DETAILED ACTION
Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-15, 17, 19-22 are presented for examination. Claims 16, 18 are cancelled and Claims 21-22 are new.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 09/19/2022 has been entered.
 
Response to Arguments
Applicant's arguments filed 09/19/2022 have been fully considered. 
Applicant argues (pp 9-12) that the references do not teach or suggest “the first set of data packets ... comprising a first network identifier that identifies the first sub-network” and “the second set of data packets ... comprising a second network identifier that identifies the second sub-network”.
In response to the argument, Examiner respectfully agrees. Smith teaches that within the packets, an interface is identified and the sub-networks to which each interface connects can be identified (mapping table). Smith is silent on the packet including a network identifier that identifies the sub-network. An updated search was conducted and new art was discovered that reads on that limitation: US PGPub 2021/0051118 (Wang).
Please see the Office action below in view of US Patent 9,003,292 (Smith) in view of US PGPub 2021/0051118 (Wang) further in view of US Patent 10,735,269 (Wilson) more in view of US Patent 10,999,100 (Cidon) (Claims 1-4, 8-11, 15, 17)
Further in view of US PGPub 2010/0312875 (Wilerson) (Claims 5-6, 12-13, 19-20)
Further in view of US PGPub 2021/0352019 (Sheeja-JS) (Claims 7, 14)
Further in view of US PGPub 2013/0058346 A1 (Sridharan) (Claims 21-22)

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 8-11, 15, 17 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent 9,003,292 (Smith) in view of US PGPub 2021/0051118 (Wang) further in view of US Patent 10,735,269 (Wilson) more in view of US Patent 10,999,100 (Cidon).

