DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are pending in this application.
Claims 1-3, 7-8 and 13-15 are currently amended.
No new IDS was submitted by the Applicant.

Claim Objections
The amendments filed on 04/19/2022 have been considered and are persuasive. Thus, the previous claim objection(s) have been withdrawn.

Claim Rejections - 35 USC § 112
The amendments filed on 04/19/2022 have been considered and are persuasive. Thus, the previous claim rejection(s) have been withdrawn.

Claim Rejections - 35 USC § 101
The amendments filed on 04/19/2022 have been considered and are persuasive. Thus, the previous claim rejection(s) have been withdrawn.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 are rejected under 35 U.S.C. 103 as being unpatentable over Sharma et al. (US 10,284,473 B1) (hereinafter, “Sharma”) in view of O’Keeffe et al. (US 2006/0092947 A1) (hereinafter, “O’Keeffe”).

As to claim 1, Sharma discloses a method comprising: 
receiving an ingress packet (“In block 910, switch 190 receives incoming traffic and provides the incoming traffic to multifunctional engine 320.” –e.g. see, col. 18, lines 53-54); 
identifying a first matched rule from among a plurality of rules … using information contained in the received packet, wherein each of the plurality of rules belongs to an access control list (ACL) … (“In block 920, multifunctional engine 320 filters the received traffic. Filtering may include two phases, performed in any order. In one phase, multifunctional engine 320 compares the source IP address of the incoming traffic to one or more IP addresses configured as certain allowed, predefined sources. To that end, in an embodiment, multifunctional engine 320 may be configured with an access control list (ACL) defining a match (i.e. certain source IP addresses) and an action (e.g. permit or deny traffic).” –e.g. see, col. 18, lines 55-67; herein, source IP address is an information contained in the packet; Sharma also teaches memory for storing rules: “TCAM 329 may include a table mapping traffic buckets to service nodes” –e.g. see col. 17, lines 41-47; see also, col 22, lines 41-48); 
identifying a second matched rule from among a plurality of rules stored in a second memory using … the information contained in the received packet … (“In block 930, multifunctional engine 320 may, optionally, apply one or more policies or rules to at least some of the packets that passed the filtering of block 920 to determine whether those packets belong to one or more groups, e.g. device groups described herein and then perform one or more actions based on the device group(s) to which each packet is determined to belong. For example, in block 930, multifunctional engine 320 may group clients, i.e. group requests coming from predefined source IP addresses as specified by certain policies/rules, cache requests e.g. on a per-group basis, and then redirect the cached requests to one or more cache engines to determine whether the cached requests may be satisfied based on data in the one or more cache engines prior to forwarding the requests to the backend database servers 830.” –e.g. see, col. 19, lines 8-25; see also, col. 19, lines 37-42; herein, rules corresponds to a NAT mapping, see also, col. 17, lines 41-47; col 22, lines 41-48); and 
producing an egress packet by rewriting the received packet in accordance with a rewrite action associated with the second matched rule (“In block 950, according to the load balancing decisions of block 940, multifunctional engine 320 performs network address translation for the packets by rewriting the VIP address of the VIP 820 with an IP address of the backend node selected to serve the packet, i.e. IP address of one of the nodes 830-1 through 830-4 shown in FIG. 8.” –e.g. see, col. 19, lines 37-46).  
Sharma doesn’t explicitly disclose … a first matched rule from among a plurality of rules stored in a first memory … and includes an identifier that identifies the ACL to which it belongs; … a second matched rule from among a plurality of rules stored in a second memory using … a first identifier included in the first matched rule that identifies the ACL to which the first matched rule belongs;
However, in an analogous art, O’Keeffe discloses identifying a first matched rule from among a plurality of rules stored in a first memory using information contained in the received packet, wherein each of the plurality of rules belongs to an access control list (ACL) and includes an identifier that identifies the ACL to which it belongs (“The operation of the rules engine 17 is shown in FIG. 2. In an ACL table 21 (held in memory 19) are entries comprising a `basic` rule 22, an action 23 and an `extACLID 24.” -e.g. see, [0026]; herein, first rule among a plurality of rules stored in a first memory 19; See further: “When a packet comes into the unit, both tables are searched. Suppose first that the relevant fields in the packet produce a match in both the ACL table 21 and the extension rule table 25. The match will of course `return` the relevant extACLID pointer and the relevant ruleID pointer respectively.” -e.g. see, [0028]; herein, identifying a first match (i.e. an entry in ACL table 21) using information contained in the received packet (i.e. using relevant fields in the packet produce a match); herein, each entry in ACL table contains an identifier (i.e. an extACLID) that identifies the ACL to which it belongs (i.e rule 11), see also, Fig. 2, [0032]); 
identifying a second matched rule from among a plurality of rules stored in a second memory using both the information contained in the received packet and a first identifier included in the first matched rule that identifies the ACL to which the first matched rule belongs (“The operation of the rules engine 17 is shown in FIG. 2. In an ACL table 21 (held in memory 19) are entries comprising a `basic` rule 22, an action 23 and an `extACLID 24. A rule table 25 (held in memory 18) contains entries each comprising a ruleID 26, an extension rule 27 and an action 28.” -e.g. see, [0026]; herein a second rule among a plurality of rules stored in a second memory 18; See furthermore: “When a packet comes into the unit, both tables are searched. Suppose first that the relevant fields in the packet produce a match in both the ACL table 21 and the extension rule table 25. The match will of course `return` the relevant extACLID pointer and the relevant ruleID pointer respectively. These are compared, as shown by block 29 and decision 30. If the extACLID 24 of the matched ACL rule 22 equals the ruleID 26 of the matched extension rule 27, then a `chain rule` is formed and the action to be executed (block 31) will be the action 28 specified for the matched extension rule from the rule table 25.” -e.g. see, [0028]; herein, second matched rule (i.e. extension rule) is identified using the information contained the received back (i.e. relevant fields in the packet) and by comparing a first identifier (i.e. extACILD 24) included in the first match rule that identifies the ACL (i.e. ACL table 21) to which the first matched rule belongs).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma with the teaching of O’Keeffe to include “a first matched rule from among a plurality of rules stored in a first memory … and includes an identifier that identifies the ACL to which it belongs; … a second matched rule from among a plurality of rules stored in a second memory using … a first identifier included in the first matched rule that identifies the ACL to which the first matched rule belongs” in order to effectively apply relevant policies to each data packet by uniquely identify plurality of related policies and consuming less memory by the process.

