Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 5/12/22 has been entered.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 7, 8, 14 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over TUMULURU et al. (U.S. Pub No. 2018/0069924 A1) in view of Rong et al. (U.S. Pub No. 2018/0198854 A1).


1. TUMULURU teaches a method for a network device to perform service insertion in a public cloud environment that includes a first virtual network and a second virtual network [par 0025, 0026, Cloud computing environment 170 supports the creation of a virtual data center 180 having a plurality of virtual machines 172 instantiated to, for example, host deployed multi-tier applications. Virtual data center 180 includes one or more virtual networks 182 used to communicate between VMs 172 and managed by at least one networking gateway component (e.g., gateway 184), as well as one or more isolated internal networks 186 not connected to gateway 184. Gateway 184 (e.g., executing as a virtual machine) is configured to provide VMs 172 and other components in cloud computing environment 170 with connectivity to an external network 140 (e.g., Internet)]; wherein the method comprises: in response to receiving a first encapsulated packet from a first virtualized computing instance located in the first virtual network, generating, by the network device, a decapsulated packet by performing decapsulation to remove, from the first encapsulated packet, a first outer header that is addressed from the first virtualized computing instance to the network device [par 0052, the packets may all have the same source and destination IP address in their outer headers and be placed based on RSS/RPS hashing into the same queue, which can create an undesirable bottleneck. One embodiment provides an enhancement to RPS that looks deeper in received packets at internal IP addresses rather than just IP addresses in the outer header.
In one embodiment, L2 concentrator 185 determines whether a received packet is a FOU packet and, if such is the case, L2 concentrator 185 looks deeper at an IPsec outer IP address, which is used to hash and place the FOU packet in a receive queue associated with a CPU that removes the FOU header, decrypts and decapsulates the IPsec packet, and removes the GRE header]; wherein the service path and the network device are both located in the second virtual network [par 0026, Gateway 184 is a WAN facing device providing services such as intelligent routing, traffic steering, WAN optimization, encryption, etc. Gateway 184 may be configured to provide virtual private network (VPN) connectivity over a network 140 with another VPN endpoint, such as a gateway 124 within virtualized computing system 102. In other embodiments, gateway 184 may be configured to connect to communicate with virtualized computing system 102 using a high-throughput, dedicated link between virtualized computing system 102 and cloud computing system 150], sending, by the network device, the decapsulated packet, or generating and sending, by the network device, a second encapsulated packet that includes a second outer header and the decapsulated packet, towards a destination address of the decapsulated packet [par 0052, Doing so distributes FOU packets would otherwise hash to the same queue across different queues, thereby providing performance parallelism. In a particular embodiment, the hash on the IPsec outer IP address may include computing the outer IP address modulo a number of available CPUs or cores. 
After CPUs or cores 460.sub.i process packets, the packets are sent to respective transmit queues 470.sub.i for transmission over a cloud-side network to which L2 concentrator 185 is connected], wherein the service path and the network device are both located in the second virtual network [par 0026, Gateway 184 is a WAN facing device providing services such as intelligent routing, traffic steering, WAN optimization, encryption, etc. Gateway 184 may be configured to provide virtual private network (VPN) connectivity over a network 140 with another VPN endpoint, such as a gateway 124 within virtualized computing system 102. In other embodiments, gateway 184 may be configured to connect to communicate with virtualized computing system 102 using a high-throughput, dedicated link between virtualized computing system 102 and cloud computing system 150].
 	TUMULURU fails to show: based on one or more characteristics of the decapsulated packet, identifying, by the network device, a service path specified by a service insertion rule, based on the service insertion rule, sending, by the network device, the decapsulated packet to a first service virtualized computing instance located on the service path to cause the service path to process the decapsulated packet according to one or more services;
 	In an analogous art, Rong shows: based on one or more characteristics of the decapsulated packet, identifying, by the network device, a service path specified by a service insertion rule [par 0029, 0032, The destination NVE decapsulates a tunneled packet—i.e., recovers the packet from the encapsulation—and forwards the decapsulated packet to the correct destination VM. The destination VM then processes the packet using a real server. The underlay sends the encapsulated packet to an intermediate NVE where the load-balancer is operating. The intermediate NVE decapsulates the packet to allow the load-balancer to use the packet in load-balancing. The intermediate NVE encapsulates the packet for the destination NVE where the real server selected by the load-balancer exists. The destination decapsulates the packet to allow the real server to service the request in the packet]; based on the service insertion rule, sending, by the network device, the decapsulated packet to a first service virtualized computing instance located on the service path to cause the service path to process the decapsulated packet according to one or more services [par 0015, 0032, The embodiment modifies a forwarding table in the NVE to indicate that a next hop for a packet having a destination address of the load-balancer instance is to be resolved by the load-balancer instance. The embodiment forwards the packet, using the modified forwarding table. The intermediate NVE decapsulates the packet to allow the load-balancer to use the packet in load-balancing. The intermediate NVE encapsulates the packet for the destination NVE where the real server selected by the load-balancer exists.
The destination decapsulates the packet to allow the real server to service the request in the packet], and in response to the network device receiving the decapsulated packet processed by the service path [par 0032,0072, The destination decapsulates the packet to allow the real server to service the request in the packet. Load-balancer selects a real server, say, server1 416 to service the request of the packet].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU and Rong because this provides a method to implement a load-balancer in a distributed manner in an NVE.