Regarding Claim 1:
Smith teaches One or more non-transitory computer-readable media (Col 21 ln 37-40) storing instructions, which when executed by one or more hardware processors (Col 21 ln 31-32), cause performance of operations comprising:  
generating a combined visual representation of a first set of devices (ie. network device objects) and a first sub-network of a network (Fig 16A, subnet, Col 16 ln 49-52) and a second set of devices (ie. network device objects) and a second sub-network of the network (Fig 16A, another subnet, Col 16 ln 49-52),   (Fig 18, "Render in visual display, subnet objects corresponding to identified subnets" step 1809.  Fig 19, visualizing a network flow over a network topology, which includes a topology view of a network on a visual display of a computer system. The topology view includes subnet objects, network device objects, and interface objects within the network device objects.   Fig 16A, The network flows are visualized by drawing a number of arrows 1601 extending through the network between the source and destination addresses. More specifically, an arrow is drawn from a source address to a subnet cloud. Then, an arrow is drawn from the subnet cloud to an ingress interface of a network device. Then, if necessary, additional arrows are drawn to another subnet cloud, and on to another network device, and through the other network device, Col 16 ln 41-54)
wherein at least one device (Fig 11, Device 1 1104) in the first sub-network (Fig 16A, subnet, Col 16 ln 49-52) and at least one device (Fig 11, Device 2 1104) in the second sub-network (Fig 16A, another subnet, Col 16 ln 49-52) are each associated with a same VLAN tag/MAC;  (The system 1100 also provides for visual identification of layer 2 network flows within a VLAN by MAC or VLAN tag parameters, or other relevant parameters. The system 1100 further provides for display of a virtualization of a VLAN on top of the network topology view within the GUI 1300, including identification of the VLAN port and device membership within the network, Col 18-19 ln 66-67, 1-6)
detecting a first set of data packets communicated through the first sub-network of the network, (FIG. 11, the system 1100 also includes a network flow collection management module 1115 defined to acquire network flow records from each device 1104 within the network 1102, Col 15 ln 1-4. Netflow monitoring, including sflow, Col 15 ln 26-34)
the first set of data packets (a) comprising a particular IP address (Fig 14, IP source address) as a source IP address of the first set of data packets, (b) comprising a first network identifier (ingress/egress interface identifier, Col 15 ln 9-16 and Fig 12, interface identifier) corresponding to the first sub-network (Fig 16A, subnet, Col 16 ln 49-52), and (c) originating from a first device (ie. Device 1) on the first sub-network (Fig 16A, subnet, Col 16 ln 49-52);  (Fig 12, Device information table 1107 includes an identification of each interface 1101 within each device 1104.  For each identified interface 1101, the example device information table 1107 also includes a name, a type, an address, and a subnet mask, Col 13-14 ln 64-67, 1.  The system 1100 also includes a network visualization module 1109 defined to analyze the acquired device configuration data as compiled in the device information table 1107 to identify the interfaces 1101 of each network device 1104 and the subnets to which the interfaces 1101 connect, Col 14 ln 6-11.  A network flow record may be generated for each packet of network traffic that is forwarded within a router or switch. The content of the network flow record can include the IP source address, the IP destination address, the source port, the destination port, the ToS byte value, the ingress interface identifier, the egress interface identifier, the packet size in bytes, Col 15 ln 9-16.  Fig 14, shows a table with packets received "from Device 1", source IP 1.1.1.1, 2.2.2.1).   The network flow record which is generated from each packet contains this information.  This shows that the packet has (a), (b), and (c) because the network flow record is created based on the contents of the packet.
mapping a first combination of identifiers comprising at least the (a) the particular IP address (Fig 14, IP source address) and (b) the first network identifier (ingress/egress interface identifier, Col 15 ln 9-16) to a first profile (Fig 12, device 1104 information table, Col 13-14 ln 60-67, 1) for the first device (ie. Device 1);  (The system 1100 also includes a network visualization module 1109 defined to analyze the acquired device configuration data as compiled in the device information table 1107 to identify the interfaces 1101 of each network device 1104 and the subnets to which the interfaces 1101 connect. The network visualization module 1109 operates to create a network topology by reading the configuration of each network device 1104, and by determining the physical and logical interfaces 1101 that exist, the subnets to which these interfaces 1101 interface, and the addresses of these interfaces 1101, Col 14 ln 6-17)
displaying, within the combined visual representation, a first interface element (ie. graphical representation) for the first device (ie. Device 1) based on the first profile (Fig 12, device 1104 information table, Col 13-14 ln 60-67, 1);  (The network visualization module 1109 is further defined to render in a visual display of a computer system, a network topology visualization 1113 that includes a topology view of the network 1102, including graphical representations of the devices 1104, the interfaces 1101  within the devices 1101, and various connections between the interfaces 1101 and subnets. Logical interfaces such as router loop back, null interface, local interface, VLAN interface, tunnels, are also depicted in the network topology visualization 1113, Col 14 ln 17-23)
detecting a second set of data packets communicated through the second sub-network of the network (Fig 16A, another subnet, Col 16 ln 49-52),  (FIG. 11, the system 1100 also includes a network flow collection management module 1115 defined to acquire network flow records from each device 1104 within the network 1102, Col 15 ln 1-4.  Netflow monitoring, including sflow, Col 15 ln 26-34)
the second set of data packets (a) comprising the particular IP address (Fig 14, IP source address) as a source IP address of the second set of data packets, (b) comprising a second network identifier (ingress/egress interface identifier, Col 15 ln 9-16 and Fig 12, interface identifier) corresponding to the second sub-network (Fig 16A, another subnet, Col 16 ln 49-52), and (c) originating from a second device (ie. Device 2) on the second sub-network (Fig 16A, another subnet, Col 16 ln 49-52);  (Fig 12, Device information table 1107 includes an identification of each interface 1101 within each device 1104.  For each identified interface 1101, the example device information table 1107 also includes a name, a type, an address, and a subnet mask, Col 13-14 ln 64-67, 1.  The system 1100 also includes a network visualization module 1109 defined to analyze the acquired device configuration data as compiled in the device information table 1107 to identify the interfaces 1101 of each network device 1104 and the subnets to which the interfaces 1101 connect, Col 14 ln 6-11.  A network flow record may be generated for each packet of network traffic that is forwarded within a router or switch. The content of the network flow record can include the IP source address, the IP destination address, the source port, the destination port, the ToS byte value, the ingress interface identifier, the egress interface identifier, the packet size in bytes, Col 15 ln 9-16.  Fig 14, shows a table with packets received "from Device 1", source IP 1.1.1.1, 2.2.2.1).   The network flow record which is generated from each packet contains this information.  This shows that the packet has (a), (b), and (c) because the network flow record is created based on the contents of the packet.
mapping a second combination of identifiers comprising at least the (a) the particular IP address (Fig 14, IP source address) and (b) the second network identifier (ingress/egress interface identifier, Col 15 ln 9-16) to a second profile (Fig 12, device 1104 information table, Col 13-14 ln 60-67, 1) for the second device (ie. Device 2);  (The system 1100 also includes a network visualization module 1109 defined to analyze the acquired device configuration data as compiled in the device information table 1107 to identify the interfaces 1101 of each network device 1104 and the subnets to which the interfaces 1101 connect. The network visualization module 1109 operates to create a network topology by reading the configuration of each network device 1104, and by determining the physical and logical interfaces 1101 that exist, the subnets to which these interfaces 1101 interface, and the addresses of these interfaces 1101, Col 14 ln 6-17)
displaying, within the combined visual representation concurrently with the first interface element (ie. graphical representation of Device 1), a second interface element (ie. graphical representation) for the second device (ie. Device 2) based on the second profile (Fig 12, device 1104 information table, Col 13-14 ln 60-67, 1).  (The network visualization module 1109 is further defined to render in a visual display of a computer system, a network topology visualization 1113 that includes a topology view of the network 1102, including graphical representations of the devices 1104, the interfaces 1101  within the devices 1101, and various connections between the interfaces 1101 and subnets. Logical interfaces such as router loop back, null interface, local interface, VLAN interface, tunnels, are also depicted in the network topology visualization 1113, Col 14 ln 17-23)
Smith teaches a network identifier (ingress/egress interface identifier, Col 15 ln 9-16 and Fig 12, interface identifier) corresponding to the sub-network (Fig 16A, another subnet, Col 16 ln 49-52).  However, Smith is silent on detecting a set of data packets communicated through the sub-network of a network, the set of data packets comprising a network identifier that identifies the sub-network.
Wang teaches, in the same field of endeavor, a packet processing method and device, which include parsing, by an intelligent network interface card, a received first packet to obtain an identifier of the first packet (Abstract).
Wang also teaches detecting a set of data packets communicated through the sub-network of a network, ([0009] The intelligent network interface card may record the reception and aggregation information of the plurality of first packets belonging to the same data flow. The intelligent network interface card obtains the identifier of the first packet by parsing the first packet.  Because the identifier of the first packet includes the identifier of the data flow to which the first packet belongs and the packet sequence number, the identifier of the data flow to which the first packet belongs may be 5-tuple information and a subnet identifier that are carried in the first packet, and the packet sequence number is used to identify an order of the first packet in the data flow)
the set of data packets (a) comprising the particular IP address as a source IP address of the set of data packets, (b) comprising a network identifier that identifies the sub-network.   ([0070] In this embodiment, the packet header of the first packet may include 5-tuple information, a subnet identifier, a packet sequence number, a packet type, a packet flag, other packet header information. The 5-tuple information may include a source internet protocol (IP) address, a source port number, a destination IP address, a destination port number, and a transport layer protocol number. The subnet identifier is used to identify a subnet to which a packet belongs, and is generally information such as a virtual local area network identifier (VLAN ID), a VXLAN network identifier (VNI), or an input port number.  [0074] same data flow)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, to modify Smith per the teachings of Wang to include detecting a set of data packets communicated through the sub-network of a network, the set of data packets comprising a network identifier that identifies the sub-network.  It would have been advantageous to include these details as discussed above, as it would allow the modified system to positively and efficiently identify the subnetwork of the packet of flows by parsing of packets for subnetwork identification, without requiring the mapping of the interfaces to a network or deep packet inspection.
Smith teaches on a visual representation of multiple networking devices and subnets and the connectivity between these elements (Col 18-19 ln 66-67, 1).  However, Smith (as modified by Wang) does not show the detail on a set of devices in a subnet.  Smith (as modified by Wang) is silent on generating a combined visual representation of a first set of devices in a first sub-network of a network and a second set of devices in a second sub-network of the network.
Wilson teaches, in the same field of endeavor, a method to dynamically discover and visually map computer networks comprising a plurality of devices, physically and logically (Abstract).
Wilson also teaches generating a combined visual representation of a first set of devices in a first sub-network (i.e. vlan120) of a network and a second set of devices in a second sub-network (i.e. vlan502) of the network. (Visually display the network topology, Col ln 27-47. Fig 5A shows vlan120 with two devices, 3560a and 3560b. Fig 5B shows vlan502 with devices asa4.INTERNAL-pri and asa4.INTERNAL-sec.) Though shown on two different figures, these are connecting drawings and the visual representations of the different subnet vlans are combined.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, to modify Smith (as modified by Wang) by modifying Smith per the teachings of Wilson to include generating a combined visual representation of a first set of devices in a first sub-network of a network and a second set of devices in a second sub-network of the network. It would have been advantageous to include these details as discussed above, as it would allow the combined system to organize the visual representation per the set of subnet devices, which would provide a hierarchical view of the subnets. Smith teaches on a hierarchical view of the number of network devices and drilling down to the detail of each device's interfaces. Organizing the visual topology by subnets would provide a more proper/structured viewing of the hierarchical levels of the network topology, drilling down from the subnet level first.
Smith teaches on multiple networking devices and subnets (Col 18-19 ln 66-67, 1). However, Smith (as modified by Wang & Wilson) is silent on wherein at least one device in the first sub-network and at least one device in the second sub-network are each associated with a same private internet protocol (IP) address.
Cidon teaches, in the same field of endeavor, establishing for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions (Abstract).
Cidon also teaches wherein at least one device in the first sub-network and at least one device in the second sub-network are each associated with a same private internet protocol (IP) address (ie. same internal IP address);  (It is important to perform source IP translation on data message flows exiting private networks, so that external devices can differentiate different devices within different private networks that use the same internal IP addresses, Col 32 ln 24-27).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, to modify Smith (as modified by Wang & Wilson) by modifying Smith per the teachings of Cidon to include wherein at least one device in the first sub-network and at least one device in the second sub-network are each associated with a same private internet protocol (IP) address.  It would have been advantageous to include these details as discussed above, as it would allow the combined system to utilize the same addressing scheme in each virtual LAN (vlan/subnet) when deploying new virtual overlay networks, as this would provide more efficiency/automation.

