second IP address (“The NAT network element 124 sends the NAT mapping (e.g., IP1 maps to IP2) in a message 340 to the policy server 140. The NAT network element 124 may send the message 340 any time after the first message 320 is translated through the NAT 
Hooda further discloses generating a plurality of rules from the filters comprising the ACL (“The policy server 140 sends the identity-based policy (such as Virtual Local Area Network (VLAN) information, Security Group (SG) Access Control List (ACL), SG Name Table, etc.) to the network controller 126 in message 350. The network controller 126 implements the policy in the network 120, including network element 122, by sending message 355 with the identity-based policy information.” –e.g. see, [0027]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma with the teaching of Hooda to include receiving a network address translation (NAT) mapping that specifies translating packets containing a first IP address to replace the first IP address with a second IP address in order to control access to a network based on the type of user and/or device connecting to the network as suggested by Hooda, para. [0003].
Neither Sharma nor Hooda explicitly disclose each of the first rules associated with an identifier that identifies the ACL; each of the second rules associated with the identifier that identifies the ACL;
each of the first rules associated with an identifier that identifies the [policy] (“Each policing data 302 preferably is identified by a unique police identifier (ID)/key 300. The police ID 300 preferably identifies different policy groups to which the packet may be classified. Preferably, each police ID 300 is composed of a customer identifier 300a and/or an application identifier 300b which may be similar to the customer identifier 254a and application identifier 254b of FIG. 7.” –e.g. see, Paul: [0066]); each of the second rules associated with the identifier that identifies the [policy] (“Each policing data may further be associated with a next police ID 304. The next police ID 304 preferably allows nested lookups in the policing database to identify additional policy groups and associated policing data applicable to the current packet. Preferably, the next police ID 304 identifies a policy group with a priority ranking below the policy group identified by a current key 300. The policing data 302 associated with the additional policy groups preferably are also retrieved for performing rate checks for the current packet.” –e.g. see, Paul: [0067]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma and Hooda with the teaching of Paul to include wherein each of the first rules associated with an identifier that identifies the [policy]; each of the second rules associated with the identifier that identifies the [policy]  in order to effectively apply relevant policies to each data packet by uniquely identify plurality of related policies.


However, in an analogues art, Paul discloses wherein generating the plurality of second rules [nested rules/policies] further includes including the identifier of the [First policy] as a match criterion in the plurality of second rules (“Each policing data may further be associated with a next police ID 304. The next police ID 304 preferably allows nested lookups in the policing database to identify additional policy groups and associated policing data applicable to the current packet. Preferably, the next police ID 304 identifies a policy group with a priority ranking below the policy group identified by a current key 300. The policing data 302 associated with the additional policy groups preferably are also retrieved for performing rate checks for the current packet.” –e.g. see, Paul: [0067], see also, Paul: [0066]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma and Hooda with the teaching of Paul to include wherein generating the plurality of second rules [nested rules/policies] further includes including the identifier of the [First policy] as a match criterion in the plurality of second rules in order to effectively apply relevant policies to each data packet by uniquely identify plurality of related policies.

comprising, … wherein information contained in the ingress packet and the data store are used as search criteria to search for a matching rule among the plurality of second rules (“… in block 930, multifunctional engine 320 may group clients, i.e. group requests coming from predefined source IP addresses as specified by certain policies/rules, cache requests e.g. on a per-group basis, and then redirect the cached requests to one or more cache engines to determine whether the cached requests may be satisfied based on data in the one or more cache engines prior to forwarding the requests to the backend database servers 830.” –e.g. see, Sharma: col. 19, lines 8-25; herein, the second match is identified based on source IP from the packets as criteria; see also, see also, col 22, lines 41-48).
Sharma further discloses an ingress packet matches a rule among the plurality of first rules (“When an incoming packet matches at least one ACL rule and there is a match between the destination IP of the incoming traffic and the VIP 820, the multifunctional engine 320 may be configured to infer that the packet is to be handled further by multifunctional engine 320 as illustrates in blocks 930-960.” –e.g. see, Sharma: col. 18, lines 65-67 to col. 19, lines 1-7; herein, an incoming packet (i.e. an ingress packet) is compared to find a match at least with one ACL rule, when a match is found then the packet is further handled and in step 950 a NAT (network address translation) mapping is performed on the packet).
Neither Sharma nor Hooda explicitly disclose storing the identifier associated with the matched rule in a data store.
storing the identifier associated with the matched rule in a data store (“Each policing data 302 preferably is identified by a unique police identifier (ID)/key 300. The police ID 300 preferably identifies different policy groups to which the packet may be classified.” –e.g. see, Paul: [0066] & “The policing data table 298 may be stored in the policing engine 120, 166. The policing data table 298 may also be referred to as a policing database” –e.g. see, Paul: [0064], see also, [0065]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma and Hooda with the teaching of Paul to include storing the identifier associated with the matched rule in a data store in order to effectively apply relevant policies to each data packet by uniquely identify plurality of related policies.