 

7. TUMULURU and Rong describe the method of claim 1. TUMULURU fails to show: wherein the method further comprises: prior to receiving the first encapsulated packet, configuring the service insertion rule in a route table associated with a subnet interface.
 	In an analogous art, Rong shows: wherein the method further comprises: prior to receiving the first encapsulated packet, configuring the service insertion rule in a route table associated with a subnet interface [par 0015, The embodiment modifies a forwarding table in the NVE to indicate that a next hop for a packet having a destination address of the load-balancer instance is to be resolved by the load-balancer instance. The embodiment determines, from a portion of the packet, and using the load-balancer instance, a value usable to select a singular next hop to a first real server in a pool of real servers managed by the load-balancer instance. The embodiment forwards the packet, using the modified forwarding table].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU and Rong because this provides a method to implement a load-balancer in a distributed manner in an NVE.


8. TUMULURU describes a non-transitory computer-readable storage medium that includes a set of instructions which, in response to execution by a processor of a network device, cause the processor to perform a method of service insertion in a public cloud environment that includes a first virtual network and a second virtual network [par 0025, 0026, Cloud computing environment 170 supports the creation of a virtual data center 180 having a plurality of virtual machines 172 instantiated to, for example, host deployed multi-tier applications. Virtual data center 180 includes one or more virtual networks 182 used to communicate between VMs 172 and managed by at least one networking gateway component (e.g., gateway 184), as well as one or more isolated internal networks 186 not connected to gateway 184. Gateway 184 (e.g., executing as a virtual machine) is configured to provide VMs 172 and other components in cloud computing environment 170 with connectivity to an external network 140 (e.g., Internet)], wherein the method comprises: in response to receiving a first encapsulated packet from a first virtualized computing instance located in the first virtual network, generating, by the network device, a decapsulated packet by performing decapsulation to remove, from the first encapsulated packet, a first outer header that is addressed from the first virtualized computing instance to the network device; [par 0052, the packets may all have the same source and destination IP address in their outer headers and be placed based on RSS/RPS hashing into the same queue, which can create an undesirable bottleneck. One embodiment provides an enhancement to RPS that looks deeper in received packets at internal IP addresses rather than just IP addresses in the outer header.
In one embodiment, L2 concentrator 185 determines whether a received packet is a FOU packet and, if such is the case, L2 concentrator 185 looks deeper at an IPsec outer IP address, which is used to hash and place the FOU packet in a receive queue associated with a CPU that removes the FOU header, decrypts and decapsulates the IPsec packet, and removes the GRE header]; wherein the service path and the network device are both located in the second virtual network [par 0026, Gateway 184 is a WAN facing device providing services such as intelligent routing, traffic steering, WAN optimization, encryption, etc. Gateway 184 may be configured to provide virtual private network (VPN) connectivity over a network 140 with another VPN endpoint, such as a gateway 124 within virtualized computing system 102. In other embodiments, gateway 184 may be configured to connect to communicate with virtualized computing system 102 using a high-throughput, dedicated link between virtualized computing system 102 and cloud computing system 150]; sending, by the network device, the decapsulated packet, or generating and sending, by the network device, a second encapsulated packet that includes a second outer header and the decapsulated packet, towards a destination address of the decapsulated packet [par 0052, Doing so distributes FOU packets would otherwise hash to the same queue across different queues, thereby providing performance parallelism. In a particular embodiment, the hash on the IPsec outer IP address may include computing the outer IP address modulo a number of available CPUs or cores. After CPUs or cores 460.sub.i process packets, the packets are sent to respective transmit queues 470.sub.i for transmission over a cloud-side network to which L2 concentrator 185 is connected].
 	TUMULURU fails to show: based on one or more characteristics of the decapsulated packet, identifying, by the network device, a service path specified by a service insertion rule; based on the service insertion rule, sending, by the network device, the decapsulated packet to a first service virtualized computing instance located on the service path to cause the service path to process the decapsulated packet according to one or more services; and in response to the network device receiving the decapsulated packet processed by the service path
 	In an analogous art, Rong shows: based on one or more characteristics of the decapsulated packet, identifying, by the network device, a service path specified by a service insertion rule [par 0029, 0032, The destination NVE decapsulates a tunneled packet—i.e., recovers the packet from the encapsulation—and forwards the decapsulated packet to the correct destination VM. The destination VM then processes the packet using a real server. The underlay sends the encapsulated packet to an intermediate NVE where the load-balancer is operating. The intermediate NVE decapsulates the packet to allow the load-balancer to use the packet in load-balancing. The intermediate NVE encapsulates the packet for the destination NVE where the real server selected by the load-balancer exists. The destination decapsulates the packet to allow the real server to service the request in the packet], based on the service insertion rule, sending, by the network device, the decapsulated packet to a first service virtualized computing instance located on the service path to cause the service path to process the decapsulated packet according to one or more services [par 0015, 0032, The embodiment modifies a forwarding table in the NVE to indicate that a next hop for a packet having a destination address of the load-balancer instance is to be resolved by the load-balancer instance. The embodiment forwards the packet, using the modified forwarding table. The intermediate NVE decapsulates the packet to allow the load-balancer to use the packet in load-balancing. The intermediate NVE encapsulates the packet for the destination NVE where the real server selected by the load-balancer exists.
The destination decapsulates the packet to allow the real server to service the request in the packet]; and in response to the network device receiving the decapsulated packet processed by the service path[par 0032,0072, The destination decapsulates the packet to allow the real server to service the request in the packet. Load-balancer selects a real server, say, server1 416 to service the request of the packet].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU and Rong because this provides a method to implement a load-balancer in a distributed manner in an NVE.