Regarding Claim 8:
Smith teaches A method comprising:
generating a combined visual representation of a first set of devices (ie. network device objects) and a first sub-network of a network (Fig 16A, subnet, Col 16 ln 49-52) and a second set of devices (ie. network device objects) and a second sub-network of the network (Fig 16A, another subnet, Col 16 ln 49-52),   (Fig 18, "Render in visual display, subnet objects corresponding to identified subnets" step 1809.  Fig 19, visualizing a network flow over a network topology, which includes a topology view of a network on a visual display of a computer system. The topology view includes subnet objects, network device objects, and interface objects within the network device objects.   Fig 16A, The network flows are visualized by drawing a number of arrows 1601 extending through the network between the source and destination addresses. More specifically, an arrow is drawn from a source address to a subnet cloud. Then, an arrow is drawn from the subnet cloud to an ingress interface of a network device. Then, if necessary, additional arrows are drawn to another subnet cloud, and on to another network device, and through the other network device, Col 16 ln 41-54)
wherein at least one device (Fig 11, Device 1 1104) in the first sub-network (Fig 16A, subnet, Col 16 ln 49-52) and at least one device (Fig 11, Device 2 1104) in the second sub-network (Fig 16A, another subnet, Col 16 ln 49-52) are each associated with a same VLAN tag/MAC;   (The system 1100 also provides for visual identification of layer 2 network flows within a VLAN by MAC or VLAN tag parameters, or other relevant parameters. The system 1100 further provides for display of a virtualization of a VLAN on top of the network topology view within the GUI 1300, including identification of the VLAN port and device membership within the network, Col 18-19 ln 66-67, 1-6)
detecting a first set of data packets communicated through the first sub-network of the network, (FIG. 11, the system 1100 also includes a network flow collection management module 1115 defined to acquire network flow records from each device 1104 within the network 1102, Col 15 ln 1-4. Netflow monitoring, including sflow, Col 15 ln 26-34)
the first set of data packets (a) comprising a particular IP address (Fig 14, IP source address) as a source IP address of the first set of data packets, (b) comprising a first network identifier (ingress/egress interface identifier, Col 15 ln 9-16 and Fig 12, interface identifier) corresponding to the first sub-network (Fig 16A, subnet, Col 16 ln 49-52), and (c) originating from a first device (ie. Device 1) on the first sub-network (Fig 16A, subnet, Col 16 ln 49-52);  (Fig 12, Device information table 1107 includes an identification of each interface 1101 within each device 1104.  For each identified interface 1101, the example device information table 1107 also includes a name, a type, an address, and a subnet mask, Col 13-14 ln 64-67, 1.  The system 1100 also includes a network visualization module 1109 defined to analyze the acquired device configuration data as compiled in the device information table 1107 to identify the interfaces 1101 of each network device 1104 and the subnets to which the interfaces 1101 connect, Col 14 ln 6-11.  A network flow record may be generated for each packet of network traffic that is forwarded within a router or switch. The content of the network flow record can include the IP source address, the IP destination address, the source port, the destination port, the ToS byte value, the ingress interface identifier, the egress interface identifier, the packet size in bytes, Col 15 ln 9-16.  Fig 14, shows a table with packets received "from Device 1", source IP 1.1.1.1, 2.2.2.1).   The network flow record which is generated from each packet contains this information.  This shows that the packet has (a), (b), and (c) because the network flow record is created based on the contents of the packet.
mapping a first combination of identifiers comprising at least the (a) the particular IP address (Fig 14, IP source address) and (b) the first network identifier (ingress/egress interface identifier, Col 15 ln 9-16) to a first profile (Fig 12, device 1104 information table, Col 13-14 ln 60-67, 1) for the first device (ie. Device 1);  (The system 1100 also includes a network visualization module 1109 defined to analyze the acquired device configuration data as compiled in the device information table 1107 to identify the interfaces 1101 of each network device 1104 and the subnets to which the interfaces 1101 connect. The network visualization module 1109 operates to create a network topology by reading the configuration of each network device 1104, and by determining the physical and logical interfaces 1101 that exist, the subnets to which these interfaces 1101 interface, and the addresses of these interfaces 1101, Col 14 ln 6-17)
displaying, within the combined visual representation, a first interface element (ie. graphical representation) for the first device (ie. Device 1) based on the first profile (Fig 12, device 1104 information table, Col 13-14 ln 60-67, 1);  (The network visualization module 1109 is further defined to render in a visual display of a computer system, a network topology visualization 1113 that includes a topology view of the network 1102, including graphical representations of the devices 1104, the interfaces 1101  within the devices 1101, and various connections between the interfaces 1101 and subnets. Logical interfaces such as router loop back, null interface, local interface, VLAN interface, tunnels, are also depicted in the network topology visualization 1113, Col 14 ln 17-23)
detecting a second set of data packets communicated through the second sub-network of the network (Fig 16A, another subnet, Col 16 ln 49-52),  (FIG. 11, the system 1100 also includes a network flow collection management module 1115 defined to acquire network flow records from each device 1104 within the network 1102, Col 15 ln 1-4.  Netflow monitoring, including sflow, Col 15 ln 26-34)
the second set of data packets (a) comprising the particular IP address (Fig 14, IP source address) as a source IP address of the second set of data packets, (b) comprising a second network identifier (ingress/egress interface identifier, Col 15 ln 9-16 and Fig 12, interface identifier) corresponding to the second sub-network (Fig 16A, another subnet, Col 16 ln 49-52), and (c) originating from a second device (ie. Device 2) on the second sub-network (Fig 16A, another subnet, Col 16 ln 49-52);  (Fig 12, Device information table 1107 includes an identification of each interface 1101 within each device 1104.  For each identified interface 1101, the example device information table 1107 also includes a name, a type, an address, and a subnet mask, Col 13-14 ln 64-67, 1.  The system 1100 also includes a network visualization module 1109 defined to analyze the acquired device configuration data as compiled in the device information table 1107 to identify the interfaces 1101 of each network device 1104 and the subnets to which the interfaces 1101 connect, Col 14 ln 6-11.  A network flow record may be generated for each packet of network traffic that is forwarded within a router or switch. The content of the network flow record can include the IP source address, the IP destination address, the source port, the destination port, the ToS byte value, the ingress interface identifier, the egress interface identifier, the packet size in bytes, Col 15 ln 9-16.  Fig 14, shows a table with packets received "from Device 1", source IP 1.1.1.1, 2.2.2.1).   The network flow record which is generated from each packet contains this information.  This shows that the packet has (a), (b), and (c) because the network flow record is created based on the contents of the packet.
mapping a second combination of identifiers comprising at least the (a) the particular IP address (Fig 14, IP source address) and (b) the second network identifier (ingress/egress interface identifier, Col 15 ln 9-16) to a second profile (Fig 12, device 1104 information table, Col 13-14 ln 60-67, 1) for the second device (ie. Device 2);  (The system 1100 also includes a network visualization module 1109 defined to analyze the acquired device configuration data as compiled in the device information table 1107 to identify the interfaces 1101 of each network device 1104 and the subnets to which the interfaces 1101 connect. The network visualization module 1109 operates to create a network topology by reading the configuration of each network device 1104, and by determining the physical and logical interfaces 1101 that exist, the subnets to which these interfaces 1101 interface, and the addresses of these interfaces 1101, Col 14 ln 6-17)
displaying, within the combined visual representation concurrently with the first interface element (ie. graphical representation of Device 1), a second interface element (ie. graphical representation) for the second device (ie. Device 2) based on the second profile (Fig 12, device 1104 information table, Col 13-14 ln 60-67, 1).  (The network visualization module 1109 is further defined to render in a visual display of a computer system, a network topology visualization 1113 that includes a topology view of the network 1102, including graphical representations of the devices 1104, the interfaces 1101  within the devices 1101, and various connections between the interfaces 1101 and subnets. Logical interfaces such as router loop back, null interface, local interface, VLAN interface, tunnels, are also depicted in the network topology visualization 1113, Col 14 ln 17-23)
Smith teaches a network identifier (ingress/egress interface identifier, Col 15 ln 9-16 and Fig 12, interface identifier) corresponding to the sub-network (Fig 16A, another subnet, Col 16 ln 49-52).  However, Smith is silent on detecting a set of data packets communicated through the sub-network of a network, the set of data packets comprising a network identifier that identifies the sub-network.
Wang teaches detecting a set of data packets communicated through the sub-network of a network, ([0009] The intelligent network interface card may record the reception and aggregation information of the plurality of first packets belonging to the same data flow. The intelligent network interface card obtains the identifier of the first packet by parsing the first packet.  Because the identifier of the first packet includes the identifier of the data flow to which the first packet belongs and the packet sequence number, the identifier of the data flow to which the first packet belongs may be 5-tuple information and a subnet identifier that are carried in the first packet, and the packet sequence number is used to identify an order of the first packet in the data flow)
the set of data packets (a) comprising the particular IP address as a source IP address of the set of data packets, (b) comprising a network identifier that identifies the sub-network.   ([0070] In this embodiment, the packet header of the first packet may include 5-tuple information, a subnet identifier, a packet sequence number, a packet type, a packet flag, other packet header information. The 5-tuple information may include a source internet protocol (IP) address, a source port number, a destination IP address, a destination port number, and a transport layer protocol number. The subnet identifier is used to identify a subnet to which a packet belongs, and is generally information such as a virtual local area network identifier (VLAN ID), a VXLAN network identifier (VNI), or an input port number.  [0074] same data flow)
The motivation to combine Smith with Wang is the same as for Claim 1.
Smith teaches on a visual representation of multiple networking devices and subnets and the connectivity between these elements (Col 18-19 ln 66-67, 1).  However, Smith (as modified by Wang) does not show detail on a set of devices in a subnet.  Smith (as modified by Wang) is silent on generating a combined visual representation of a first set of devices in a first sub-network of a network and a second set of devices in a second sub-network of the network.
Wilson teaches generating a combined visual representation of a first set of devices in a first sub-network (ie. vlan120) of a network and a second set of devices in a second sub-network (ie. vlan502) of the network.  (Visually display the network topology, Col ln 27-47.  Fig 5A, shows vlan120 with two devices, 3560a and 3560b.  Fig 5B, shows vlan502 with devices asa4.INTERNAL-pri and asa4.INTERNAL-sec).  Though shown on two different figures, these are connecting drawings and the visual representations of the different subnet vlans are combined.
The motivation to combine Smith (as modified by Wang) with Wilson is the same as for Claim 1.
Smith teaches on multiple networking devices and subnets (Col 18-19 ln 66-67, 1).   However, Smith (as modified by Wang & Wilson) is silent on wherein at least one device in the first sub-network and at least one device in the second sub-network are each associated with a same private internet protocol (IP) address.
Cidon teaches wherein at least one device in the first sub-network and at least one device in the second sub-network are each associated with a same private internet protocol (IP) address (ie. same internal IP address);  (It is important to perform source IP translation on data message flows exiting private networks, so that external devices can differentiate different devices within different private networks that use the same internal IP addresses, Col 32 ln 24-27)
The motivation to combine Smith (as modified by Wang & Wilson) with Cidon is the same as for Claim 1.