Claims 14, 17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Sharma in view of Merchant et al. (US 6,775,290 A1) (hereinafter, “Merchant”) and further in view of Remen.

As to claim 14. Sharma discloses a network device comprising: 
pipeline processing logic comprising a first rules data store and a second rules data store …, the first rules data store and the second rules data store having stored therein rules to support network address translation of packets an incoming packet matches at least one ACL rule and there is a match between the destination IP of the incoming traffic and the VIP 820, the multifunctional engine 320 may be configured to infer that the packet is to be handled further by multifunctional engine 320 as illustrates in blocks 930-960.” –e.g. see, Sharma: col. 18, lines 65-67 to col. 19, lines 1-7; herein, ACL rule is comparable to first rule stored in a memory coupled with multifunctional engine and a NAT (network address translation) mapping is performed on the packet as part of second rule stored in the memory coupled with the multifunctional engine; e.g. see also, Sharma, e.g. see, col. 19, lines 37-46: “In block 950, according to the load balancing decisions of block 940, multifunctional engine 320 performs network address translation for the packets by rewriting the VIP address of the VIP 820 with an IP address of the backend node selected to serve the packet, i.e. IP address of one of the nodes 830-1 through 830-4 shown in FIG. 8.”; It should be noted that “pipeline processing logic” can broadly be interpreted as orderly processing logic or algorithm which Sharma teaches as part of the flow chart such as Fig. 8; In Fig. 8 Sharma teaches comparing packets against a first set of rule followed by a second set of rule. Furthermore, Sharma also teaches memory for storing rules: “TCAM 329 may include a table mapping traffic buckets to service nodes” –e.g. see col. 17, lines 41-47; see also, col 22, lines 41-48), 
the pipeline processing logic configured to: receive a packet … (“In block 910, switch 190 receives incoming traffic and provides the incoming traffic to multifunctional engine 320.” –e.g. see, col. 18, lines 53-54); 
provide the received packet to the first rules data store to identify a first matched rule in the first rules data store using information contained in one or more data fields of the received packet (“In block 920, multifunctional engine 320 filters the received traffic. Filtering may include two phases, performed in any order. In one phase, multifunctional engine 320 compares the source IP address of the incoming traffic to one or more IP addresses configured as certain allowed, predefined sources. To that end, in an embodiment, multifunctional engine 320 may be configured with an access control list (ACL) defining a match (i.e. certain source IP addresses) and an action (e.g. permit or deny traffic).” –e.g. see, col. 18, lines 55-67; herein, source IP address is an information contained in the packet; Sharma also teaches memory for storing rules: “TCAM 329 may include a table mapping traffic buckets to service nodes” –e.g. see col. 17, lines 41-47; see also, col 22, lines 41-48); 
provide the received packet to the second rules data store to identify a second matched rule in the second rules data store using information contained in the first matched rule and information contained in the one or more data fields of the received packet (“In block 930, multifunctional engine 320 may, optionally, apply one or more policies or rules to at least some of the packets that passed the filtering of block 920 to determine whether those packets belong to one or more groups, e.g. device groups described herein and then perform one or more actions based on the device group(s) to which each packet is determined to belong. For example, in block 930, multifunctional engine 320 may group clients, i.e. group requests coming from predefined source IP addresses as specified by certain policies/rules, cache requests e.g. on a per-group basis, and then redirect the cached requests to one or 
translate an address in the received packet according to a translation action in the second matched rule (“In block 950, according to the load balancing decisions of block 940, multifunctional engine 320 performs network address translation for the packets by rewriting the VIP address of the VIP 820 with an IP address of the backend node selected to serve the packet, i.e. IP address of one of the nodes 830-1 through 830-4 shown in FIG. 8.” –e.g. see, col. 19, lines 37-46); and 
transmit the translated received packet … (“In block 960, after multifunctional engine 320 has rewritten the header of the packet to an IP address of an appropriate node, switch 190 forwards the incoming traffic to the node designated by the IP address.” –e.g. see, Col. 19, lines 43-46).
Although receiving and transmitting packets couldn’t be accomplished without ports, Sharma may not explicitly disclose a first port; a second port; a second rules data store separate from the first rules data store, receive a packet on the first port and transmit the …received packet on the second port.
However, in an analogous art, Merchant discloses a first port; a second port; receive a packet on the first port and transmit the …received packet on the second port (“… a network switching system comprises a first port for receiving data packets from members of a first plurality of VLANs, a second port for transmitting the data packets, and a decision making engine responsive to the data packets received by the first port for controlling forwarding of the received data packets to the second port. The decision making engine includes a first logic circuit responsive to the received data packets to prevent the switching system from forwarding to the second port a received data packet that does not belong to the first plurality of VLANs.” –col. 2, lines 6-16).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma with the teaching of Merchant to include a first port; a second port; receive a packet on the first port and transmit the …received packet on the second port in order to support data communication between multiple network nodes connected to various ports of the switch.
Neither Sharma nor Merchant explicitly disclose a second rules data store separate from the first rules data store. However, in an analogous art, Remen discloses a second rules data store separate from the first rules data store (“The classifier includes (i) multiple Ternary Content Addressable Memories (TCAMs), each TCAM configured to match the packet to a respective subset of the set of rules and to output a match result, and (ii) circuitry configured to specify the action to be applied to the packet based on match results produced for the packet by the multiple TCAMs, and based on a priority defined among the multiple TCAMs.” –e.g. see, Remen: [0004], see also, Remen: [0023], claim 1 of Remen);