14. TUMULURU and Rong provide the non-transitory computer-readable storage medium of claim 8. TUMULURU fails to show: wherein the method further comprises: prior to receiving the first encapsulated packet, configuring the service insertion rule in a route table associated with a subnet interface.
 	In an analogous art, Rong shows: wherein the method further comprises: prior to receiving the first encapsulated packet, configuring the service insertion rule in a route table associated with a subnet interface [par 0015, The embodiment modifies a forwarding table in the NVE to indicate that a next hop for a packet having a destination address of the load-balancer instance is to be resolved by the load-balancer instance. The embodiment determines, from a portion of the packet, and using the load-balancer instance, a value usable to select a singular next hop to a first real server in a pool of real servers managed by the load-balancer instance. The embodiment forwards the packet, using the modified forwarding table].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU and Rong because this provides a method to implement a load-balancer in a distributed manner in an NVE.


15. TUMULURU provide a computer system configured to perform service insertion in a public cloud environment that includes a first virtual network and a second virtual network, wherein the computer system comprises: a processor; and a non-transitory computer-readable medium having stored thereon instructions that, when executed by the processor[par 0006, 0025, 0026, Cloud computing environment 170 supports the creation of a virtual data center 180 having a plurality of virtual machines 172 instantiated to, for example, host deployed multi-tier applications. Virtual data center 180 includes one or more virtual networks 182 used to communicate between VMs 172 and managed by at least one networking gateway component (e.g., gateway 184), as well as one or more isolated internal networks 186 not connected to gateway 184. Gateway 184 (e.g., executing as a virtual machine) is configured to provide VMs 172 and other components in cloud computing environment 170 with connectivity to an external network 140 (e.g., Internet)], cause the processor: in response to receiving a first encapsulated packet from a first virtualized computing instance located in the first virtual network, generate a decapsulated packet by performing decapsulation to remove, from the first encapsulated packet, a first outer header that is addressed from the first virtualized computing instance to the computer system [par 0052, the packets may all have the same source and destination IP address in their outer headers and be placed based on RSS/RPS hashing into the same queue, which can create an undesirable bottleneck. One embodiment provides an enhancement to RPS that looks deeper in received packets at internal IP addresses rather than just IP addresses in the outer header. 
In one embodiment, L2 concentrator 185 determines whether a received packet is a FOU packet and, if such is the case, L2 concentrator 185 looks deeper at an IPsec outer IP address, which is used to hash and place the FOU packet in a receive queue associated with a CPU that removes the FOU header, decrypts and decapsulates the IPsec packet, and removes the GRE header]; wherein the service path and the network device are both located in the second virtual network [par 0026, Gateway 184 is a WAN facing device providing services such as intelligent routing, traffic steering, WAN optimization, encryption, etc. Gateway 184 may be configured to provide virtual private network (VPN) connectivity over a network 140 with another VPN endpoint, such as a gateway 124 within virtualized computing system 102. In other embodiments, gateway 184 may be configured to connect to communicate with virtualized computing system 102 using a high-throughput, dedicated link between virtualized computing system 102 and cloud computing system 150]; receiving the decapsulated packet, or generating and send a second encapsulated packet that includes a second outer header and the decapsulated packet, towards a destination address of the decapsulated packet [par 0052, Doing so distributes FOU packets would otherwise hash to the same queue across different queues, thereby providing performance parallelism. In a particular embodiment, the hash on the IPsec outer IP address may include computing the outer IP address modulo a number of available CPUs or cores. After CPUs or cores 460.sub.i process packets, the packets are sent to respective transmit queues 470.sub.i for transmission over a cloud-side network to which L2 concentrator 185 is connected].
 	TUMULURU fails to show: based on one or more characteristics of the decapsulated packet, identify a service path specified by a service insertion rule, wherein the service path and the computer system are both located in the second virtual network; based on the service insertion rule, send the decapsulated packet to a first service virtualized computing instance located on the service path to cause the service path to process the decapsulated packet according to one or more services;
 	In an analogous art  Rong show based on one or more characteristics of the decapsulated packet, identify a service path specified by a service insertion rule[par 0029, 0032, The destination NVE decapsulates a tunneled packet—i.e., recovers the packet from the encapsulation—and forwards the decapsulated packet to the correct destination VM. The destination VM then processes the packet using a real server. The underlay sends the encapsulated packet to an intermediate NVE where the load-balancer is operating. The intermediate NVE decapsulates the packet to allow the load-balancer to use the packet in load-balancing. The intermediate NVE encapsulates the packet for the destination NVE where the real server selected by the load-balancer exists. The destination decapsulates the packet to allow the real server to service the request in the packet]; wherein the service path and the computer system are both located in the second virtual network[par 0026, Gateway 184 is a WAN facing device providing services such as intelligent routing, traffic steering, WAN optimization, encryption, etc. Gateway 184 may be configured to provide virtual private network (VPN) connectivity over a network 140 with another VPN endpoint, such as a gateway 124 within virtualized computing system 102. In other embodiments, gateway 184 may be configured to connect to communicate with virtualized computing system 102 using a high-throughput, dedicated link between virtualized computing system 102 and cloud computing system 150]; send the decapsulated packet to a first service virtualized computing instance located on the service path to cause the service path to process the decapsulated packet according to one or more services [par 0015, 0032, The embodiment modifies a forwarding table in the NVE to indicate that a next hop for a packet having a destination address of the load-balancer instance is to be resolved by the load-balancer instance. 
The embodiment forwards the packet, using the modified forwarding table. The intermediate NVE decapsulates the packet to allow the load-balancer to use the packet in load-balancing. The intermediate NVE encapsulates the packet for the destination NVE where the real server selected by the load-balancer exists. The destination decapsulates the packet to allow the real server to service the request in the packet]; 
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU and Rong because this provides a method to implement a load-balancer in a distributed manner in an NVE.


5. Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over TUMULURU et al. (U.S. Pub No. 2018/0069924 A1) in view of Rong et al. (U.S. Pub No. 2018/0198854 A1) in further view of Cheng et al. (U.S. Pub No. 2020/0213224 A1).

2. TUMULURU and Rong disclose the method of claim 1, TUMULURU and Rong fail to show wherein identifying the service path comprises: matching the destination address in the decapsulated packet to a first classless inter-domain routing (CIDR) block specified by the service insertion rule, wherein the first virtual network is associated with the first CIDR block and the second virtual network is associated with a second CIDR block.
 	In an analogous art, Cheng shows: wherein identifying the service path comprises: matching the destination address in the decapsulated packet to a first classless inter-domain routing (CIDR) block specified by the service insertion rule [par 0071, 0072, In some examples, the CSW 400 may ascertain whether the ingress packet matches a switch interface identifier, VLAN tag, and/or destination IP address (e.g., VM IP) in the fast-path table and/or a switch interface identifier, VLAN tag, destination subnet (e.g., CIDR block) in the slow-path table. If the CSW 400 determines that the ingress packet generates a hit (416), the CSW 400 may forward the ingress packet to the VPC router 418, which may include encapsulating the ingress packet, and the VPC router 418 may decapsulate the packet and forward the packet to the appropriate VM host running the VM instance], wherein the first virtual network is associated with the first CIDR block and the second virtual network is associated with a second CIDR block [par 0084, 0085, a key 510 of a slow-path table 502 may map a VLAN tag and/or CIDR block identifier (e.g., a subnet identifier) to a value 512, which may include a global VNI (e.g., a range and/or pool of VNIs) and/or a gateway IP address (e.g., a VTEP address that terminates at the gateway 408)].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU, Rong, and Cheng because this provides isolation of network traffic between tenants using a programmable switch that routes network traffic directly to the appropriate virtual private cloud (VPC).