As to claim 2, the combination of Sharma and O’Keeffe disclose wherein the plurality of rules in the second memory correspond to a network address translation (NAT) mapping, wherein the ACL identifies ingress packets to be translated according to the NAT mapping (Sharma: “When an incoming packet matches at least one ACL rule and there is a match between the destination IP of the incoming traffic and the VIP 820, the multifunctional engine 320 may be configured to infer that the packet is to be handled further by multifunctional engine 320 as illustrates in blocks 930-960.” –e.g. see, Sharma: col. 18, lines 65-67 to col. 19, lines 1-7; herein, an incoming packet (i.e. an ingress packet) is compared to find a match at least with one ACL rule, when a match is found then the packet is further handled and in step 950 a NAT (network address translation) mapping is performed on the packet; e.g. see also, Sharma, e.g. see, col. 19, lines 37-46: “In block 950, according to the load balancing decisions of block 940, multifunctional engine 320 performs network address translation for the packets by rewriting the VIP address of the VIP 820 with an IP address of the backend node selected to serve the packet, i.e. IP address of one of the nodes 830-1 through 830-4 shown in FIG. 8.”; Furthermore O’Keeffe discloses plurality of rules stored in the second memory: e.g. see, O’Keeffe: [0026], [0028]).
  
As to claim 3, the combination of Sharma and O’Keeffe disclose further comprising storing the first identifier associated with the first matched rule in a data store, wherein identifying the second matched rule includes using the information contained in the received packet and the first identifier stored in the data store as criteria for searching the plurality of rules stored in the second memory (O’Keeffe: “The operation of the rules engine 17 is shown in FIG. 2. In an ACL table 21 (held in memory 19) are entries comprising a `basic` rule 22, an action 23 and an `extACLID 24.” -e.g. see, O’Keeffe: [0026]; herein, first rule among a plurality of rules stored in a first memory 19; See further: “When a packet comes into the unit, both tables are searched. Suppose first that the relevant fields in the packet produce a match in both the ACL table 21 and the extension rule table 25. The match will of course `return` the relevant extACLID pointer and the relevant ruleID pointer respectively.” -e.g. see, O’Keeffe: [0028]; herein, identifying a first match (i.e. an entry in ACL table 21) using information contained in the received packet (i.e. using relevant fields in the packet produce a match); herein, each entry in ACL table contains an identifier (i.e. an extACLID) that identifies the ACL to which it belongs (i.e rule 11); second matched rule (i.e. extension rule) is identified using the information contained the received back (i.e. relevant fields in the packet) and by comparing a first identifier (i.e. extACILD 24) included in the first match rule that identifies the ACL (i.e. ACL table 21) to which the first matched rule belongs, see also, O’Keeffe: Fig. 2, [0032]).  

As to claim 4, the combination of Sharma and O’Keeffe disclose wherein subsets of the plurality of rules in the first memory correspond to respective ACLs, wherein rules in each of the subsets are associated with an identifier of the corresponding ACL, wherein each rule in the second memory includes the identifier of one of the ACLs as a match criterion (O’Keeffe: “When a packet comes into the unit, both tables are searched. Suppose first that the relevant fields in the packet produce a match in both the ACL table 21 and the extension rule table 25. The match will of course `return` the relevant extACLID pointer and the relevant ruleID pointer respectively. These are compared, as shown by block 29 and decision 30. If the extACLID 24 of the matched ACL rule 22 equals the ruleID 26 of the matched extension rule 27, then a `chain rule` is formed and the action to be executed (block 31) will be the action 28 specified for the matched extension rule from the rule table 25.” -e.g. see, O’Keeffe: [0028]; herein, second matched rule (i.e. extension rule) is identified using the information contained the received back (i.e. relevant fields in the packet) and by comparing a first identifier (i.e. extACILD 24) included in the first match rule that identifies the ACL (i.e. ACL table 21) to which the first matched rule belongs).  

