DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 have been examined.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-16, 18 and 19 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Curcio et al. U.S. Pub. No. 20180115471 (hereinafter Curcio).

As per claim 1, Curcio discloses a computer-implemented method for implementing an access control rule, the method comprising:
given an Access Control List (ACL) rule having a set of ACL qualifiers and an ACL action to be performed on a packet that matches the set of ACL qualifiers, generating for a first device a first rule comprising a first subset of qualifiers from the set of ACL qualifiers and a marking action to mark the packet with a tag if the packet comprises data or has associated metadata that matches the first subset of qualifiers (Curcio: [0011]: generating a tag for first network device based on first subset of rules/qualifiers and first device tags the packet… ACL action is the deep packet inspection); and
generating for a second device a second rule comprising a second subset of qualifiers from the set of ACL qualifiers, the tag, and the ACL action, such that execution of the first rule and the second rule applies the ACL action to the packet at the second device (Curcio: [0011]-[0012]: second rule is to match the second set of pre-filters/qualifiers to the packet after comparing the tag to determine whether deep inspection/ACL action is required…when first and second sets of pre-filters match the packet data, take ACL action which may be deep packet inspection).

As per claim 2, Curcio discloses the computer-implemented method of claim 1. Curcio further discloses wherein the second device, in response to receiving the packet that has been marked with the tag and determining that the packet comprises data or has associated metadata that matches the second subset of qualifiers, perform the ACL action to control flow of the packet (Curcio: [0012]: when the second set of pre-filters or rules/qualifiers match, control flow of the packet by sending it for further inspection by a deep packet inspection device).
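
The rule split recited in claims 1 and 2, as an added illustration that is not part of this Office action, the application, or Curcio: one ACL rule becomes a marking rule for a first device and a tag-plus-qualifiers rule for a second device, and the pair is compared against the unsplit rule. The rule fields, the "deny" action, the tag value and the choice to clear inbound tags at the first device are assumptions made for the example.

```python
# Added illustration: rule fields, values and the tag number are constructed.
ACL_RULE = {
    "qualifiers": {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10",
                   "proto": "tcp", "dst_port": 22},
    "action": "deny",
}
TAG = 0x2A  # hypothetical tag value shared by both devices


def split_acl_rule(rule, first_keys, tag):
    """Return (first_rule, second_rule) derived from one ACL rule."""
    quals = rule["qualifiers"]
    first = {k: quals[k] for k in first_keys}  # KeyError on unknown qualifier
    second = {k: v for k, v in quals.items() if k not in first}
    if not first or not second:
        raise ValueError("both devices need at least one qualifier")
    return ({"qualifiers": first, "mark": tag},
            {"qualifiers": second, "tag": tag, "action": rule["action"]})


def matches(qualifiers, packet):
    return all(packet.get(k) == v for k, v in qualifiers.items())


def first_device(packet, first_rule):
    out = dict(packet)
    # Assumption added here: clear any tag set upstream so that only this
    # device can assert "first subset matched".
    out.pop("tag", None)
    if matches(first_rule["qualifiers"], out):
        out["tag"] = first_rule["mark"]
    return out


def second_device(packet, second_rule, default="permit"):
    # The tag acts as one more qualifier next to the second subset.
    if (packet.get("tag") == second_rule["tag"]
            and matches(second_rule["qualifiers"], packet)):
        return second_rule["action"]
    return default


def unsplit_acl(packet, rule, default="permit"):
    """Reference behaviour: the whole rule evaluated on a single device."""
    return rule["action"] if matches(rule["qualifiers"], packet) else default


def pipeline(packet, rule=ACL_RULE, first_keys=("src_ip", "dst_ip"), tag=TAG):
    first_rule, second_rule = split_acl_rule(rule, first_keys, tag)
    return second_device(first_device(packet, first_rule), second_rule)
```

Each derived rule carries two of the four qualifiers, and the action fires at the second device only when the tag and the second subset both match, which is the same verdict the unsplit rule gives on one device.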

As per claim 3, Curcio discloses the computer-implemented method of claim 2. Curcio further discloses wherein each of the first rule and the second rule, when stored in a memory device, individually uses fewer bits in the memory device than the bits needed to store the ACL rule (Curcio: [0011]-[0012]: the subset of pre-filters or rules use fewer bits than the complete set of rules; [0010]: efficiently go through different subsets of rules to avoid additional processing unless necessary).

As per claim 4, Curcio discloses the computer-implemented method of claim 1. Curcio further discloses wherein the second device uses the tag as an additional qualifier that relates the first subset of qualifiers to the ACL action (Curcio: [0011]-[0012]: second device uses tagged information to make decisions about packet flow (e.g. send packet flow to deep packet inspection device)).

As per claim 5, Curcio discloses the computer-implemented method of claim 1. Curcio further discloses wherein the first device, responsive to receiving the packet that comprises data or has associated metadata that matches the first subset of qualifiers, marks the packet with the tag (Curcio: [0011]: first device can tag the packet when the first subset of rules/qualifiers matches metadata of the packet).

As per claim 6, Curcio discloses the computer-implemented method of claim 5. Curcio further discloses wherein the first device, responsive to receiving the packet by including the tag in a header of the packet (Curcio: [0012]: the tag can be placed in a header of the packets and read by other network devices).

As per claim 7, Curcio discloses the computer-implemented method of claim 6. Curcio further discloses wherein the tag is an e-tag that comprises metadata in a reserved field (Curcio: [0040]-[0041]).

As per claim 8, Curcio discloses a computer-implemented method for using an access control rule, the method comprising:
receiving, from a first network device having a first rule comprising a first subset of qualifiers from a set of Access Control List (ACL) qualifiers, a packet that comprises a tag indicating that the packet comprises data or has associated metadata that matches the first subset of qualifiers, the first subset of qualifiers being defined by an ACL rule that relates the first subset of qualifiers and a second subset of qualifiers from the set of ACL qualifiers to an ACL action (Curcio: [0011]: generating a tag for first network device based on first subset of rules/qualifiers and first device tags the packet… ACL action is the deep packet inspection);
in response to the packet having the tag, determining, using a second rule that comprises the second subset of qualifiers and the ACL action, whether the packet comprises data or has associated metadata that matches the second subset of qualifiers (Curcio: [0011]-[0012]: second rule is to match the second set of pre-filters/qualifiers to the packet after comparing the tag to determine whether deep inspection/ACL action is required…when first and second sets of pre-filters match the packet data, take ACL action which may be deep packet inspection); and
in response to the packet matching the second subset of qualifiers, executing the ACL action at a second network device (Curcio: [0012]: perform deep packet inspection/ACL action when the first and second subset of pre-filters apply).

As per claim 9, Curcio discloses the computer-implemented method of claim 8. Curcio further discloses including the tag as one of the qualifiers in the second subset of qualifiers that relates to the ACL action (Curcio: [0011]-[0012]: read the tag from the packet to show that the packet matches the first subset of rules/qualifiers that relates to the deep packet inspection/ACL action).

As per claim 10, Curcio discloses the computer-implemented method of claim 8. Curcio further discloses wherein the ACL action controls flow of the packet (Curcio: [0011]: the subset of pre-filters/rules/qualifiers are used to control the packet).

As per claim 11, Curcio discloses the computer-implemented method of claim 8. Curcio further discloses wherein neither the first rule nor the second rule, when stored in a memory device, uses more bits in the memory device than the bits that would be used to store the ACL rule (Curcio: [0011]-[0012]: the subset of pre-filters or rules use fewer bits than the complete set of rules; [0010]: efficiently go through different subsets of rules to avoid additional processing unless necessary).

As per claim 12, Curcio discloses the computer-implemented method of claim 8. Curcio further discloses wherein the first network device, responsive to receiving the packet that comprises data or has associated metadata that matches the first subset of qualifiers, marks the packet with the tag (Curcio: [0011]: first device can tag the packet when the first subset of rules/qualifiers matches metadata of the packet).

As per claim 13, Curcio discloses the computer-implemented method of claim 12. Curcio further discloses wherein the first network device is a port extender that marks the packet by including the tag in a header of the packet (Curcio: [0017]-[0018]: network infrastructure device (e.g. switches, routers, access points, etc.); [0012]: place tag in a header of the packets).

As per claim 14, Curcio discloses the computer-implemented method of claim 13. Curcio further discloses wherein the tag is an e-tag that comprises metadata in a reserved field (Curcio: [0040]-[0041]).

As per claim 15, Curcio discloses a processor-implemented method comprising:
receiving, from a first information handling system at a second information handling system, a packet that comprises a tag, the tag indicating that the packet comprises data or associated metadata that matches a first qualifier set comprising one or more qualifiers, the first qualifier set being defined by an Access Control List (ACL) rule that relates at least the first qualifier set and a second qualifier set comprising one or more qualifiers to an ACL action (Curcio: [0011]: generating a tag for first network device based on first subset of rules/qualifiers and first device tags the packets… the second device reads the tag and makes a decision regarding flow of the packet… send packet for deep packet inspection/ACL action); and
in response to determining that the packet comprises data or has associated metadata that matches the second qualifier set (Curcio: [0011]-[0012]: second rule is to match the second set of pre-filters/qualifiers to the packet after comparing the tag to determine whether deep inspection/ACL action is required…when first and second sets of pre-filters match the packet data, take ACL action which may be deep packet inspection),
initiating execution of the ACL action to process the packet according to the ACL rule (Curcio: [0012]: send packet to deep packet inspection device when both first and second subset of rules/qualifiers are matched).

As per claim 16, Curcio discloses the processor-implemented method of claim 15. Curcio further discloses using the tag as one of the qualifiers of the second qualifier set (Curcio: [0011]-[0012]: read the tag from packet as qualifiers to trigger comparison of additional subset of rules).

As per claim 18, Curcio discloses the processor-implemented method of claim 15. Curcio further discloses wherein any one of the first qualifier set or the second qualifier set, when stored in a memory device, uses fewer bits in the memory device than the bits needed to store the ACL rule (Curcio: [0011]-[0012]: the subset of pre-filters or rules use fewer bits than the complete set of rules; [0010]: efficiently go through different subsets of rules to avoid additional processing unless necessary).

As per claim 19, Curcio discloses the processor-implemented method of claim 15. Curcio further discloses wherein the first information handling system, responsive to receiving the packet which comprises data or associated metadata that matches the first qualifier set, marks the packet with the tag (Curcio: [0011]: first device can tag the packet when the first subset of rules/qualifiers matches metadata of the packet).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Curcio in view of Brunner U.S. Pub. No. 20170223151 (Brunner).

As per claim 17, Curcio discloses the processor-implemented method of claim 15. Curcio does not explicitly disclose wherein the tag is a VLAN tag in an outer VLAN header and wherein the step of in response to determining that the packet comprises data or associated metadata that matches the second qualifier set, initiating execution of the ACL action to process the packet according to the ACL rule comprises: in response to relating the VLAN tag to a class identifier; removing the outer VLAN header; and assigning the class identifier to the packet; and in response to determining that the packet comprises data or has associated metadata that matches the second qualifier set and the class identifier, initiating execution of the ACL action according to the ACL rule. However, Brunner discloses marking a packet with a VLAN tag and modifying the header portion of the data packet responsive to inspecting at least part of the data portion of the data packet (Brunner: abstract; figure 3 and [0057]-[0060]). It would have been obvious to one having ordinary skill in the art to mark the packet with a tag by including a VLAN identifier to allow a virtual local area network to process the packet accordingly because they are analogous art involving tagging network packets to determine additional processing. The motivation to combine would be to ensure packets are routed and processed correctly even in a virtual local area network.
Curcio as modified does not explicitly disclose removing the VLAN tag, assigning a class identifier to the packet, and executing the ACL action when the classifier and second qualifier set match the data packet. However, maintaining the VLAN tag or replacing it with a classifier appears to be a matter of design choice, since the system works equally well with a VLAN tag or a substituted classifier, since the purpose of that information is to allow the second network device to ascertain whether the first subset of qualifiers matches the data packet to trigger additional comparison with the second subset of qualifiers.

As per claim 20, Curcio discloses the processor-implemented method of claim 19. Curcio does not explicitly disclose wherein the first information handling system marks the packet with a tag by including a VLAN identifier in a header of the packet. However, Brunner discloses marking a packet with a VLAN tag in the header of the packet to allow interconnected networking equipment to perform packet processing on the modified header information (Brunner: abstract; [0057]; [0060]). It would have been obvious to one having ordinary skill in the art to mark the packet with a tag by including a VLAN identifier to allow a virtual local area network to process the packet accordingly because they are analogous art involving tagging network packets to determine additional processing. The motivation to combine would be to ensure packets are routed and processed correctly even in a virtual local area network.

Response to Arguments
Applicant's arguments filed on 7/19/22 have been fully considered but they are not persuasive.
First, Applicant argues that the prior art of record does not disclose an ACL rule. Examiner disagrees. Based on broadest reasonable interpretation, the ACL rule is interpreted as an access control rule that determines whether a packet should be subject to deep packet inspection (Curcio: [0011]: ACL rule is related to deep packet inspection/the ACL action).
Second, Applicant argues that the prior art of record does not disclose taking a single rule and splitting the qualifier of that rule into two separate sets of qualifiers. Examiner disagrees. As explained in the previous office action, the first and second subsets of pre-filter rules are interpreted as the first and second subsets of qualifiers, since the pre-filter rules serve as conditions that trigger further analysis that leads to deep packet inspection/ACL action (Curcio: [0011]-[0012]: second rule is to match the second set of pre-filters/qualifiers to the packet after comparing the tag to determine whether deep inspection/ACL action is required…when first and second sets of pre-filters match the packet data, take ACL action which may be deep packet inspection).
Third, Applicant argues that the prior art of record is for a different reason using a different approach to get a different result, and not dealing with splitting a single rule across devices. Examiner disagrees. The claims do not clearly disclose “splitting a single rule across devices.” The claims recite executing an ACL action based on first and second subsets of qualifiers at different devices, which is disclosed by Curcio. Specifically, Curcio discloses inspecting packets using a first subset of pre-filter rules at a first device and a second subset of pre-filter rules that serve as qualifiers to determine whether deep packet inspection is required (Curcio: [0011]-[0012]). Examiner explained in the previous office action that the ACL rule is directed toward deep packet inspection, and the subsets of pre-filter rules are the qualifiers applied at different network devices to determine whether to execute the deep packet inspection/ACL action.
Applicant’s arguments regarding claims 1, 8 and 15 are not persuasive in light of the above explanation. Applicant is advised to further clarify the inventive concept to expedite prosecution.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIN HON (ERIC) CHEN whose telephone number is (571)272-3789. The examiner can normally be reached Monday to Thursday 9am-7pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHIN-HON (ERIC) CHEN/Primary Examiner, Art Unit 2431