 
As to claim 17, Sharma discloses wherein rules in the first rules data store correspond to an ACL and the rules in the second rules data store correspond to a network address translation (NAT) mapping, wherein only ingress packets that are identified by the ACL are translated according to the NAT mapping, wherein the received packet is an ingress packet that is identified by the ACL and translated according to the NAT mapping (“When an incoming packet matches at least one ACL rule and there is a match between the destination IP of the incoming traffic and the VIP 820, the multifunctional engine 320 may be configured to infer that the packet is to be handled further by multifunctional engine 320 as illustrates in blocks 930-960.” –e.g. see, Sharma: col. 18, lines 65-67 to col. 19, lines 1-7; herein, an incoming packet (i.e. an ingress packet) is compared to find a match at least with one ACL rule, when a match is found then the packet is further handled and in step 950 a NAT (network address translation) mapping is performed on the packet; e.g. see also, Sharma, e.g. see, col. 19, lines 37-46: “In block 950, according to the load balancing multifunctional engine 320 performs network address translation for the packets by rewriting the VIP address of the VIP 820 with an IP address of the backend node selected to serve the packet, i.e. IP address of one of the nodes 830-1 through 830-4 shown in FIG. 8.”).

As to claim 19, the combination of Sharma, Merchant and Remen disclose wherein the first rules data store is a ternary content addressable memory (TCAM) (Remen: “The classifier includes (i) multiple Ternary Content Addressable Memories (TCAMs), each TCAM configured to match the packet to a respective subset of the set of rules and to output a match result, and (ii) circuitry configured to specify the action to be applied to the packet based on match results produced for the packet by the multiple TCAMs, and based on a priority defined among the multiple TCAMs.” –e.g. see, Remen: [0004], see also, Remen: [0023], claim 1 of Remen).

As to claim 20, the combination of Sharma, Merchant and Remen disclose wherein the second rules data store is a TCAM or an associative memory (Remen: “The classifier includes (i) multiple Ternary Content Addressable Memories (TCAMs), each TCAM configured to match the packet to a respective subset of the set of rules and to output a match result, and (ii) circuitry configured to specify the action to be applied to the packet based on match results produced for the packet by the multiple .

Claims 10-12 are rejected under 35 U.S.C. 103 as being unpatentable over Sharma in view of Hooda in view of Paul and further in view of Remen.


As to claim 10, neither Sharma nor Hooda nor Paul explicitly disclose further comprising storing the plurality of first rules in a first memory and storing the plurality of second rules in a second memory different from the first memory.
However, in an analogous art, Remen discloses comprising storing the plurality of first rules in a first memory and storing the plurality of second rules in a second memory different from the first memory (“The classifier includes (i) multiple Ternary Content Addressable Memories (TCAMs), each TCAM configured to match the packet to a respective subset of the set of rules and to output a match result, and (ii) circuitry configured to specify the action to be applied to the packet based on match results produced for the packet by the multiple TCAMs, and based on a priority defined among the multiple TCAMs.” –e.g. see, Remen: [0004], see also, Remen: [0023], claim 1 of Remen).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma, Hooda  and Paul with the teaching of Remen to include storing the plurality of 

As to claim 11, the combination of Sharma, Hooda, Paul and Remen disclose wherein the first memory is a first ternary content-addressable memory (TCAM) and the second memory is second TCAM separate from the first TCAM (Remen: “The classifier includes (i) multiple Ternary Content Addressable Memories (TCAMs), each TCAM configured to match the packet to a respective subset of the set of rules and to output a match result, and (ii) circuitry configured to specify the action to be applied to the packet based on match results produced for the packet by the multiple TCAMs, and based on a priority defined among the multiple TCAMs.” –e.g. see, Remen: [0004], see also, Remen: [0023], claim 1 of Remen).