As to claim 5, Sharma discloses wherein the plurality of rules in the first memory correspond to filters in an ACL, wherein each filter in the ACL is associated with a pair of complementary rules among the plurality of rules in the first memory (“Filtering may include two phases, performed in any order. In one phase, multifunctional engine 320 compares the source IP address of the incoming traffic to one or more IP addresses configured as certain allowed, predefined sources. To that end, in an embodiment, multifunctional engine 320 may be configured with an access control list (ACL) defining a match (i.e. certain source IP addresses) and an action (e.g. permit or deny traffic). In another phase, multifunctional engine 320 compares the destination IP of the incoming traffic to the VIP 820. When an incoming packet matches at least one ACL rule and there is a match between the destination IP of the incoming traffic and the VIP 820, the multifunctional engine 320 may be configured to infer that the packet is to be handled further by multifunctional engine 320 as illustrates in blocks 930-960.” –e.g. see, Sharma: col. 18, lines 55-67).  

As to claim 6, Sharma discloses wherein each complementary pair of rules among the plurality of rules in the first memory includes a forward filter rule to match packets transmitted in a forward direction between a first node and a second node (Sharma: “In block 960, after multifunctional engine 320 has rewritten the header of the packet to an IP address of an appropriate node, switch 190 forwards the incoming traffic to the node designated by the IP address.” –e.g. see, Sharma: col. 19, lines 43-46; see also, col. 19, lines 1-7; herein, if a match is found then traffic is further processed and forwarded (i.e. forwarded based on the forward filtering rule)) and a reverse filter rule to match packets that are transmitted in a reverse direction between the first and second nodes (Sharma: “Reverse traffic (response from service nodes to client devices) are delivered directly to the respective clients without any intervention from multifunctional engine 320.” –e.g. see, Sharma: Col. 18, lines 1-5).  

As to claim 7, Sharma discloses wherein rewriting the received packet includes changing an Internet Protocol (IP) address of the received packet to an IP address associated with the rewrite action that is associated with the second matched rule (multifunctional engine 320 performs network address translation for the packets by rewriting the VIP address of the VIP 820 with an IP address of the backend node selected to serve the packet, i.e. IP address of one of the nodes 830-1 through 830-4 shown in FIG. 8.” –e.g. see, col. 19, lines 37-46).  

Claims 8-10 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Sharma in view of O’Keeffe and further in view of Hooda et al. (US 2019/0327150 A1) (hereinafter, “Hooda”).