Regarding Claim 15:
Smith teaches A system comprising: at least one device (Fig 11, Device 1100) including a hardware processor (Col 21 ln 31-32);  the system being configured to perform operations comprising:
generating a combined visual representation of a first set of devices (ie. network device objects) and a first sub-network of a network (Fig 16A, subnet, Col 16 ln 49-52) and a second set of devices (ie. network device objects) and a second sub-network of the network (Fig 16A, another subnet, Col 16 ln 49-52),   (Fig 18, "Render in visual display, subnet objects corresponding to identified subnets" step 1809.  Fig 19, visualizing a network flow over a network topology, which includes a topology view of a network on a visual display of a computer system. The topology view includes subnet objects, network device objects, and interface objects within the network device objects.   Fig 16A, The network flows are visualized by drawing a number of arrows 1601 extending through the network between the source and destination addresses. More specifically, an arrow is drawn from a source address to a subnet cloud. Then, an arrow is drawn from the subnet cloud to an ingress interface of a network device. Then, if necessary, additional arrows are drawn to another subnet cloud, and on to another network device, and through the other network device, Col 16 ln 41-54)
wherein at least one device (Fig 11, Device 1 1104) in the first sub-network (Fig 16A, subnet, Col 16 ln 49-52) and at least one device (Fig 11, Device 2 1104) in the second sub-network (Fig 16A, another subnet, Col 16 ln 49-52) are each associated with a same VLAN tag/MAC;  (The system 1100 also provides for visual identification of layer 2 network flows within a VLAN by MAC or VLAN tag parameters, or other relevant parameters. The system 1100 further provides for display of a virtualization of a VLAN on top of the network topology view within the GUI 1300, including identification of the VLAN port and device membership within the network, Col 18-19 ln 66-67, 1-6)
detecting a first set of data packets communicated through the first sub-network of the network, (FIG. 11, the system 1100 also includes a network flow collection management module 1115 defined to acquire network flow records from each device 1104 within the network 1102, Col 15 ln 1-4. Netflow monitoring, including sflow, Col 15 ln 26-34)
the first set of data packets (a) comprising a particular IP address (Fig 14, IP source address) as a source IP address of the first set of data packets, (b) comprising a first network identifier (ingress/egress interface identifier, Col 15 ln 9-16 and Fig 12, interface identifier) corresponding to the first sub-network (Fig 16A, subnet, Col 16 ln 49-52), and (c) originating from a first device (ie. Device 1) on the first sub-network (Fig 16A, subnet, Col 16 ln 49-52);  (Fig 12, Device information table 1107 includes an identification of each interface 1101 within each device 1104.  For each identified interface 1101, the example device information table 1107 also includes a name, a type, an address, and a subnet mask, Col 13-14 ln 64-67, 1.  The system 1100 also includes a network visualization module 1109 defined to analyze the acquired device configuration data as compiled in the device information table 1107 to identify the interfaces 1101 of each network device 1104 and the subnets to which the interfaces 1101 connect, Col 14 ln 6-11.  A network flow record may be generated for each packet of network traffic that is forwarded within a router or switch. The content of the network flow record can include the IP source address, the IP destination address, the source port, the destination port, the ToS byte value, the ingress interface identifier, the egress interface identifier, the packet size in bytes, Col 15 ln 9-16.  Fig 14, shows a table with packets received "from Device 1", source IP 1.1.1.1, 2.2.2.1).   The network flow record which is generated from each packet contains this information.  This shows that the packet has (a), (b), and (c) because the network flow record is created based on the contents of the packet.
mapping a first combination of identifiers comprising at least the (a) the particular IP address (Fig 14, IP source address) and (b) the first network identifier (ie. ingress/egress interface identifier) to a first profile (Fig 12, device 1104 information table, Col 13-14 ln 60-67, 1) for the first device (ie. Device 1);  (The system 1100 also includes a network visualization module 1109 defined to analyze the acquired device configuration data as compiled in the device information table 1107 to identify the interfaces 1101 of each network device 1104 and the subnets to which the interfaces 1101 connect. The network visualization module 1109 operates to create a network topology by reading the configuration of each network device 1104, and by determining the physical and logical interfaces 1101 that exist, the subnets to which these interfaces 1101 interface, and the addresses of these interfaces 1101, Col 14 ln 6-17)
displaying, within the combined visual representation, a first interface element (ie. graphical representation) for the first device (ie. Device 1) based on the first profile (Fig 12, device 1104 information table, Col 13-14 ln 60-67, 1);  (The network visualization module 1109 is further defined to render in a visual display of a computer system, a network topology visualization 1113 that includes a topology view of the network 1102, including graphical representations of the devices 1104, the interfaces 1101  within the devices 1101, and various connections between the interfaces 1101 and subnets. Logical interfaces such as router loop back, null interface, local interface, VLAN interface, tunnels, are also depicted in the network topology visualization 1113, Col 14 ln 17-23)
detecting a second set of data packets communicated through the second sub-network of the network (Fig 16A, another subnet, Col 16 ln 49-52),  (FIG. 11, the system 1100 also includes a network flow collection management module 1115 defined to acquire network flow records from each device 1104 within the network 1102, Col 15 ln 1-4.  Netflow monitoring, including sflow, Col 15 ln 26-34)
the second set of data packets (a) comprising the particular IP address (Fig 14, IP source address) as a source IP address of the second set of data packets, (b) comprising a second network identifier (ingress/egress interface identifier, Col 15 ln 9-16 and Fig 12, interface identifier) corresponding to the second sub-network (Fig 16A, another subnet, Col 16 ln 49-52), and (c) originating from a second device (ie. Device 2) on the second sub-network (Fig 16A, another subnet, Col 16 ln 49-52);  (Fig 12, Device information table 1107 includes an identification of each interface 1101 within each device 1104.  For each identified interface 1101, the example device information table 1107 also includes a name, a type, an address, and a subnet mask, Col 13-14 ln 64-67, 1.  The system 1100 also includes a network visualization module 1109 defined to analyze the acquired device configuration data as compiled in the device information table 1107 to identify the interfaces 1101 of each network device 1104 and the subnets to which the interfaces 1101 connect, Col 14 ln 6-11.  A network flow record may be generated for each packet of network traffic that is forwarded within a router or switch. The content of the network flow record can include the IP source address, the IP destination address, the source port, the destination port, the ToS byte value, the ingress interface identifier, the egress interface identifier, the packet size in bytes, Col 15 ln 9-16.  Fig 14, shows a table with packets received "from Device 1", source IP 1.1.1.1, 2.2.2.1).   The network flow record which is generated from each packet contains this information.  This shows that the packet has (a), (b), and (c) because the network flow record is created based on the contents of the packet.
mapping a second combination of identifiers comprising at least the (a) the particular IP address (Fig 14, IP source address) and (b) the second network identifier (ingress/egress interface identifier, Col 15 ln 9-16) to a second profile (Fig 12, device 1104 information table, Col 13-14 ln 60-67, 1) for the second device (ie. Device 2);  (The system 1100 also includes a network visualization module 1109 defined to analyze the acquired device configuration data as compiled in the device information table 1107 to identify the interfaces 1101 of each network device 1104 and the subnets to which the interfaces 1101 connect. The network visualization module 1109 operates to create a network topology by reading the configuration of each network device 1104, and by determining the physical and logical interfaces 1101 that exist, the subnets to which these interfaces 1101 interface, and the addresses of these interfaces 1101, Col 14 ln 6-17)
displaying, within the combined visual representation concurrently with the first interface element (ie. graphical representation of Device 1), a second interface element (ie. graphical representation) for the second device (ie. Device 2) based on the second profile (Fig 12, device 1104 information table, Col 13-14 ln 60-67, 1).  (The network visualization module 1109 is further defined to render in a visual display of a computer system, a network topology visualization 1113 that includes a topology view of the network 1102, including graphical representations of the devices 1104, the interfaces 1101  within the devices 1101, and various connections between the interfaces 1101 and subnets. Logical interfaces such as router loop back, null interface, local interface, VLAN interface, tunnels, are also depicted in the network topology visualization 1113, Col 14 ln 17-23)
Smith teaches a network identifier (ingress/egress interface identifier, Col 15 ln 9-16 and Fig 12, interface identifier) corresponding to the sub-network (Fig 16A, another subnet, Col 16 ln 49-52).  However, Smith is silent on detecting a set of data packets communicated through the sub-network of a network, the set of data packets comprising a network identifier that identifies the sub-network.
Wang teaches detecting a set of data packets communicated through the sub-network of a network, ([0009] The intelligent network interface card may record the reception and aggregation information of the plurality of first packets belonging to the same data flow. The intelligent network interface card obtains the identifier of the first packet by parsing the first packet.  Because the identifier of the first packet includes the identifier of the data flow to which the first packet belongs and the packet sequence number, the identifier of the data flow to which the first packet belongs may be 5-tuple information and a subnet identifier that are carried in the first packet, and the packet sequence number is used to identify an order of the first packet in the data flow)
the set of data packets (a) comprising the particular IP address as a source IP address of the set of data packets, (b) comprising a network identifier that identifies the sub-network.   ([0070] In this embodiment, the packet header of the first packet may include 5-tuple information, a subnet identifier, a packet sequence number, a packet type, a packet flag, other packet header information. The 5-tuple information may include a source internet protocol (IP) address, a source port number, a destination IP address, a destination port number, and a transport layer protocol number. The subnet identifier is used to identify a subnet to which a packet belongs, and is generally information such as a virtual local area network identifier (VLAN ID), a VXLAN network identifier (VNI), or an input port number.  [0074] same data flow)
The motivation to combine Smith with Wang is the same as for Claim 1.
Smith teaches on a visual representation of multiple networking devices and subnets and the connectivity between these elements (Col 18-19 ln 66-67, 1).  However, Smith (as modified by Wang) does not show detail on a set of devices in a subnet.  Smith (as modified by Wang) is silent on generating a combined visual representation of a first set of devices in a first sub-network of a network and a second set of devices in a second sub-network of the network.
Wilson teaches generating a combined visual representation of a first set of devices in a first sub-network (ie. vlan120) of a network and a second set of devices in a second sub-network (ie. vlan502) of the network.  (Visually display the network topology, Col ln 27-47.  Fig 5A, shows vlan120 with two devices, 3560a and 3560b.  Fig 5B, shows vlan502 with devices asa4.INTERNAL-pri and asa4.INTERNAL-sec).  Though shown on two different figures, these are connecting drawings and the visual representations of the different subnet vlans are combined.
The motivation to combine Smith (as modified by Wang) with Wilson is the same as for Claim 1.
Smith teaches on multiple networking devices and subnets (Col 18-19 ln 66-67, 1).   However, Smith (as modified by Wang & Wilson) is silent on wherein at least one device in the first sub-network and at least one device in the second sub-network are each associated with a same private internet protocol (IP) address.
Cidon teaches wherein at least one device in the first sub-network and at least one device in the second sub-network are each associated with a same private internet protocol (IP) address (ie. same internal IP address);  (It is important to perform source IP translation on data message flows exiting private networks, so that external devices can differentiate different devices within different private networks that use the same internal IP addresses, Col 32 ln 24-27)
The motivation to combine Smith (as modified by Wang & Wilson) with Cidon is the same as for Claim 1.