As to claim 12, the combination of Sharma, Hooda, Paul and Remen disclose wherein the first memory is a TCAM and the second memory is an associative memory separate from the TCAM (Remen: “The classifier includes (i) multiple Ternary Content Addressable Memories (TCAMs), each TCAM configured to match the packet to a respective subset of the set of rules and to output a match result, and (ii) circuitry configured to specify the action to be applied to the packet based on match results .

Claims 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Sharma in view of Merchant in view of Remen and further in view of Rangachari et al. (US 2020/0053026 A1) (Rangachari).


As to claim 15, neither Sharma nor Merchant nor Remen explicitly disclose wherein the network device further comprises a metadata data store, wherein the pipeline processing logic is further configured to store the metadata contained in the first matched rule to the metadata data store, wherein the second matched rule is identified using information contained in the metadata data store and information contained in the one or more data fields of the received packet.
However, in an analogous art, Rangachari discloses wherein the network device further comprises a metadata data store, wherein the pipeline processing logic is further configured to store the metadata contained in the first matched rule to the metadata data store, wherein the second matched rule is identified using information contained in the metadata data store and information contained in the one or more data fields of the received packet (“The processing along data paths can process from gates of batch manager 665 based on the classifier assigned policy_ID that can be read from the metadata area of each data packet. In the non-limiting example of FIG. 6, data packets are sent on datapath A or datapath B based these internal identifiers. Datapath A includes a path from batch manager 665 to switch 654 and datapath B includes a path from batch manager 665 to switch 656. Switch 665 and switch 654 are software modules that are devices for the flow of data packets and are assigned device_IDs. Each software module along the paths chosen in FIG. 6 are devices for the flow of data packets and are assigned device_IDs. These devices include a FW VNF 651, an ACL VNF 653-1, a video codec VNF 661, a network address translation (NAT) VNF 658, an ACL VNF 653-2, a deep packet inspection (DPI) VNF 662, and a VPN VNF 659. NAT is a mechanism to remap one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. DPI is a type of data processing that can examine details of the contents of the data being sent and may re-route the data accordingly. It in combination with filtering can enable advanced network management, user services, and security functions as well as internet data mining, eavesdropping, and internet censorship.” –e.g. see, Rangachari: [0086], see also, [0065]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma, Merchant and Remen with the teaching of Rangachari to include wherein rules in each set of rules are associated with metadata that identifies the corresponding ACL, wherein identifying the second matched rule is based on the ACL metadata associated with the first matched rule in order to support moving individual network functions out of 

As to claim 16, Sharma discloses wherein the first rules data store comprises one or more sets of rules, each set of rules corresponding to a respective access control list (ACL) (“… in an embodiment, multifunctional engine 320 may be configured with an access control list (ACL) defining a match (i.e. certain source IP addresses) and an action (e.g. permit or deny traffic).” –e.g. see, col. 18, lines 55-67), wherein identifying the second matched rule is based on the ACL … associated with the first matched rule (“When an incoming packet matches at least one ACL rule and there is a match between the destination IP of the incoming traffic and the VIP 820, the multifunctional engine 320 may be configured to infer that the packet is to be handled further by multifunctional engine 320 as illustrates in blocks 930-960.” –e.g. see, Sharma: col. 18, lines 65-67 to col. 19, lines 1-7; herein, an incoming packet (i.e. an ingress packet) is compared to find a match at least with one ACL rule, when a match is found then the packet is further handled and in step 950 a NAT (network address translation) mapping is performed on the packet; e.g. see also, Sharma, e.g. see, col. 19, lines 37-46).
Neither Sharma nor Merchant nor Remen explicitly disclose wherein rules in each set of rules are associated with metadata that identifies the corresponding ACL, wherein identifying the second matched rule is based on the ACL metadata associated with the first matched rule.
wherein rules in each set of rules are associated with metadata that identifies the corresponding ACL, wherein identifying the second matched rule is based on the ACL metadata associated with the first matched rule (“The processing along data paths can process from gates of batch manager 665 based on the classifier assigned port_ID, policy_ID, or port_ID and policy_ID that can be read from the metadata area of each data packet. In the non-limiting example of FIG. 6, data packets are sent on datapath A or datapath B based these internal identifiers. Datapath A includes a path from batch manager 665 to switch 654 and datapath B includes a path from batch manager 665 to switch 656. Switch 665 and switch 654 are software modules that are devices for the flow of data packets and are assigned device_IDs. Each software module along the paths chosen in FIG. 6 are devices for the flow of data packets and are assigned device_IDs. These devices include a FW VNF 651, an ACL VNF 653-1, a video codec VNF 661, a network address translation (NAT) VNF 658, an ACL VNF 653-2, a deep packet inspection (DPI) VNF 662, and a VPN VNF 659. NAT is a mechanism to remap one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. DPI is a type of data processing that can examine details of the contents of the data being sent and may re-route the data accordingly. It in combination with filtering can enable advanced network management, user services, and security functions as well as internet data mining, eavesdropping, and internet censorship.” –e.g. see, Rangachari: [0086], see also, [0065]).
.