As to claim 8, Sharma discloses method comprising: 
 receiving an access control list (ACL) comprising a plurality of filters, each filter specifying an IP address (“Filtering may include two phases, performed in any order. In one phase, multifunctional engine 320 compares the source IP address of the incoming traffic to one or more IP addresses configured as certain allowed, predefined sources. To that end, in an embodiment, multifunctional engine 320 may be configured with an access control list (ACL) defining a match (i.e. certain source IP addresses) and an action (e.g. permit or deny traffic)” - e.g. see, col. 18, lines 55-67; herein, multifunctional engine is configured (i.e. received) with an access control list); 
generating a plurality of first rules from the filters comprising the ACL (“FIG. 10A is an example command-line interface for defining ACL on the switch 190 for the scenario of FIG. 8, according to some exemplary embodiments of the present disclosure. The “permit” commands shown in FIG. 10A instruct multifunctional engine 320 to permit traffic from the source nodes 810-1 and 810-2 identified by their IP addresses 10.10.10.10 and 10.10.10.20, respectively.” –e.g. see, col. 19, lines 51-57, see also, col. 18, lines 55-67), 
generating a plurality of second rules from the NAT mapping (“FIG. 10D is an example command-line interface for defining load distribution service and specifying VIP NAT policy for the scenario of FIG. 8, according to some exemplary embodiments of the present disclosure. The “ingress interface” command shown in FIG. 10D defines e3/1 interface as the ingress interface for switch 190. The “device-group” command shown in FIG. 10D specifies the previously defined device group DB-SERVERS as the group of backend nodes to which traffic will be load balanced and NAT translated. The “virtual ip” command shown in FIG. 10D enables the VIP 820 to advertise VIP to neighbor routers, so traffic destined to VIP can reach the switch. The “nat destination” command shown in FIG. 10D instructs multifunctional engine 320 to perform network address translation as described in block 950.” –e.g. see, col. 20, lines 13-27, see also, col. 19, lines 37-42), 
Page 3 of 9Appl. No. 17/004,676Response dated April 19, 2022Office Action dated January 20, 2020wherein when an ingress packet matches one of the first rules and one of the second rules, the ingress packet is translated in accordance with said one of the second rules, wherein only ingress packets containing an IP address specified by one of the filters in the ACL are translated according to the NAT mapping (“When an incoming packet matches at least one ACL rule and there is a match between the destination IP of the incoming traffic and the VIP 820, the multifunctional engine 320 may be configured to infer that the packet is to be handled further by multifunctional engine 320 as illustrates in blocks 930-960.” –e.g. see, Sharma: col. 18, lines 65-67 to col. 19, lines 1-7; herein, an incoming packet (i.e. an ingress packet) is compared to find a match at least with one ACL rule, when a match is found then the packet is further handled and in step 950 a NAT (network address translation) mapping is performed on the packet; e.g. see also, Sharma, e.g. see, col. 19, lines 37-46: “In block 950, according to the load balancing decisions of block 940, multifunctional engine 320 performs network address translation for the packets by rewriting the VIP address of the VIP 820 with an IP address of the backend node selected to serve the packet, i.e. IP address of one of the nodes 830-1 through 830-4 shown in FIG. 8.”). 
Sharma may not explicitly disclose receiving a network address translation (NAT) mapping that specifies translating first Internet Protocol (IP) addresses to corresponding second IP addresses; each of the first rules including an identifier that identifies the ACL; and each of the second rules including the identifier that identifies the ACL.
 However, in an analogous art, O’Keeffe discloses each of the first rules including an identifier that identifies the ACL (“When a packet comes into the unit, both tables are searched. Suppose first that the relevant fields in the packet produce a match in both the ACL table 21 and the extension rule table 25. The match will of course `return` the relevant extACLID pointer and the relevant ruleID pointer respectively.” -e.g. see, [0028]; herein, each of the first rules (i.e. rules from ACL table 21) includes an identifier (i.e. extACLID) that identifies the ACL, see also, Fig. 2, [0032]); and each of the second rules including the identifier that identifies the ACL (“The operation of the rules engine 17 is shown in FIG. 2. In an ACL table 21 (held in memory 19) are entries comprising a `basic` rule 22, an action 23 and an `extACLID 24. A rule table 25 (held in memory 18) contains entries each comprising a ruleID 26, an extension rule 27 and an action 28.” -e.g. see, [0026]; herein a second rule among a plurality of rules stored in a second memory 18; See furthermore: “When a packet comes into the unit, both tables are searched. Suppose first that the relevant fields in the packet produce a match in both the ACL table 21 and the extension rule table 25. The match will of course `return` the relevant extACLID pointer and the relevant ruleID pointer respectively. These are compared, as shown by block 29 and decision 30. If the extACLID 24 of the matched ACL rule 22 equals the ruleID 26 of the matched extension rule 27, then a `chain rule` is formed and the action to be executed (block 31) will be the action 28 specified for the matched extension rule from the rule table 25.” -e.g. see, [0028]; herein, second matched rule (i.e. extension rule) is identified using the information contained the received back (i.e. relevant fields in the packet) and by comparing a first identifier (i.e. extACILD 24) included in the first match rule that identifies the ACL (i.e. ACL table 21) to which the first matched rule belongs; Thus, second rules including the identifier that identifies the ACL).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma with the teaching of O’Keeffe to include “each filter specifying an IP address; each of the first rules including an identifier that identifies the ACL; and each of the second rules including the identifier that identifies the ACL” in order to effectively apply relevant policies to each data packet by uniquely identify plurality of related policies and consuming less memory by the process.
Neither Sharma nor O’Keeffe explicitly disclose receiving a network address translation (NAT) mapping that specifies translating first Internet Protocol (IP) addresses to corresponding second IP addresses;
However, in in an analogous art, Hooda discloses receiving a network address translation (NAT) mapping that specifies translating first Internet Protocol (IP) addresses to corresponding second IP addresses (“The NAT network element 124 sends the NAT mapping (e.g., IP1 maps to IP2) in a message 340 to the policy server 140. The NAT network element 124 may send the message 340 any time after the first message 320 is translated through the NAT network element 124. In one example, the NAT network element 124 may send the message 340 with the NAT mapping in response to a request from the policy server 140.” –e.g. see, [0024]; herein, policy server receives NAT mapping from a network element);
Hooda further discloses generating a plurality of rules from the filters comprising the ACL (“The policy server 140 sends the identity-based policy (such as Virtual Local Area Network (VLAN) information, Security Group (SG) Access Control List (ACL), SG Name Table, etc.) to the network controller 126 in message 350. The network controller 126 implements the policy in the network 120, including network element 122, by sending message 355 with the identity-based policy information.” –e.g. see, [0027]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma and O’Keeffe with the teaching of Hooda to include receiving a network address translation (NAT) mapping that specifies translating packets containing a first IP address to replace the first IP address with a second IP address in order to control access to a network based on the type of user and/or device connecting to the network as suggested by Hooda (para. [0003]).

As to claim 9, the combination of Sharma, O’Keeffe and Hooda disclose wherein generating the plurality of second rules from the NAT mapping further includes including the identifier of the ACL as a match criterion in the plurality of second rules (Sharma: e.g. see, col. 20, lines 13-27, see also, col. 19, lines 37-42; herein, The “NAT destination” command shown in FIG. 10D instructs multifunctional engine 320 to perform network address translation as described in block 950; Further to clarify, O’Keeffe discloses: “When a packet comes into the unit, both tables are searched. Suppose first that the relevant fields in the packet produce a match in both the ACL table 21 and the extension rule table 25. The match will of course `return` the relevant extACLID pointer and the relevant ruleID pointer respectively. These are compared, as shown by block 29 and decision 30. If the extACLID 24 of the matched ACL rule 22 equals the ruleID 26 of the matched extension rule 27, then a `chain rule` is formed and the action to be executed (block 31) will be the action 28 specified for the matched extension rule from the rule table 25.” -e.g. see, [0028]; herein, second matched rule (i.e. extension rule) is identified using the information contained the received back (i.e. relevant fields in the packet) and by comparing a first identifier (i.e. extACILD 24) included in the first match rule that identifies the ACL (i.e. ACL table 21)).  