Regarding Claims 2, 9:
Smith (as modified by Wang & Wilson & Cidon) teaches the inventions of Claims 1, 8 as described.
Smith teaches further comprising using the combined visual representation to assign a third network identifier (ingress/egress interface identifier, Col 15 ln 9-16) to a third profile (Fig 12, device 1104 information table, Col 13-14 ln 60-67, 1) corresponding to a third device (Fig 11, 14 Device 3),  (The network visualization module 1109 operates to create a network topology by reading the configuration of each network device 1104, and by determining the physical and logical interfaces 1101 that exist, the subnets to which these interfaces 1101 interface, and the addresses of these interfaces 1101, Col 14 ln 6-17.  FIG. 12, device information table 1107 which may be generated by the device information management module 1105.  The example device information table 1107 also includes a name, a type, an address, and a subnet mask, Col 13-14 ln 60-67, 1.  Fig 13 shows the 3 devices and Fig 16A shows the 3 network devices communication through different subnets)
wherein the third device profile (ie. device 1104 information table) comprises the particular IP address (Fig 14, IP source address) as a source IP address for a third set of data packets.  (A network flow record may be generated for each packet of network traffic that is forwarded within a router or switch.  The content of the network flow record can include the IP source address, the IP destination address, the source port, the destination port, the ToS byte value, the ingress interface identifier, the egress interface identifier, the packet size in bytes, Col 15 ln 9-16.  Fig 14, shows a table with packets received "from Device 3", source IP 1.1.1.1).  The network flow record which is generated for each packet contains this information, which shows that the packet has the particular IP address as a source IP address for a third set of data packets.