9. TUMULURU and Rong reveal the non-transitory computer-readable storage medium of claim 8, TUMULURU and AKIYOSHI fail to show wherein identifying the service path comprises: matching the destination address in the decapsulated packet to a first classless inter-domain routing (CIDR) block specified by the service insertion rule, wherein the first virtual network is associated with the first CIDR block and the second virtual network is associated with a second CIDR block.
 	In an analogous art, Cheng shows: wherein identifying the service path comprises: matching the destination address in the decapsulated packet to a first classless inter-domain routing (CIDR) block specified by the service insertion rule [par 0071, 0072, In some examples, the CSW 400 may ascertain whether the ingress packet matches a switch interface identifier, VLAN tag, and/or destination IP address (e.g., VM IP) in the fast-path table and/or a switch interface identifier, VLAN tag, destination subnet (e.g., CIDR block) in the slow-path table. If the CSW 400 determines that the ingress packet generates a hit (416), the CSW 400 may forward the ingress packet to the VPC router 418, which may include encapsulating the ingress packet, and the VPC router 418 may decapsulate the packet and forward the packet to the appropriate VM host running the VM instance], wherein the first virtual network is associated with the first CIDR block and the second virtual network is associated with a second CIDR block [par 0084, 0085, a key 510 of a slow-path table 502 may map a VLAN tag and/or CIDR block identifier (e.g., a subnet identifier) to a value 512, which may include a global VNI (e.g., a range and/or pool of VNIs) and/or a gateway IP address (e.g., a VTEP address that terminates at the gateway 408)].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU, Rong, and Cheng because this provides isolation of network traffic between tenants using a programmable switch that routes network traffic directly to the appropriate virtual private cloud (VPC).


16. TUMULURU and Rong provide the computer system of claim 15. TUMULURU and Rong fail to show: wherein the instructions for identifying the service path cause the processor to: match the destination address in the decapsulated packet to a first classless inter-domain routing (CIDR) block specified by the service insertion rule, wherein the first virtual network is associated with the first CIDR block and the second virtual network is associated with a second CIDR block.
 	In an analogous art, Cheng shows: wherein the instructions for identifying the service path cause the processor to: match the destination address in the decapsulated packet to a first classless inter-domain routing (CIDR) block specified by the service insertion rule [par 0071, 0072, In some examples, the CSW 400 may ascertain whether the ingress packet matches a switch interface identifier, VLAN tag, and/or destination IP address (e.g., VM IP) in the fast-path table and/or a switch interface identifier, VLAN tag, destination subnet (e.g., CIDR block) in the slow-path table. If the CSW 400 determines that the ingress packet generates a hit (416), the CSW 400 may forward the ingress packet to the VPC router 418, which may include encapsulating the ingress packet, and the VPC router 418 may decapsulate the packet and forward the packet to the appropriate VM host running the VM instance], wherein the first virtual network is associated with the first CIDR block and the second virtual network is associated with a second CIDR block [par 0084, 0085, a key 510 of a slow-path table 502 may map a VLAN tag and/or CIDR block identifier (e.g., a subnet identifier) to a value 512, which may include a global VNI (e.g., a range and/or pool of VNIs) and/or a gateway IP address (e.g., a VTEP address that terminates at the gateway 408)].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU, Rong, and Cheng because this provides isolation of network traffic between tenants using a programmable switch that routes network traffic directly to the appropriate virtual private cloud (VPC).


Claims 4-6, 11-13 and 18-21 are rejected under 35 U.S.C. 103 as being unpatentable over TUMULURU et al. (U.S. Pub No. 2018/0069924 A1) in view of Rong et al. (U.S. Pub No. 2018/0198854 A1) in further view of AKIYOSHI et al. (U.S. Pub No. 2016/0157274 A1).

4. TUMULURU and Rong illustrate the method of claim 3, TUMULURU and Rong fail to show wherein sending the decapsulated packet to the service path comprises: identifying that the first service virtualized computing instance is assigned with an active role based on a control-plane advertisement or a data-plane probe from the first service virtualized computing instance, wherein the first service virtualized computing instance and a second service virtualized computing instance are configured as a high availability (HA) pair
 	In an analogous art, AKIYOSHI shows: wherein sending the decapsulated packet to the service path comprises: identifying that the first service virtualized computing instance is assigned with an active role based on a control-plane advertisement or a data-plane probe from the first service virtualized computing instance, wherein the first service virtualized computing instance and a second service virtualized computing instance are configured as a high availability (HA) pair [par 0206, The core system 701 includes a virtual S-GW 740 that is constructed by using software such as Virtual Machine. The virtual S-GW 740 includes a C-plane S-GW and a plurality of U-plane S-GWs 740-1 and 740-2 that correspond to the plurality of P-GWs 720-1 and 720-2, respectively. For example, the virtual S-GW 740 is constructed by activating software such as Virtual Machine on a server or general communication equipment. The C-plane S-GW 730 may be an apparatus different from an apparatus on which the virtual S-GW 740 is constructed. Moreover, it is also possible that the C-plane S-GW 730 is constructed by using software such as Virtual Machine on the apparatus on which the virtual S-GW 740 is constructed].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU, Rong, and AKIYOSHI because this provides a communication system in which a logical path is configured in a network to perform communication, comprising second gateways which are deployed for a plurality of first gateways.