As to claim 10, the combination of Sharma, O’Keeffe and Hooda disclose further comprising storing the plurality of first rules in a first memory and storing the plurality of second rules in a second memory different from the first memory (O’Keeffe: “The operation of the rules engine 17 is shown in FIG. 2. In an ACL table 21 (held in memory 19) are entries comprising a `basic` rule 22, an action 23 and an `extACLID 24. A rule table 25 (held in memory 18) contains entries each comprising a ruleID 26, an extension rule 27 and an action 28.” -e.g. see, O’Keeffe: [0026]).  

As to claim 13, the combination of Sharma, O’Keeffe and Hooda disclose further comprising, when the ingress packet matches a rule among the plurality of first rules, then storing the identifier associated with the matched rule in a data store, wherein information contained in the ingress packet and the data store are used as search criteria to search for a matching rule among the plurality of second rules (Sharma: “… in block 930, multifunctional engine 320 may group clients, i.e. group requests coming from predefined source IP addresses as specified by certain policies/rules, cache requests e.g. on a per-group basis, and then redirect the cached requests to one or more cache engines to determine whether the cached requests may be satisfied based on data in the one or more cache engines prior to forwarding the requests to the backend database servers 830.” –e.g. see, Sharma: col. 19, lines 8-25; herein, the second match is identified based on source IP from the packets as criteria; see also, see also, Sharma: col. 18, lines 65-67 to col. 19, lines 1-7; col 22, lines 41-48; Moreover, O’Keeffe discloses: “The operation of the rules engine 17 is shown in FIG. 2. In an ACL table 21 (held in memory 19) are entries comprising a `basic` rule 22, an action 23 and an `extACLID 24. A rule table 25 (held in memory 18) contains entries each comprising a ruleID 26, an extension rule 27 and an action 28.” -e.g. see, O’Keeffe: [0026], [0028]).  

Claims 14, 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Sharma in view of O’Keeffe and further in view of Merchant et al. (US 6,775,290 A1) (hereinafter, “Merchant”).