Regarding Claims 3, 10, 17:
Smith (as modified by Wang & Wilson & Cidon) teaches the inventions of Claims 1, 8, 15 as described.
Smith teaches on multiple networking devices and subnets (Col 18-19 ln 66-67, 1).   However, Smith (as modified by Wang & Cidon) is silent on wherein: the first interface element displays a first set of additional devices associated with the first sub-network in addition to the first device, the second interface element displays a second set of additional devices associated with the second sub-network in addition to the second device and wherein the first set of additional devices and the second set of additional devices do not have any devices in common.
Wilson teaches wherein: the first interface element displays a first set of additional devices associated with the first sub-network in addition to the first device;  (Fig 5A, shows vlan120 (subnet) with two devices, 3560a and 3560b)
the second interface element displays a second set of additional devices associated with the second sub-network in addition to the second device;  (Fig 5B, shows vlan502 (subnet) with devices asa4.INTERNAL-pri and asa4.INTERNAL-sec) 
and wherein the first set of additional devices and the second set of additional devices do not have any devices in common.  (Fig 5A, B:  These vlan (subnet) sets of devices do not have any devices in common.  Fig 11, shows a list view of the different devices)
The motivation to combine Smith (as modified by Wang & Cidon) with Wilson is the same as for Claim 1.

Regarding Claims 4, 11:
Smith (as modified by Wang & Wilson & Cidon) teaches the inventions of Claims 3, 10 as described.
Smith teaches on multiple networking devices and subnets (Col 18-19 ln 66-67, 1).   However, Smith (as modified by Wang & Wilson) is silent on wherein at least one additional device of the first set of additional devices associated with the first sub-network and at least one additional device of the second set of additional devices associated with the second sub-network share a same IP address.
Cidon teaches wherein at least one additional device of the first set of additional devices associated with the first sub-network and at least one additional device of the second set of additional devices associated with the second sub-network share a same IP address.  (It is important to perform source IP translation on data message flows exiting private networks, so that external devices can differentiate different devices within different private networks that use the same internal IP addresses, Col 32 ln 24-27)
The motivation to combine Smith (as modified by Wang & Wilson) with Cidon is the same as for Claim 1.