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Sharma in view of Merchant in view of Remen and further in view of Paul.


As to claim 18, Sharma discloses wherein rules in the first rules data store correspond to filters in an ACL (“Filtering may include two phases, performed in any order. In one phase, multifunctional engine 320 compares the source IP address of the incoming traffic to one or more IP addresses configured as certain allowed, predefined sources. To that end, in an embodiment, multifunctional engine 320 may be configured with an access control list (ACL) defining a match (i.e. certain source IP addresses) and an action (e.g. permit or deny traffic). In another phase, multifunctional engine 320 compares the destination IP of the incoming traffic to the VIP 820. When an incoming packet matches at least one ACL rule and there is a match between the destination IP of the incoming traffic and the VIP 820, the multifunctional engine 320 may be configured to infer that the packet is to be handled further by multifunctional engine 320 as illustrates in blocks 930-960.” –e.g. see, Sharma: col. 18, lines 55-67), wherein rules in the second rules data store correspond to a NAT mapping (“In block 950, according to the load balancing decisions of block 940, multifunctional engine 320 performs network address translation for the packets by rewriting the VIP address of the VIP 820 with an IP address of the backend node selected to serve the packet, i.e. IP address of one of the nodes 830-1 through 830-4 shown in FIG. 8.” –e.g. see, col. 19, lines 37-46).
Neither Sharma nor Merchant nor Remen explicitly disclose wherein each rule includes an identifier of its corresponding ACL, wherein each rule in the second rules data store includes the ACL identifier as a match criterion.
However, in an analogous art, Paul discloses wherein each rule includes an identifier of its corresponding [policy] (“Each policing data 302 preferably is identified by a unique police identifier (ID)/key 300. The police ID 300 preferably identifies different policy groups to which the packet may be classified. Preferably, each police ID 300 is composed of a customer identifier 300a and/or an application identifier 300b which may be similar to the customer identifier 254a and application identifier 254b of FIG. 7.” –e.g. see, Paul: [0066]), wherein each rule in the second rules data store includes the [policy] identifier as a match criterion (“Each policing data may further be associated with a next police ID 304. The next police ID 304 preferably allows nested lookups in the policing database to identify additional policy groups and associated policing data applicable to the current packet. Preferably, the next police ID 304 identifies a policy group with a priority ranking below the policy group identified by a current key 300. The policing data 302 associated with the additional policy groups preferably are also retrieved for performing rate checks for the current packet.” –e.g. see, Paul: [0067]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma, Merchant and Remen with the teaching of Paul to include wherein each rule includes an identifier of its corresponding [policy], wherein each rule in the second rules data store includes the [policy] identifier as a match criterion in order to effectively apply relevant policies to each data packet by uniquely identify plurality of related policies.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

US 2008/0049752 A1 –Grant teaches Classification may be based on packet flow parameters such as the source and destination addresses, protocol, service type, and Layer 4 ports or port ranges. Each ACL defines a part of the overall flow space, and different ACLs may overlap. Thus, classification engine typically assigns one class identifier to a region of a given ACL that overlaps a certain other ACL, and a different class identifier to another region of the ACL that does not overlap –e.g. see, para 15, 19 and 20 of Grant. 



	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256. The examiner can normally be reached Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 

SUMAN DEBNATH
Patent Examiner
Art Unit 2495



/S.D/Examiner, Art Unit 2495     

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495