As to claim 14, Sharma discloses a network device comprising: 
pipeline processing logic configured to: receive a packet … (“In block 910, switch 190 receives incoming traffic and provides the incoming traffic to multifunctional engine 320.” –e.g. see, col. 18, lines 53-54); 
provide the received packet to the first rules data store to identify a first matched rule in the first rules data store using information contained in one or more data fields of the received packet (“In block 920, multifunctional engine 320 filters the received traffic. Filtering may include two phases, performed in any order. In one phase, multifunctional engine 320 compares the source IP address of the incoming traffic to one or more IP addresses configured as certain allowed, predefined sources. To that end, in an embodiment, multifunctional engine 320 may be configured with an access control list (ACL) defining a match (i.e. certain source IP addresses) and an action (e.g. permit or deny traffic).” –e.g. see, col. 18, lines 55-67; herein, source IP address is an information contained in the packet; Sharma also teaches memory for storing rules: “TCAM 329 may include a table mapping traffic buckets to service nodes” –e.g. see col. 17, lines 41-47; see also, col 22, lines 41-48); 
provide the received packet to the second rules data store to identify a second matched rule in the second rules data store using … the information contained in the one or more data fields of the received packet (“In block 930, multifunctional engine 320 may, optionally, apply one or more policies or rules to at least some of the packets that passed the filtering of block 920 to determine whether those packets belong to one or more groups, e.g. device groups described herein and then perform one or more actions based on the device group(s) to which each packet is determined to belong. For example, in block 930, multifunctional engine 320 may group clients, i.e. group requests coming from predefined source IP addresses as specified by certain policies/rules, cache requests e.g. on a per-group basis, and then redirect the cached requests to one or more cache engines to determine whether the cached requests may be satisfied based on data in the one or more cache engines prior to forwarding the requests to the backend database servers 830.” –e.g. see, col. 19, lines 8-25; see also, col. 19, lines 37-42); 
translate an address in the received packet according to a translation action in the second matched rule (“In block 950, according to the load balancing decisions of block 940, multifunctional engine 320 performs network address translation for the packets by rewriting the VIP address of the VIP 820 with an IP address of the backend node selected to serve the packet, i.e. IP address of one of the nodes 830-1 through 830-4 shown in FIG. 8.” –e.g. see, col. 19, lines 37-46); and 
transmit the translated received packet … (“In block 960, after multifunctional engine 320 has rewritten the header of the packet to an IP address of an appropriate node, switch 190 forwards the incoming traffic to the node designated by the IP address.” –e.g. see, Col. 19, lines 43-46).  
Although receiving and transmitting packets couldn’t be accomplished without ports, Sharma may not explicitly disclose a first physical port; a second physical port; a first rules data store comprising a first memory to store a plurality of first rules, wherein each first rule includes an identifier that identifies an access control list (ACL) to which said each first rule belongs; Page 4 of 9Appl. No. 17/004,676a second rules data store comprising a second memory separate from the first memory to store a plurality of second rules; receive a packet on the first physical port and transmit …received packet on the second physical port. identify a second matched rule in the second rules data store using an identifier contained in the first matched rule that identifies an ACL to which the first matched rule belongs. 
However, in an analogous art, O’Keeffe discloses a first rules data store comprising a first memory to store a plurality of first rules, wherein each first rule includes an identifier that identifies an access control list (ACL) to which said each first rule belongs (“The operation of the rules engine 17 is shown in FIG. 2. In an ACL table 21 (held in memory 19) are entries comprising a `basic` rule 22, an action 23 and an `extACLID 24.” -e.g. see, [0026]; herein, first rule among a plurality of rules stored in a first memory 19; See further: “When a packet comes into the unit, both tables are searched. Suppose first that the relevant fields in the packet produce a match in both the ACL table 21 and the extension rule table 25. The match will of course `return` the relevant extACLID pointer and the relevant ruleID pointer respectively.” -e.g. see, [0028]; herein, identifying a first match (i.e. an entry in ACL table 21) using information contained in the received packet (i.e. using relevant fields in the packet produce a match); herein, each entry in ACL table contains an identifier (i.e. an extACLID) that identifies the ACL to which it belongs (i.e rule 11), see also, Fig. 2, [0032]); 
Page 4 of 9Appl. No. 17/004,676a second rules data store comprising a second memory separate from the first memory to store a plurality of second rules (“The operation of the rules engine 17 is shown in FIG. 2. In an ACL table 21 (held in memory 19) are entries comprising a `basic` rule 22, an action 23 and an `extACLID 24. A rule table 25 (held in memory 18) contains entries each comprising a ruleID 26, an extension rule 27 and an action 28.” -e.g. see, [0026]; herein a second rule among a plurality of rules stored in a second memory 18 which is separate from the first memory); 
provide the received packet to the second rules data store to identify a second matched rule in the second rules data store using an identifier contained in the first matched rule that identifies an ACL to which the first matched rule belongs and the information contained in the one or more data fields of the received packet (“The operation of the rules engine 17 is shown in FIG. 2. In an ACL table 21 (held in memory 19) are entries comprising a `basic` rule 22, an action 23 and an `extACLID 24. A rule table 25 (held in memory 18) contains entries each comprising a ruleID 26, an extension rule 27 and an action 28.” -e.g. see, [0026]; herein a second rule among a plurality of rules stored in a second memory 18; See furthermore: “When a packet comes into the unit, both tables are searched. Suppose first that the relevant fields in the packet produce a match in both the ACL table 21 and the extension rule table 25. The match will of course `return` the relevant extACLID pointer and the relevant ruleID pointer respectively. These are compared, as shown by block 29 and decision 30. If the extACLID 24 of the matched ACL rule 22 equals the ruleID 26 of the matched extension rule 27, then a `chain rule` is formed and the action to be executed (block 31) will be the action 28 specified for the matched extension rule from the rule table 25.” -e.g. see, [0028]; herein, second matched rule (i.e. extension rule) is identified using the information contained the received back (i.e. relevant fields in the packet) and by comparing a first identifier (i.e. extACILD 24) included in the first match rule that identifies the ACL (i.e. ACL table 21) to which the first matched rule belongs);
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma with the teaching of O’Keeffe to include “a first rules data store comprising a first memory to store a plurality of first rules, wherein each first rule includes an identifier that identifies an access control list (ACL) to which said each first rule belongs; Page 4 of 9Appl. No. 17/004,676a second rules data store comprising a second memory separate from the first memory to store a plurality of second rules; identify a second matched rule in the second rules data store using an identifier contained in the first matched rule that identifies an ACL to which the first matched rule belongs” in order to effectively apply relevant policies to each data packet by uniquely identify plurality of related policies and consuming less memory by the process.
Neither Sharma nor O’Keeffe explicitly disclose a first physical port; a second physical port; receive a packet on the first physical port and transmit …received packet on the second physical port; 
However, in an analogous art, Merchant discloses a first physical port; a second physical port; receive a packet on the first physical port and transmit …received packet on the second physical port (“… a network switching system comprises a first port for receiving data packets from members of a first plurality of VLANs, a second port for transmitting the data packets, and a decision making engine responsive to the data packets received by the first port for controlling forwarding of the received data packets to the second port. The decision making engine includes a first logic circuit responsive to the received data packets to prevent the switching system from forwarding to the second port a received data packet that does not belong to the first plurality of VLANs.” –col. 2, lines 6-16).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma and O’Keeffe with the teaching of Merchant to “a first physical port; a second physical port; receive a packet on the first physical port and transmit …received packet on the second physical port” in order to support data communication between multiple network nodes connected to various ports of the switch.

As to claim 17, the combination of Sharma, O’Keeffe and Merchant disclose wherein rules in the first rules data store correspond to an ACL and the rules in the second rules data store correspond to a network address translation (NAT) mapping, wherein only ingress packets that are identified by the ACL are translated according to the NAT mapping, wherein the received packet is an ingress packet that is identified by the ACL and translated according to the NAT mapping (“When an incoming packet matches at least one ACL rule and there is a match between the destination IP of the incoming traffic and the VIP 820, the multifunctional engine 320 may be configured to infer that the packet is to be handled further by multifunctional engine 320 as illustrates in blocks 930-960.” –e.g. see, Sharma: col. 18, lines 65-67 to col. 19, lines 1-7; herein, an incoming packet (i.e. an ingress packet) is compared to find a match at least with one ACL rule, when a match is found then the packet is further handled and in step 950 a NAT (network address translation) mapping is performed on the packet; e.g. see also, Sharma, e.g. see, col. 19, lines 37-46: “In block 950, according to the load balancing decisions of block 940, multifunctional engine 320 performs network address translation for the packets by rewriting the VIP address of the VIP 820 with an IP address of the backend node selected to serve the packet, i.e. IP address of one of the nodes 830-1 through 830-4 shown in FIG. 8.”; see also, O’Keeffe: [0026], [0028]).  