Claims 5-6, 12-13, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent 9,003,292 (Smith) in view of US PGPub 2021/0051118 (Wang) further in view of US Patent 10,735,269 (Wilson) more in view of US Patent 10,999,100 (Cidon) even more in view of US PGPub 2010/0312875 (Wilerson).

Regarding Claims 5, 12, 19:
Smith (as modified by Wang & Wilson & Cidon) teaches the inventions of Claims 1, 8, 15 as described.
Smith teaches wherein the first profile for the first device (ie. device 1104 information table) comprises a plurality of first attributes that includes one or more of a media access control address associated with the first device,  (The system 1100 also provides for visual identification of layer 2 network flows within a VLAN by MAC or VLAN tag parameters, or other relevant parameters. The system 1100 further provides for display of a virtualization of a VLAN on top of the network topology view within the GUI 1300, including identification of the VLAN port and device membership within the network, Col 18-19 ln 66-67, 1-6.  FIG. 12 shows an example device information table 1107 that may be generated by the device information management module 1105. The example device information table 1107 includes an identification of each interface 1101 within each device 1104. For each identified interface 1101, the example device information table 1107 also includes a name, a type, an address, and a subnet mask, Col 13-14 ln 60-67, 1)
a communication protocol (Fig 12, Ethernet Interface Type) associated with the first set of data packets communicated from the first device.  (FIG. 12 shows an example device information table 1107 that may be generated by the device information management module 1105. The example device information table 1107 includes an identification of each interface 1101 within each device 1104. For each identified interface 1101, the example device information table 1107 also includes a name, a type, an address, and a subnet mask, Col 13-14 ln 60-67, 1)
Smith teaches on device profiles (Col 13-14 ln 60-67, 1 above).  However, Smith (as modified by Wang & Wilson & Cidon) is silent on wherein the first profile for the first device comprises a plurality of first attributes that includes dynamic host configuration protocol values associated with a communication session within which the first set of data packets were communicated.
Wilerson teaches, in the same field of endeavor, methods are disclosed for the automated discovery of devices on a network, such as a TCP/IP network using Dynamic Host Configuration Protocol ("DHCP") and Domain Name System ("DNS") servers, Abstract.
Wilerson also teaches wherein the first profile for the first device (ie. resource records) comprises a plurality of first attributes that includes dynamic host configuration protocol values associated with a communication session within which the first set of data packets were communicated.  ([0020] The DHCP server may be configured to send update requests to the DNS server whenever a new address is assigned. When a device using DHCP receives an IP address, that data may be sent to the DNS server. DHCP may be configured to update the resource records for the DNS system. When a device's address changes, DHCP can automatically send an update to the DNS server so that device can be located at its new IP address. The device identification information may be sent to the DNS server and stored in the resource records)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, to modify Smith (as modified by Wang & Wilson & Cidon) by modifying Smith per the teachings of Wilerson to include wherein the first profile for the first device comprises a plurality of first attributes that includes dynamic host configuration protocol values associated with a communication session within which the first set of data packets were communicated.  It would have been advantageous to include these details as discussed above, as it would allow the combined system to automatically determine if the device is new to the network, see Wilerson, Abstract.

Regarding Claims 6, 13, 20:
Smith (as modified by Wang & Wilson & Cidon & Wilerson) teaches the inventions of Claims 5, 12, 19 as described.
Smith teaches further comprising using the first profile (ie. device 1104 information table) and the second profile (ie. device 1104 information table) to identify the first device as different from the second device.  (FIG. 12 shows an example device information table 1107 that may be generated by the device information management module 1105. The example device information table 1107 includes an identification of each interface 1101 within each device 1104. For each identified interface 1101, the example device information table 1107 also includes a name, a type, an address, and a subnet mask, Col 13-14 ln 60-67, 1)
Smith teaches on device profiles (Col 13-14 ln 60-67, 1 above).  However, Smith (as modified by Wang & Wilson & Wilerson) is silent on further comprising using the first profile and the second profile to identify the first device as different from the second device despite sharing the same private IP address.
Cidon teaches further comprising using the first profile and the second profile (ie. configuration data w tenant identifier) to identify the first device as different from the second device despite sharing the same private IP address.  (It is important to perform source IP translation on data message flows exiting private networks, so that external devices can differentiate different devices within different private networks that use the same internal IP addresses, Col 32 ln 24-27.  Configuration data contains tenant identifiers, Col 47 ln 3-7)
The motivation to combine Smith (as modified by Wang & Wilson & Wilerson) with Cidon is the same as for Claim 1.

Claims 7, 14 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent 9,003,292 (Smith) in view of US PGPub 2021/0051118 (Wang) further in view of US Patent 10,735,269 (Wilson) more in view of US Patent 10,999,100 (Cidon) even more in view of US PGPub 2021/0352019 (Sheeja-JS).

Regarding Claims 7, 14:
Smith (as modified by Wang & Wilson & Cidon) teaches the inventions of Claims 1, 8 as described.
Smith teaches assigning the first network identifier to the first set of data packets based on one or more parameters comprising: (c) a sub-network identifier applied to the first set of data packets;  (IPFIX, sflow, J-flow monitoring creates network flow records, Col 15 ln 22-34.  The correlation module 1119 processes the network flow records acquired from the various network devices 1104 to identify and correlate network traffic that is identical based on key fields found in the network flow records. Typical key fields used to identify and correlate network traffic are source IP address, destination IP address, source port number, destination port number, and IP header DSCP marking. When the values in the above-mentioned key fields of the network flow records match, the network flow records are identified as being part of the same network communication, Col 16 ln 1-10).  The network flow record which is generated for each packet contains this information which shows that the packets have a sub-network identifier applied.
and (d) an identifier associated with a virtual local area network used to communicate the first set of data packets.  (The system 1100 also provides for visual identification of layer 2 network flows within a VLAN by MAC or VLAN tag parameters, or other relevant parameters. The system 1100 further provides for display of a virtualization of a VLAN on top of the network topology view within the GUI 1300, including identification of the VLAN port and device membership within the network, Col 18-19 ln 66-67, 1-6)
Smith teaches on detecting network flows (Fig 11, Col 15 ln 1-4).  However, Smith (as modified by Wang & Wilson & Cidon) is silent on assigning the first network identifier to the first set of data packets based on one or more parameters comprising: (a) an identifier of a first sensor used to detect the first set of data packets and (b) a network location of the first sensor used to detect the first set of data packets;
Sheeja-JS teaches, in the same field of endeavor, A network monitoring device may receive, from a mediation device, flow-tap geolocation information that identifies a geographical location, Abstract.
Sheeja-JS also teaches assigning the first network identifier to the first set of data packets based on one or more parameters comprising: (a) an identifier of a first sensor (ie. mediation device) used to detect the first set of data packets;  (A network monitoring device may receive, from a mediation device, flow-tap geolocation information that identifies a geographical location (e.g., that is derived based on current and/or previous flow-tap investigation reports) and may obtain, from a geographical Internet protocol (GeoIP) database and based on the flow-tap geolocation information, a plurality of Internet protocol (IP) addresses that are associated with the geographical location, Abstract.)
(b) a network location of the first sensor (ie. mediation device) used to detect the first set of data packets;  ([0020] when the network device determines that the mediation device is an authorized device, the network device may store the flowtap geolocation information and/or analyze network traffic based on the flow-tap geolocation information)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, to modify Smith (as modified by Wang & Wilson & Cidon) by modifying Smith per the teachings of Sheeja-JS to include assigning the first network identifier to the first set of data packets based on one or more parameters comprising: (a) an identifier of a first sensor used to detect the first set of data packets and (b) a network location of the first sensor used to detect the first set of data packets.  It would have been advantageous to include these details as discussed above, as it would allow the combined system to map the devices based on the location of the network sensor device collecting the data and to organize the records based on the identifiers as this would allow for easier retrieval of collected data.