5. TUMULURU and Rong provide the method of claim 1; TUMULURU and Rong fail to show wherein sending the decapsulated packet towards the destination address comprises: sending the decapsulated packet towards the destination address associated with a destination located in an external network, wherein the network device connects the first virtualized computing instance to the external network.
 	In an analogous art AKIYOSHI shows wherein sending the decapsulated packet towards the destination address comprises: sending the decapsulated packet towards the destination address associated with a destination located in an external network, wherein the network device connects the first virtualized computing instance to the external network [par 0059, 0244, if the logical path 50 is constructed in multiple stages in a cascaded manner, not a combination of decapsulating processing and encapsulating processing but a modification to information included in the outer header may be performed. Examples of the information to be modified include, but are not limited to, information for identifying a logical path included in the outer header, such as source and destination IP addresses and a Tunneling Endpoint Identifier (TEID). The U-plane S-GW 740-2 forwards a packet to the IPsec function 7712. The IPsec function 7712 encrypts the packet. The IPsec function 7712 determines which of the IPsec GWs 780-1 and 780-2 the packet is forwarded to, based on the destination IP address of the packet. If the destination IP address is IP address (A), which is the address of the virtual S-GW 740].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU, Rong, and AKIYOSHI because this provides a communication system in which a logical path is configured in a network to perform communication, comprising: second gateways, which are deployed for a plurality of first gateways.

6. TUMULURU and Rong display the method of claim 1; TUMULURU and Rong fail to show wherein generating the second encapsulated packet comprises: generating the second encapsulated packet by encapsulating the decapsulated packet with a second outer header, wherein the second outer header is addressed from the network device to a second virtualized computing instance located in the first virtual network.
 	In an analogous art AKIYOSHI shows wherein generating the second encapsulated packet comprises: generating the second encapsulated packet by encapsulating the decapsulated packet with a second outer header, wherein the second outer header is addressed from the network device to a second virtualized computing instance located in the first virtual network [par 0078, The encapsulation function section 102 performs encapsulation based on a data packet input from the packet forward section 12 and metadata including identification information for identifying the logical path 50 and sends the resultant as a packet belonging to the logical path 50. Note that it is also possible to mark the header of a packet with QoS (Quality of Service) information at the time of encapsulation. The decapsulation function section 103, when receiving a packet belonging to the logical path 50, decapsulates the received packet and then outputs the decapsulated data packet to the packet forward section 12 and also outputs the identification information of the logical path 50 included in the outer header to the packet forward section 12 as metadata].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU, Rong, and AKIYOSHI because this provides a communication system in which a logical path is configured in a network to perform communication, comprising: second gateways, which are deployed for a plurality of first gateways.

11. TUMULURU and Rong convey the non-transitory computer-readable storage medium of claim 10; TUMULURU and Rong fail to show wherein sending the decapsulated packet to the service path comprises: identifying that the first service virtualized computing instance is assigned with an active role based on a control-plane advertisement or a data-plane probe from the first service virtualized computing instance, wherein the first service virtualized computing instance and a second service virtualized computing instance are configured as a high availability (HA) pair.
 	In an analogous art AKIYOSHI shows wherein sending the decapsulated packet to the service path comprises: identifying that the first service virtualized computing instance is assigned with an active role based on a control-plane advertisement or a data-plane probe from the first service virtualized computing instance, wherein the first service virtualized computing instance and a second service virtualized computing instance are configured as a high availability (HA) pair [par 0206, The core system 701 includes a virtual S-GW 740 that is constructed by using software such as Virtual Machine. The virtual S-GW 740 includes a C-plane S-GW and a plurality of U-plane S-GWs 740-1 and 740-2 that correspond to the plurality of P-GWs 720-1 and 720-2, respectively. For example, the virtual S-GW 740 is constructed by activating software such as Virtual Machine on a server or general communication equipment. The C-plane S-GW 730 may be an apparatus different from an apparatus on which the virtual S-GW 740 is constructed. Moreover, it is also possible that the C-plane S-GW 730 is constructed by using software such as Virtual Machine on the apparatus on which the virtual S-GW 740 is constructed].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU, Rong, and AKIYOSHI because this provides a communication system in which a logical path is configured in a network to perform communication, comprising: second gateways, which are deployed for a plurality of first gateways.