As to claim 18, the combination of Sharma, O’Keeffe and Merchant disclose wherein rules in the first rules data store correspond to filters in an ACL, wherein each rule includes an identifier of its corresponding ACL, wherein rules in the second rules data store correspond to a NAT mapping, wherein each rule in the second rules data store includes the ACL identifier as a match criterion (Sharma: “Filtering may include two phases, performed in any order. In one phase, multifunctional engine 320 compares the source IP address of the incoming traffic to one or more IP addresses configured as certain allowed, predefined sources. To that end, in an embodiment, multifunctional engine 320 may be configured with an access control list (ACL) defining a match (i.e. certain source IP addresses) and an action (e.g. permit or deny traffic). In another phase, multifunctional engine 320 compares the destination IP of the incoming traffic to the VIP 820. When an incoming packet matches at least one ACL rule and there is a match between the destination IP of the incoming traffic and the VIP 820, the multifunctional engine 320 may be configured to infer that the packet is to be handled further by multifunctional engine 320 as illustrates in blocks 930-960.” –e.g. see, Sharma: col. 18, lines 55-67; see also, Sharma: e.g. see, col. 19, lines 37-46; O’Keeffe further discloses: O’Keeffe discloses: “When a packet comes into the unit, both tables are searched. Suppose first that the relevant fields in the packet produce a match in both the ACL table 21 and the extension rule table 25. The match will of course `return` the relevant extACLID pointer and the relevant ruleID pointer respectively. These are compared, as shown by block 29 and decision 30. If the extACLID 24 of the matched ACL rule 22 equals the ruleID 26 of the matched extension rule 27, then a `chain rule` is formed and the action to be executed (block 31) will be the action 28 specified for the matched extension rule from the rule table 25.” -e.g. see, [0028]; herein, second matched rule (i.e. extension rule) is identified using the information contained the received back (i.e. relevant fields in the packet) and by comparing a first identifier (i.e. extACILD 24) included in the first match rule that identifies the ACL (i.e. ACL table 21)).  
	
Claims 11 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Sharma in view of O’Keeffe in view of Hooda and further in view of Remen et al. (US 2021/0067448 A1) (hereinafter, “Remen”).

As to claim 11, neither Sharma nor O’Keeffe nor Hooda explicitly disclose wherein the first memory is a first ternary content-addressable memory (TCAM) and the second memory is second TCAM separate from the first TCAM.
However, in an analogous art, Remen disclose wherein the first memory is a first ternary content-addressable memory (TCAM) and the second memory is second TCAM separate from the first TCAM (Remen: “The classifier includes (i) multiple Ternary Content Addressable Memories (TCAMs), each TCAM configured to match the packet to a respective subset of the set of rules and to output a match result, and (ii) circuitry configured to specify the action to be applied to the packet based on match results produced for the packet by the multiple TCAMs, and based on a priority defined among the multiple TCAMs.” –e.g. see, Remen: [0004], see also, Remen: [0023], claim 1 of Remen).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma, O’Keeffe and Hooda with the teaching of Remen to include “wherein the first memory is a first ternary content-addressable memory (TCAM) and the second memory is second TCAM separate from the first TCAM” in order to search packet headers for rules using multiple TCAM in an efficient manner which allow simultaneous comparison of desired information against pre-stored entries.

As to claim 12, the combination of Sharma, O’Keeffe, Hooda and Remen disclose wherein the first memory is a TCAM and the second memory is an associative memory separate from the TCAM (Remen: “The classifier includes (i) multiple Ternary Content Addressable Memories (TCAMs), each TCAM configured to match the packet to a respective subset of the set of rules and to output a match result, and (ii) circuitry configured to specify the action to be applied to the packet based on match results produced for the packet by the multiple TCAMs, and based on a priority defined among the multiple TCAMs.” –e.g. see, Remen: [0004], see also, Remen: [0023], claim 1 of Remen).  

Claims 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Sharma in view of O’Keeffe in view of Merchant and further in view of Rangachari et al. (US 2020/0053026 A1) (Rangachari).