Claims 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent 9,003,292 (Smith) in view of US PGPub 2021/0051118 (Wang) further in view of US Patent 10,735,269 (Wilson) more in view of US Patent 10,999,100 (Cidon) even more in view of US PGPub 2013/0058346 A1 (Sridharan).

Regarding Claim 21:
Smith (as modified by Wang & Wilson & Cidon) teaches the invention of Claim 1 as described.
Smith teaches receiving, by a tagging system (system 1100, network flow collection management module 1115) in the network, the first set of data packets;  (FIG. 11, the system 1100 also includes a network flow collection management module 1115 defined to acquire network flow records from each device 1104 within the network 1102, Col 15 ln 1-4. Netflow monitoring, including sflow, Col 15 ln 26-34)
determining, by the tagging system (system 1100, network flow collection management module 1115) based on one or more attributes of the first set of data packets, that the first sub-network is a source of the first set of data packets;  (a network flow record may be generated for each packet of network traffic that is forwarded within a router or switch. The content of the network flow record can include the IP source address, the IP destination address, the source port, the destination port, the ToS byte value, the ingress interface identifier, the egress interface identifier, the packet size in bytes, Col 15 ln 9-16.  IPFIX, sflow, J-flow monitoring creates network flow records, Col 15 ln 22-34.  The correlation module 1119 processes the network flow records acquired from the various network devices 1104 to identify and correlate network traffic that is identical based on key fields found in the network flow records. Typical key fields used to identify and correlate network traffic are source IP address, destination IP address, source port number, destination port number, and IP header DSCP marking. When the values in the above-mentioned key fields of the network flow records match, the network flow records are identified as being part of the same network communication, Col 16 ln 1-10.  Fig 14, shows a table with packets received from the device "from Device 1")
Smith teaches visual identification of layer 2 network flows within a VLAN by VLAN tag parameters (Col 18-19 ln 67, 1) and labeling of each object for network visualization (Col 20, ln 4-13).  However, Smith (as modified by Wilson & Cidon) is silent on responsive to determining that the first sub-network is the source of the first set of data packets:  applying, by the tagging system, a label comprising the first sub-network identifier to at least one packet in the first set of packets.
Sridharan teaches, in the same field of endeavor, a distributed routing domain wherein each user or tenant can deploy a multi-subnet routing topology in a network-virtualized datacenter (Abstract).
Sridharan also teaches responsive to determining that the first sub-network is the source of the first set of data packets:  applying, by the tagging system (Fig 3, host datacenter 301), a label (encapsulate with header) comprising the first sub-network identifier (Virtual Subnet ID) to at least one packet in the first set of packets.  ([0041] Each tenant is considered to be the "owner" of a group of VMs deployed in host datacenter 301. Each customer network 302-304 consists of one or more customer virtual subnets that form an isolation boundary. The VMs address packets using a Customer Address even though that same Customer Address may be used by one or more other customer's subnets. As a result, virtual subnets in the same customer network do not use overlapping IP address prefixes.  [0075] In Generic Routing Encapsulation (GRE), the router encapsulates the VM's packet (using CA IP addresses) inside another packet (using PA IP addresses). The header of the new packet also contains a copy of the Virtual Subnet ID. An advantage of GRE is that because the Virtual Subnet ID is included in the packet, network equipment can apply per-tenant policies on the packets, enabling efficient traffic metering, traffic shaping, and intrusion detection)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, to modify Smith (as modified by Wang & Wilson & Cidon) by modifying Smith per the teachings of Sridharan to include responsive to determining that the first sub-network is the source of the first set of data packets:  applying, by the tagging system, a label comprising the first sub-network identifier to at least one packet in the first set of packets.  It would have been advantageous to include these details as discussed above, as it would allow the combined system to utilize the attached label to enable efficient traffic metering, traffic shaping, and intrusion detection, See Sridharan [0075].

Regarding Claim 22:
Smith (as modified by Wang & Wilson & Cidon) teaches the invention of Claim 1 as described.
Smith teaches a visual representation of multiple networking devices and subnets and the connectivity between these elements (Col 18-19 ln 66-67, 1).  However, Smith (as modified by Wang & Wilson & Cidon) is silent on wherein identical sub-network identifiers are used for all devices in each respective sub-network of the network.
Sridharan teaches wherein identical sub-network identifiers (assigned a Virtual Subnet ID (VSID)) are used for all devices in each respective sub-network of the network.  ([0041] Each tenant is considered to be the "owner" of a group of VMs deployed in host datacenter 301. Each customer network 302-304 consists of one or more customer virtual subnets that form an isolation boundary. The VMs address packets using a Customer Address even though that same Customer Address may be used by one or more other customer's subnets. As a result, virtual subnets in the same customer network do not use overlapping IP address prefixes.  [0043] Each virtual subnet implements the Layer 3 IP subnet semantics for the VMs within the same virtual subnet. As a result, VMs in a virtual subnet use the same IP prefix, although a single virtual subnet can accommodate both an IPv4 and an IPv6 prefix simultaneously.  Each virtual subnet belongs to a single customer network (RDID) and is assigned a Virtual Subnet ID (VSID))
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, to modify Smith (as modified by Wang & Wilson & Cidon) by modifying Smith per the teachings of Sridharan to include wherein identical sub-network identifiers are used for all devices in each respective sub-network of the network.  It would have been advantageous to include these details as discussed above, as it would allow the combined system to utilize the attached unique subnet ID label to enable efficient traffic metering, traffic shaping, and intrusion detection, See Sridharan [0075].

Conclusion & Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RACHEL J HACKENBERG whose telephone number is (571)272-5417. The examiner can normally be reached 7am-4pm M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton B Burgess can be reached on 5712723949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/R.J.H/ Examiner, Art Unit 2454

/GLENTON B BURGESS/ Supervisory Patent Examiner, Art Unit 2454