12. TUMULURU and Rong define the non-transitory computer-readable storage medium of claim 8; TUMULURU and Rong fail to show wherein sending the decapsulated packet towards the destination address comprises: sending the decapsulated packet towards the destination address associated with a destination located in an external network, wherein the network device connects the first virtualized computing instance to the external network.
 	In an analogous art AKIYOSHI shows wherein sending the decapsulated packet towards the destination address comprises: sending the decapsulated packet towards the destination address associated with a destination located in an external network, wherein the network device connects the first virtualized computing instance to the external network [par 0059, 0244, if the logical path 50 is constructed in multiple stages in a cascaded manner, not a combination of decapsulating processing and encapsulating processing but a modification to information included in the outer header may be performed. Examples of the information to be modified include, but are not limited to, information for identifying a logical path included in the outer header, such as source and destination IP addresses and a Tunneling Endpoint Identifier (TEID). The U-plane S-GW 740-2 forwards a packet to the IPsec function 7712. The IPsec function 7712 encrypts the packet. The IPsec function 7712 determines which of the IPsec GWs 780-1 and 780-2 the packet is forwarded to, based on the destination IP address of the packet. If the destination IP address is IP address (A), which is the address of the virtual S-GW 740].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU, Rong, and AKIYOSHI because this provides a communication system in which a logical path is configured in a network to perform communication, comprising: second gateways, which are deployed for a plurality of first gateways.


13. TUMULURU and Rong display the non-transitory computer-readable storage medium of claim 8; TUMULURU and Rong fail to show wherein generating the second encapsulated packet comprises: generating the second encapsulated packet by encapsulating the decapsulated packet with a second outer header, wherein the second outer header is addressed from the network device to a second virtualized computing instance located in the first virtual network.
 	In an analogous art AKIYOSHI shows wherein generating the second encapsulated packet comprises: generating the second encapsulated packet by encapsulating the decapsulated packet with a second outer header, wherein the second outer header is addressed from the network device to a second virtualized computing instance located in the first virtual network [par 0078, The encapsulation function section 102 performs encapsulation based on a data packet input from the packet forward section 12 and metadata including identification information for identifying the logical path 50 and sends the resultant as a packet belonging to the logical path 50. Note that it is also possible to mark the header of a packet with QoS (Quality of Service) information at the time of encapsulation. The decapsulation function section 103, when receiving a packet belonging to the logical path 50, decapsulates the received packet and then outputs the decapsulated data packet to the packet forward section 12 and also outputs the identification information of the logical path 50 included in the outer header to the packet forward section 12 as metadata].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU, Rong, and AKIYOSHI because this provides a communication system in which a logical path is configured in a network to perform communication, comprising: second gateways, which are deployed for a plurality of first gateways.

18. TUMULURU and Rong reveal the computer system of claim 17; TUMULURU and Rong fail to show wherein the instructions for sending the decapsulated packet to the service path cause the processor to: identify that the first service virtualized computing instance is assigned with an active role based on a control-plane advertisement or a data-plane probe from the first service virtualized computing instance, wherein the first service virtualized computing instance and a second service virtualized computing instance are configured as a high availability (HA) pair.
 	In an analogous art AKIYOSHI shows wherein the instructions for sending the decapsulated packet to the service path cause the processor to: identify that the first service virtualized computing instance is assigned with an active role based on a control-plane advertisement or a data-plane probe from the first service virtualized computing instance, wherein the first service virtualized computing instance and a second service virtualized computing instance are configured as a high availability (HA) pair [par 0078, 0079, The decapsulation function section 103, when receiving a packet belonging to the logical path 50, decapsulates the received packet and then outputs the decapsulated data packet to the packet forward section 12 and also outputs the identification information of the logical path 50 included in the outer header to the packet forward section 12 as metadata. The packet forward section 12 performs packet forwarding in accordance with a packet forward rule from the control apparatus 20. The packet forward section 12, in accordance with the packet forward rule, can exchange information related to the logical path termination processing with the logical path module 11 concurrently with packet forwarding].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU, Rong, and AKIYOSHI because this provides a communication system in which a logical path is configured in a network to perform communication, comprising: second gateways, which are deployed for a plurality of first gateways.


19. TUMULURU and Rong illustrate the computer system of claim 15; TUMULURU and Rong fail to show wherein the instructions for sending the decapsulated packet towards the destination address cause the processor to: send the decapsulated packet towards the destination address associated with a destination located in an external network, wherein the computer system connects the first virtualized computing instance to the external network.
 	In an analogous art AKIYOSHI shows wherein the instructions for sending the decapsulated packet towards the destination address cause the processor to: send the decapsulated packet towards the destination address associated with a destination located in an external network, wherein the computer system connects the first virtualized computing instance to the external network [par 0059, 0244, if the logical path 50 is constructed in multiple stages in a cascaded manner, not a combination of decapsulating processing and encapsulating processing but a modification to information included in the outer header may be performed. Examples of the information to be modified include, but are not limited to, information for identifying a logical path included in the outer header, such as source and destination IP addresses and a Tunneling Endpoint Identifier (TEID). The U-plane S-GW 740-2 forwards a packet to the IPsec function 7712. The IPsec function 7712 encrypts the packet. The IPsec function 7712 determines which of the IPsec GWs 780-1 and 780-2 the packet is forwarded to based on the destination IP address of the packet. If the destination IP address is IP address (A), which is the address of the virtual S-GW 740].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU, Rong, and AKIYOSHI because this provides a communication system in which a logical path is configured in a network to perform communication, comprising: second gateways, which are deployed for a plurality of first gateways.