As to claim 15, neither Sharma or O’Keeffe nor Merchant explicitly disclose wherein the network device further comprises a metadata data store, wherein the pipeline processing logic is further configured to store the metadata contained in the first matched rule to the metadata data store, wherein the second matched rule is identified using information contained in the metadata data store and the information contained in the one or more data fields of the received packet.  
However, in an analogous art, Rangachari discloses wherein the network device further comprises a metadata data store, wherein the pipeline processing logic is further configured to store the metadata contained in the first matched rule to the metadata data store, wherein the second matched rule is identified using information contained in the metadata data store and the information contained in the one or more data fields of the received packet (“The processing along data paths can process from gates of batch manager 665 based on the classifier assigned port_ID, policy_ID, or port_ID and policy_ID that can be read from the metadata area of each data packet. In the non-limiting example of FIG. 6, data packets are sent on datapath A or datapath B based these internal identifiers. Datapath A includes a path from batch manager 665 to switch 654 and datapath B includes a path from batch manager 665 to switch 656. Switch 665 and switch 654 are software modules that are devices for the flow of data packets and are assigned device_IDs. Each software module along the paths chosen in FIG. 6 are devices for the flow of data packets and are assigned device_IDs. These devices include a FW VNF 651, an ACL VNF 653-1, a video codec VNF 661, a network address translation (NAT) VNF 658, an ACL VNF 653-2, a deep packet inspection (DPI) VNF 662, and a VPN VNF 659. NAT is a mechanism to remap one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. DPI is a type of data processing that can examine details of the contents of the data being sent and may re-route the data accordingly. It in combination with filtering can enable advanced network management, user services, and security functions as well as internet data mining, eavesdropping, and internet censorship.” –e.g. see, Rangachari: [0086], see also, [0065]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma, O’Keeffe and Merchant with the teaching of Rangachari to include wherein rules in each set of rules are associated with metadata that identifies the corresponding ACL, wherein identifying the second matched rule is based on the ACL metadata associated with the first matched rule in order to support moving individual network functions out of dedicated hardware devices into software that can run on commodity hardware as suggested by Rangachari (Spec. para [0004]).

As to claim 16, the combination of Sharma, O’Keeffe, Merchant and Rangachari disclose wherein the first rules data store comprises one or more sets of rules, each set of rules corresponding to a respective access control list (ACL) (“… in an embodiment, multifunctional engine 320 may be configured with an access control list (ACL) defining a match (i.e. certain source IP addresses) and an action (e.g. permit or deny traffic).” –e.g. see, Sharma: col. 18, lines 55-67), wherein rules in each set of rules are associated with metadata that identifies the corresponding ACL, wherein identifying the second matched rule is based on the ACL metadata associated with the first matched rule (e.g. see, Sharma: col. 18, lines 65-67 to col. 19, lines 1-7; herein, an incoming packet (i.e. an ingress packet) is compared to find a match at least with one ACL rule, when a match is found then the packet is further handled and in step 950 a NAT (network address translation) mapping is performed on the packet; e.g. see also, Sharma, e.g. see, col. 19, lines 37-46; Furthermore, Rangachari: “The processing along data paths can process from gates of batch manager 665 based on the classifier assigned port_ID, policy_ID, or port_ID and policy_ID that can be read from the metadata area of each data packet. In the non-limiting example of FIG. 6, data packets are sent on datapath A or datapath B based these internal identifiers. Datapath A includes a path from batch manager 665 to switch 654 and datapath B includes a path from batch manager 665 to switch 656. Switch 665 and switch 654 are software modules that are devices for the flow of data packets and are assigned device_IDs. Each software module along the paths chosen in FIG. 6 are devices for the flow of data packets and are assigned device_IDs. These devices include a FW VNF 651, an ACL VNF 653-1, a video codec VNF 661, a network address translation (NAT) VNF 658, an ACL VNF 653-2, a deep packet inspection (DPI) VNF 662, and a VPN VNF 659. NAT is a mechanism to remap one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. DPI is a type of data processing that can examine details of the contents of the data being sent and may re-route the data accordingly. It in combination with filtering can enable advanced network management, user services, and security functions as well as internet data mining, eavesdropping, and internet censorship.” –e.g. see, Rangachari: [0086], see also, [0065]).  

Claims 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sharma in view of O’Keeffe in view of Merchant and further in view of Remen.

As to claim 19, neither Sharma or O’Keeffe nor Merchant explicitly disclose wherein the first rules data store is a ternary content addressable memory (TCAM).  
However, in an analogous art, Remen disclose wherein the first rules data store is a ternary content addressable memory (TCAM) (Remen: “The classifier includes (i) multiple Ternary Content Addressable Memories (TCAMs), each TCAM configured to match the packet to a respective subset of the set of rules and to output a match result, and (ii) circuitry configured to specify the action to be applied to the packet based on match results produced for the packet by the multiple TCAMs, and based on a priority defined among the multiple TCAMs.” –e.g. see, Remen: [0004], see also, Remen: [0023], claim 1 of Remen).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sharma, O’Keeffe and Merchant with the teaching of Remen to include “wherein the first rules data store is a ternary content addressable memory (TCAM)” in order to search packet headers for rules using multiple TCAM in an efficient manner which allow simultaneous comparison of desired information against pre-stored entries.
As to claim 20, the combination of Sharma, O’Keeffe, Merchant and Remen disclose wherein the second rules data store is a TCAM or an associative memory (Remen: “The classifier includes (i) multiple Ternary Content Addressable Memories (TCAMs), each TCAM configured to match the packet to a respective subset of the set of rules and to output a match result, and (ii) circuitry configured to specify the action to be applied to the packet based on match results produced for the packet by the multiple TCAMs, and based on a priority defined among the multiple TCAMs.” –e.g. see, Remen: [0004], see also, Remen: [0023], claim 1 of Remen).

Response to Arguments
Applicant’s arguments with respect to claims 1, 8 and 14 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256. The examiner can normally be reached Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

SUMAN DEBNATH
Patent Examiner
Art Unit 2495



/S.D/Examiner, Art Unit 2495                                                                                                                                                                                                        

/HENRY TSANG/Primary Examiner, Art Unit 2495