20. TUMULURU and Rong disclose the computer system of claim 15; TUMULURU and Rong fail to show wherein the instructions for generating the second encapsulated packet cause the processor to: generate the second encapsulated packet by encapsulating the decapsulated packet with a second outer header, wherein the second outer header is addressed from the computer system to a second virtualized computing instance located in the first virtual network.
 	In an analogous art AKIYOSHI shows wherein the instructions for generating the second encapsulated packet cause the processor to: generate the second encapsulated packet by encapsulating the decapsulated packet with a second outer header, wherein the second outer header is addressed from the computer system to a second virtualized computing instance located in the first virtual network [par 0078, The encapsulation function section 102 performs encapsulation based on a data packet input from the packet forward section 12 and metadata including identification information for identifying the logical path 50 and sends the resultant as a packet belonging to the logical path 50. Note that it is also possible to mark the header of a packet with QoS (Quality of Service) information at the time of encapsulation. The decapsulation function section 103, when receiving a packet belonging to the logical path 50, decapsulates the received packet and then outputs the decapsulated data packet to the packet forward section 12 and also outputs the identification information of the logical path 50 included in the outer header to the packet forward section 12 as metadata].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU, Rong, and AKIYOSHI because this provides a communication system in which a logical path is configured in a network to perform communication, comprising: second gateways, which are deployed for a plurality of first gateways.

21. TUMULURU and Rong provide the computer system of claim 15; TUMULURU and Rong fail to show wherein the instructions further cause the processor to: prior to receiving the first encapsulated packet, configure the service insertion rule in a route table associated with a subnet interface.
 	In an analogous art AKIYOSHI shows wherein the instructions further cause the processor to: prior to receiving the first encapsulated packet, configure the service insertion rule in a route table associated with a subnet interface [par 0104, 0105, A flow entry includes Match Fields, which prescribe matching rules to be matched against information (e.g., destination IP address, VLAN ID, and the like) included in a header of a packet received by the Switch, a field (Counters) indicating statistical information on each packet flow, and an action field (Action), which prescribes packet processing methods that match the matching rules. If an entry that matches the header information in the received packet is retrieved, the OpenFlow Switch 391 processes the received packet in accordance with a processing method prescribed in the action field of the retrieved entry].
 	Before the effective filing date it would have been obvious to one of ordinary skill in the art to combine the teachings of TUMULURU, Rong, and AKIYOSHI because this provides a communication system in which a logical path is configured in a network to perform communication, comprising: second gateways, which are deployed for a plurality of first gateways.

Response to Arguments


The final Office Action concedes that Tumuluru fails to teach the aforementioned elements and relies on Akiyoshi to cure the deficiencies of Tumuluru. See final Office Action, Page 4. However, it is respectfully submitted that Akiyoshi does not teach or suggest these elements.
Akiyoshi clearly does not teach any service virtualized computing instance located on its logical path 50, let alone require sending the decapsulated packet on logical path 50 “based on the service insertion rule” as recited in amended claim 1. Therefore, Akiyoshi cannot teach or suggest the elements of “based on the service insertion rule, sending, by the network device, the decapsulated packet to a first service virtualized computing instance located on the service path to cause the service path to process the decapsulated packet according to one or more services” recited in amended claim 1.
Therefore, Akiyoshi cannot teach or suggest the elements of “identifying, by the network device, a service path specified by a service insertion rule...sending, by the network device, the decapsulated packet to a first service virtualized computing instance located on the service path [emphasis added]” recited in amended claim 1.

The examiner respectfully disagrees. The applicant’s arguments are moot in view of the newly rejected claims. In an analogous art Rong shows identifying, by the network device, a service path specified by a service insertion rule...sending, by the network device, the decapsulated packet to a first service virtualized computing instance located on the service.


However, Johnson merely discloses the symbol type of Cidr and is completely silent with respect to at least the following recitations: “matching the destination address in the decapsulated packet to a first CIDR block specified by the service insertion rule, wherein the first virtual network is associated with the first CIDR block and the second virtual network is associated with a second CIDR block [emphasis added].”

The examiner respectfully disagrees. The applicant’s arguments are moot in view of the newly rejected claims. In an analogous art Cheng shows matching the destination address in the decapsulated packet to a first CIDR block specified by the service insertion rule, wherein the first virtual network is associated with the first CIDR block and the second virtual network is associated with a second CIDR block.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON A HARLEY whose telephone number is (571)270-5435. The examiner can normally be reached 7:30-300 6:30-8:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Asad M Nawaz can be reached on (571) 272-3988. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JASON A HARLEY/Examiner, Art Unit 2468

/KHALED M KASSIM/Primary Examiner, Art Unit 2468