DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Status of Claims
The following claim(s) is/are pending in this office action: 1-20
The following claim(s) is/are amended: 1, 8, 15
The following claim(s) is/are new: -
The following claim(s) is/are cancelled: -
Claim(s) 1-20 is/are rejected. This rejection is FINAL.


Response to Arguments
Applicant’s arguments filed in the amendment filed 10/14/2022 have been fully considered but are moot in view of the new grounds of rejection set forth below.


Applicant’s Invention as Claimed
Claim Rejections - 35 USC § 103
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 7-8, and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Ferguson (US Pub. 2018/0227212) in view of Smith (Smith et al., “Scalable-Group Tag eXchange Protocol (SXP)”, IETF.org, 4/3/2019) and further in view of Voit (US Pub. 2018/0139240).
With respect to Claim 1, Ferguson teaches a first network apparatus, comprising: one or more processors; (Fig. 5, para. 50; processor)
and one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions that, when executed by the one or more processors, cause the first network apparatus to perform operations comprising: (Fig. 5, paras. 50-52; processor connected to static storage memory device)
activating the first network apparatus within a network; (Fig. 2, paras. 19-20, 22; edge devices (border routers) which provide routing for messages and receive and transmit route announcements, which suggests that they are activated.)
communicating a first message to a second network apparatus requesting the second network apparatus to cost out the first network apparatus prior to the first network apparatus receiving any Internet Protocol (IP) traffic and in response to determining that the SXP is configured on the first network apparatus, wherein costing out the first network apparatus prevents the IP traffic from flowing through the first network apparatus; (SXP will be taught later. paras. 26-28; advertising a route and cost. paras. 27-29, 35; system “costs” a route and selects the lowest cost route in order to deliver messages. System may load balance among multiple routes that are identically or similarly costed. Therefore, it would have been obvious to one of ordinary skill to cost out a device before it is fully configured because a device is not yet ready for live performance.) 
communicating a second message to the second network apparatus requesting the second network apparatus to cost in the first network apparatus in response to receiving the end-of-exchange message, wherein costing in the first network apparatus allows the IP traffic to flow through the first network apparatus. (paras. 26-28; advertising a route and cost. paras. 27-29, 35; system “costs” a route and selects the lowest cost route in order to deliver messages. System may load balance among multiple routes that are identically or similarly costed. Therefore, it would have been obvious to one of ordinary skill to cost in a device that is fully configured in order to help with message delivery by being the lowest cost route or by load balancing when there are similar cost routes.)
receiving, from the second network apparatus, the IP traffic; and (paras. 26-29; routing packets to a device.)
But Ferguson does not explicitly teach SXP.
Smith, however, does teach determining that a Scalable Group Tag (SGT) Exchange Protocol (SXP) is configured on the first network apparatus; (pg. 3; SXP for SGT. Pg. 7, Section 3.1.4; SXP connection protocol when SXP is configured, which allows for determining whether SXP is configured on a network apparatus. See also Ferguson, paras. 25, 38; AS indicators and BGP community tag)
receiving IP-to-SGT bindings from an SXP speaker; (pgs. 4-6, Sections 2-3.1.1; Once SXP connections are established, the SXP Speaker sends IP-SGT Bindings to the listener. pg. 9, Section 3.2.1; Binding recoveries. Pg. 22, Section 4.5; Update message contains SXP mappings.)
receiving an end-of-exchange message from the SXP speaker; (pg. 22, Section 4.5 and pgs. 32-33, Section 4.5.2; Update message includes a length attribute and a number of updates, which informs the listener how many updates are in the message and is therefore an end-of-exchange message. Alternatively, because an update may contain fewer than all of the mappings, it would have been obvious to one of ordinary skill to send a message indicating that there would be no more updates so that the listening device knows it has all the updates. Separation of parts is obvious, see MPEP 2144.)
obtaining a source SGT and a destination SGT from the IP-to-SGT bindings; (Source and destination SGTs will be taught later. pg. 9, Section 3.2; binding database has bindings for IP addresses, which means an SGT can be derived from the source/destination IP addresses in messages. See also Voit, para. 27; SGT applied to incoming flow, which suggests obtaining an SGT from a binding table.)
It would have been obvious to one of ordinary skill, prior to the effective filing date, to combine the apparatus of Ferguson with the SXP in order to allow network devices to make policy decisions based on the role or intent of an endpoint. (Smith, pg. 3, Section 1)
But modified Ferguson does not explicitly teach SGACL.
Voit, however, does teach a source SGT and a destination SGT (paras. 27-28; SGTs are used to define the privileges of the source within an enterprise. Destination devices can also be assigned a security group tag (called a DGT).)
matching a security group access control list (SGACL) policy for the source SGT to the destination SGT; and (paras. 29-30; SGACL defines permissions for source toward a destination using the SGT and DGT, which is a policy.)
applying the SGACL policy to the IP traffic. (paras. 29-30; SGACL is enforced on IP traffic)
It would have been obvious to one of ordinary skill, prior to the effective filing date, to combine the apparatus of modified Ferguson with the SGACL to allow devices to move throughout the network and still provide access control. (Voit, para. 29)
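For clarity of the sequence at issue in Claim 1 (cost out before any IP traffic, receive IP-to-SGT bindings, cost in on end-of-exchange, then match and apply an SGACL policy keyed on source and destination SGT), the following is an added, runnable model of that sequence. It is not code from Ferguson, Smith, Voit or the Applicant; the message names (COST_OUT, COST_IN), the class names, the SGT values, the prefixes and the policy table are all constructed for this illustration, and the longest-prefix lookup and the SGT 0 "unknown" convention are assumptions of the model, not features of any cited reference.

```python
"""Model of the claimed cost-out / SXP binding exchange / cost-in sequence with
SGACL enforcement. Constructed for illustration; not from any cited reference."""
import ipaddress


class Neighbor:
    """The 'second network apparatus': honours cost-out / cost-in requests by
    refusing to send IP traffic through a node that has asked to be costed out."""

    def __init__(self):
        self.costed_out = set()

    def receive_message(self, sender, msg):
        if msg == "COST_OUT":          # hypothetical message name
            self.costed_out.add(sender)
        elif msg == "COST_IN":         # hypothetical message name
            self.costed_out.discard(sender)
        else:
            raise ValueError(f"unknown message {msg!r}")

    def send_ip_traffic(self, node, src_ip, dst_ip):
        """None if the path through `node` is costed out, else the node's verdict."""
        if node.name in self.costed_out:
            return None
        return node.handle_ip_traffic(src_ip, dst_ip)


class FirstNetworkApparatus:
    UNKNOWN_SGT = 0  # assumption: an IP with no binding is treated as SGT 0

    def __init__(self, name, neighbor, sxp_configured, sgacl, default="deny"):
        self.name = name
        self.neighbor = neighbor
        self.sxp_configured = sxp_configured
        self.sgacl = sgacl          # {(source_sgt, destination_sgt): "permit"|"deny"}
        self.default = default      # verdict when no SGACL entry matches
        self.bindings = {}          # ipaddress network -> SGT, filled by the SXP speaker
        self.exchange_complete = False
        self.sent = []              # messages sent to the neighbor, for inspection

    def activate(self):
        # Cost out before any IP traffic arrives, but only when SXP is configured:
        # until the bindings arrive every packet would resolve to UNKNOWN_SGT.
        if self.sxp_configured:
            self._send("COST_OUT")
        else:
            self.exchange_complete = True

    def sxp_update(self, bindings):
        """IP-to-SGT bindings from the SXP speaker; may arrive in several updates."""
        for prefix, sgt in bindings.items():
            self.bindings[ipaddress.ip_network(prefix)] = sgt

    def sxp_end_of_exchange(self):
        """End-of-exchange from the speaker: the binding table is complete, cost in."""
        self.exchange_complete = True
        if self.sxp_configured:
            self._send("COST_IN")

    def _send(self, msg):
        self.sent.append(msg)
        self.neighbor.receive_message(self.name, msg)

    def sgt_for(self, ip):
        addr = ipaddress.ip_address(ip)
        # longest-prefix match over the binding table (assumed lookup rule)
        matches = [(net.prefixlen, sgt) for net, sgt in self.bindings.items() if addr in net]
        return max(matches)[1] if matches else self.UNKNOWN_SGT

    def handle_ip_traffic(self, src_ip, dst_ip):
        """Obtain source/destination SGT, match the SGACL policy, apply it."""
        src_sgt, dst_sgt = self.sgt_for(src_ip), self.sgt_for(dst_ip)
        return self.sgacl.get((src_sgt, dst_sgt), self.default)


def run_scenario():
    """Walk the claimed sequence once and return the observable outcomes."""
    neighbor = Neighbor()
    # constructed policy: SGT 10 (employees) may reach SGT 20 (servers); all else denied
    sgacl = {(10, 20): "permit", (10, 10): "permit"}
    node = FirstNetworkApparatus("border-1", neighbor, sxp_configured=True, sgacl=sgacl)

    node.activate()
    before_cost_in = neighbor.send_ip_traffic(node, "10.0.1.5", "10.0.2.9")
    # What the node would have done had it not been costed out: no bindings yet,
    # so legitimate employee traffic is denied (fail closed under the default).
    without_cost_out = node.handle_ip_traffic("10.0.1.5", "10.0.2.9")

    node.sxp_update({"10.0.1.0/24": 10, "10.0.2.0/24": 20})   # constructed bindings
    node.sxp_update({"10.0.1.77/32": 30})                      # guest host, more specific
    node.sxp_end_of_exchange()

    return {
        "before_cost_in": before_cost_in,
        "without_cost_out": without_cost_out,
        "employee_to_server": neighbor.send_ip_traffic(node, "10.0.1.5", "10.0.2.9"),
        "guest_to_server": neighbor.send_ip_traffic(node, "10.0.1.77", "10.0.2.9"),
        "unknown_to_server": neighbor.send_ip_traffic(node, "192.0.2.1", "10.0.2.9"),
        "messages": node.sent,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The "without_cost_out" result is the point of the cost-out step: a node that carries traffic before its binding table is complete either fails closed on legitimate flows or, with a permissive default, lets untagged flows through, which is why the claimed sequence keeps IP traffic away from the node until the end-of-exchange message arrives.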

With respect to Claim 7, modified Ferguson teaches the first network apparatus of Claim 1, and Ferguson also teaches wherein a routing protocol initiates costing out the first network apparatus and costing in the first network apparatus. (paras. 27-29, 35; Costing done by BGP protocol.)

With respect to Claim 8, it is substantially similar to Claim 1, and is rejected in the same manner, the same art and reasoning applying.

With respect to Claim 14, it is substantially similar to Claim 7, and is rejected in the same manner, the same art and reasoning applying.

With respect to Claim 15, it is substantially similar to Claim 1, and is rejected in the same manner, the same art and reasoning applying. Further, Ferguson also teaches one or more computer-readable non-transitory storage media embodying instructions that, when executed by a processor, cause the processor to perform operations comprising: (paras. 53-54; non-volatile computer readable media such as a CD-ROM)


Claims 2-5, 9-12, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Ferguson (US Pub. 2018/0227212) in view of Smith (Smith et al., “Scalable-Group Tag eXchange Protocol (SXP)”, IETF.org, 4/3/2019), in view of Voit (US Pub. 2018/0139240) and further in view of Srinivasan (US Pub. 2018/0309685).
With respect to Claim 2, modified Ferguson teaches the first network apparatus of Claim 1, but does not explicitly teach a software defined network.
Srinivasan, however, does teach wherein: the first network apparatus is a first fabric border node of a first software-defined (SD) access site; (Fig. 1, paras. 19-22; Network elements 140 and 142 are connected to border element 150. By Applicant’s nomenclature, 140 and 142 are border nodes and 150 is an edge node. See also Fig. 2, paras. 24-26; Spine devices have connections to multiple leafs which connect to hosts in another network or subnet. Para. 23; software defined network.)
the IP traffic flows through a second fabric border node of the first SD access site prior to costing in the first fabric border node of the first SD access site; (Fig. 1, paras. 19-22; Traffic between the second network 120 and element 141 can either go through 140 or 142 to reach the border 150. If 140 is costed out, 142 will handle the traffic. See also Ferguson, paras. 27-29, 35; system “costs” a route and selects the lowest cost route in order to deliver messages. System may load balance among multiple routes that are identically or similarly costed. Consequently, traffic will flow through the other node when the first node is costed out.)
the IP traffic is received by the second fabric border node from an edge node of the first SD access site; (Fig. 1, paras. 19-22; 142 and 150 are connected.)
and the IP traffic is received by the edge node of the first SD access site from an edge node of a second SD access site using Layer 3 virtual private network (L3 VPN).  (Fig. 1, paras. 19-22; 150 and 160 are connected. Paras. 21-29; EVPN connection using Layer 3 forwarding. See also Fig. 2, paras. 24-26; data from Host 220 is sent over a VPN to leaf 140, which transfers it to one of the spines 210, 215, which transfer it to leaf 142, which transfers to host 222. This is a handling by a second border node (215) if a first is costed out (210) through edge nodes (140, 142) with connections to elements in other networks (220, 222).)
It would have been obvious to one of ordinary skill, prior to the effective filing date, to combine the apparatus of modified Ferguson with the software defined network in order to provide a standards-based control/data plane solution for building massive scale data centers. (Srinivasan, para. 23)

With respect to Claim 3, modified Ferguson teaches the first network apparatus of Claim 2, and Srinivasan also teaches wherein the SXP speaker is associated with a fabric border node within the second SD access site. (Fig. 2, para. 27; BGP route is generated to allow 220 to talk to 222. See also Smith, pgs. 4-5, Sections 1.1-2; SXP Speaker propagates bindings.)
The same motivation to combine as the parent claim applies here.

With respect to Claim 4, modified Ferguson teaches the first network apparatus of Claim 1, and Ferguson also teaches wherein: the IP traffic is received by the edge node of the first SD access site from an edge node of a second SD access site using a wide area network (WAN); and (SD will be taught later. Fig. 1, para. 16; network communicates with the internet.)
and Smith also teaches the SXP speaker is associated with an identity services engine (ISE). (pg. 3; SGT value allows for dynamic classification of policies for a device.)
The same motivation to combine as the parent claim applies here.
But modified Ferguson does not explicitly teach a software defined network.
Srinivasan, however, does teach the first network apparatus is a first fabric border node of a first SD access site; (Fig. 1, paras. 19-22; Network elements 140 and 142 are connected to border element 150. By Applicant’s nomenclature, 140 and 142 are border nodes and 150 is an edge node. See also Fig. 2, paras. 24-26; Spine devices have connections to multiple leafs which connect to hosts in another network or subnet. Para. 23; software defined network.)
the IP traffic flows through a second fabric border node of the first SD access site prior to costing in the first fabric border node of the first SD access site; (Fig. 1, paras. 19-22; Traffic between the second network 120 and element 141 can either go through 140 or 142 to reach the border 150. If 140 is costed out, 142 will handle the traffic. See also Ferguson, paras. 27-29, 35; system “costs” a route and selects the lowest cost route in order to deliver messages. System may load balance among multiple routes that are identically or similarly costed. Consequently, traffic will flow through the other node when the first node is costed out.)
the IP traffic is received by the second fabric border node from an edge node of the first SD access site; (Fig.1, paras. 19-22; 142 and 150 are connected.)
It would have been obvious to one of ordinary skill, prior to the effective filing date, to combine the apparatus of modified Ferguson with the software defined network in order to provide a standards-based control/data plane solution for building massive scale data centers. (Srinivasan, para. 23)

With respect to Claim 5, modified Ferguson teaches the first network apparatus of Claim 1, and Ferguson also teaches wherein: the IP traffic is received by the second edge node from an edge node of a second site using WAN; and (Fig. 1, para. 16; network communicates with the internet.)
and Smith also teaches the SXP speaker is associated with an ISE. (pg. 3; SGT value allows for dynamic classification of policies for a device.)
The same motivation to combine as the parent claim applies here.
But modified Ferguson does not explicitly teach a first edge node of a first site.
Srinivasan, however, does teach wherein: the first network apparatus is a first edge node of a first site; (Fig. 1, paras. 19-22; Network elements 140 and 142 are connected to border element 150. By Applicant’s nomenclature, 140 and 142 are border nodes and 150 is an edge node. See also Fig. 2, paras. 24-26; Spine devices have connections to multiple leafs which connect to hosts in another network or subnet.)
the IP traffic flows through a second edge node of the first site prior to costing in the first edge node of the first site; (Fig. 1, paras. 19-22; Traffic between the second network 120 and element 141 can either go through 140 or 142 to reach the border 150. If 140 is costed out, 142 will handle the traffic. See also Ferguson, paras. 27-29, 35; system “costs” a route and selects the lowest cost route in order to deliver messages. System may load balance among multiple routes that are identically or similarly costed. Consequently, traffic will flow through the other node when the first node is costed out.)
It would have been obvious to one of ordinary skill, prior to the effective filing date, to combine the apparatus of modified Ferguson with the first/second edge nodes in order to provide efficient multipathing. (Srinivasan, Fig. 2, para. 23)


With respect to Claims 9-10, they are substantially similar to Claims 2-3, respectively, and are rejected in the same manner, the same art and reasoning applying.

With respect to Claim 11, it is substantially similar to Claim 4, and is rejected in the same manner, the same art and reasoning applying. Further, Smith also teaches the first fabric border node of the first SD access site determines the IP-to-SGT bindings from an identity services engine (ISE).  (pg. 3; SGT value allows for dynamic classification of policies for a device. pgs. 4-6, Sections 2-3.1.1; Once SXP connections are established, the SXP Speaker sends IP-SGT Bindings to the listener. pg. 9, Section 3.2.1; Binding recoveries. Pg. 22, Section 4.5; Update message contains SXP mappings.)
The same motivation to combine as the parent claim applies here.

With respect to Claim 12, it is substantially similar to Claim 5 and is rejected in the same manner, the same art and reasoning applying.

With respect to Claims 16-17, they are substantially similar to Claims 2-3, respectively, and are rejected in the same manner, the same art and reasoning applying.

With respect to Claim 18, it is substantially similar to Claim 4, and is rejected in the same manner, the same art and reasoning applying. Further, Smith also teaches the first fabric border node of the first SD access site determines the IP-to-SGT bindings from an identity services engine (ISE).  (pg. 3; SGT value allows for dynamic classification of policies for a device. pgs. 4-6, Sections 2-3.1.1; Once SXP connections are established, the SXP Speaker sends IP-SGT Bindings to the listener. pg. 9, Section 3.2.1; Binding recoveries. Pg. 22, Section 4.5; Update message contains SXP mappings.)
The same motivation to combine as the parent claim applies here.

With respect to Claim 19, it is substantially similar to Claim 5 and is rejected in the same manner, the same art and reasoning applying.


Claims 6, 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ferguson (US Pub. 2018/0227212) in view of Smith (Smith et al., “Scalable-Group Tag eXchange Protocol (SXP)”, IETF.org, 4/3/2019), in view of Voit (US Pub. 2018/0139240), in view of Srinivasan (US Pub. 2018/0309685) and further in view of McCullough (US Pub. 2009/0199290).
With respect to Claim 6, modified Ferguson teaches the first network apparatus of Claim 1, and Ferguson also teaches wherein: the IP traffic is received by the second edge node of the branch office from an edge node of a head office using WAN; and (Head and branch offices will be taught later. Fig. 1, para. 16; network communicates with the internet. Customer network 106 may communicate with another customer network 126.)
and Smith also teaches the SXP speaker is associated with the edge node of the head office.  (pg. 3; SGT value allows for dynamic classification of policies for a device.)
The same motivation to combine as the parent claim applies here.
But modified Ferguson does not explicitly teach a first edge node of a first site.
Srinivasan, however, does teach the first network apparatus is a first edge node of a branch office; (Fig. 1, paras. 19-22; Network elements 140 and 142 are connected to border element 150. By Applicant’s nomenclature, 140 and 142 are border nodes and 150 is an edge node. See also Fig. 2, paras. 24-26; Spine devices have connections to multiple leafs which connect to hosts in another network or subnet.)
the IP traffic flows through a second edge node of the branch office prior to costing in the first edge node of the branch office; (Fig. 1, paras. 19-22; Traffic between the second network 120 and element 141 can either go through 140 or 142 to reach the border 150. If 140 is costed out, 142 will handle the traffic. See also Ferguson, paras. 27-29, 35; system “costs” a route and selects the lowest cost route in order to deliver messages. System may load balance among multiple routes that are identically or similarly costed. Consequently, traffic will flow through the other node when the first node is costed out.)
It would have been obvious to one of ordinary skill, prior to the effective filing date, to combine the apparatus of modified Ferguson with the first/second edge nodes in order to provide efficient multipathing. (Srinivasan, Fig. 2, para. 23)
But modified Ferguson does not explicitly teach head and branch offices.
McCullough, however, does teach branch office and head office; (para. 18; head office connected to branch office.)
It would have been obvious to one of ordinary skill, prior to the effective filing date, to combine the apparatus of modified Ferguson with the head and branch offices to transfer data and access resources between the two offices. (McCullough, para. 17) Further, application of a known technique for its predictable results and benefits is obvious, see MPEP 2143(I)(C) and (D).

With respect to Claims 13 and 20, they are substantially similar to Claim 6 and are rejected in the same manner, the same art and reasoning applying.

Alternate Grounds
Claims 1, 7-8, and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Ferguson (US Pub. 2018/0227212) in view of Smith (Smith et al., “Scalable-Group Tag eXchange Protocol (SXP)”, IETF.org, 4/3/2019) and further in view of Smith (“Smith2”, US Pub. 2010/0235544).
With respect to Claim 1, Ferguson and Smith teach as above, but under this ground of rejection do not teach matching a security group access control list (SGACL) policy for the source SGT to the destination SGT.
Smith2, however, does teach obtaining a source SGT and a destination SGT from the IP-to-SGT bindings; (para. 49; system determines security group identifier by looking at packet contents and assigning a tag. The source host results in a source group tag. Paras. 52-54; system determines destination security group as well. Para. 98; security group of a destination can also be represented by an SGT.)
matching a security group access control list (SGACL) policy for the source SGT to the destination SGT; and (paras. 42-45; role-based ACL requires determining source security group, destination security group, determining permission, and enforcing permission. Para. 52; before the appropriate RBACL can be applied, a determination is made as to the destination security group. Para. 74; permissions matrix includes source and destination IP addresses. para. 98; RBACL has SGT applied, and at some point in the network the security group of the destination is also known. At this point access control can be enforced.)
applying the SGACL policy to the IP traffic. (paras. 45, 98; enforcement of ACL policy.)
It would have been obvious to one of ordinary skill, prior to the effective filing date, to combine the apparatus of modified Ferguson with the access control list to control access based upon the source and destination of a message.
The same citation would apply, mutatis mutandis, to all other claims.


Remarks
Applicant amends the independent claims to strike subject matter that Examiner cited Smith2 for and adds new limitations. Applicant argues at Remarks, pg. 12 that “[W]hile Smith2 discloses providing access control using a role-based access control list (RBACL) (see Smith2 at paragraph 98), Smith2 does not disclose an any [sic] sort of relationship between a source SGT, a destination SGT, and an ACL policy.”
Examiner disagrees with this argument. Smith2, paras. 42-45 make clear that role based ACL enforcement requires the security group of both the source and the destination. Paras. 49, 52-54 make clear that these groups can be expressed through group tags. Thus, Smith2 does disclose a relationship between a source SGT, a destination SGT, and an ACL policy.
Regardless, Examiner cites Voit, which explains the situation more clearly and uses the exact terminology of the claims, to compact prosecution and avoid any issues. Examiner leaves Smith2 as an alternate ground of rejection. Examiner maintains the rejection.
Applicant’s remaining argument at Remarks, pgs. 13-14 is a complaint that Examiner piecemeal rejects Claim 6 using five references.
While Applicant does cite a lot of caselaw, Applicant fails to apply it to the instant claims. Applicant does not identify any language where Examiner improperly bifurcates or destroys the meaning of the claim or its elements. Nor does Applicant provide a reason that the references do not teach the claim as a whole. Applicant raises a hindsight argument, but fails to take issue with Examiner’s cited motivations. Instead, the argument is little more than the statement that Applicant’s claim is patentable because Examiner has cited five references to teach the claim. However, the number of references is not, by itself, indicative of nonobviousness (see MPEP 2145(V), citing In re Gorman, which upheld a rejection based upon thirteen prior art references). See also MPEP 707.07(f) and form paragraph 7.37.06.
Examiner does not maintain the rejection haphazardly. As Examiner previously stated, Smith and Smith2 appear to be the same real person. Regardless, Smith, Smith2, Srinivasan and now Voit are all Cisco disclosures, which means three of the five references rejecting Claim 6 (either previously or currently) are the prior, publicly disclosed knowledge of Applicant. McCullough was cited for the conventional, plainly obvious knowledge that enterprises may have branch offices and head offices. The labelling of physical locations which store devices in a networked system has little-to-no merit to nonobviousness (that is, after all, the entire point of the field of computer networking), and Examiner thinks that an allowance based upon the fact that there are head and branch offices in the world would not be beneficial to either the public or to Applicant. The only reasons Claim 6 is not a two-reference rejection are that Examiner chose not to take official notice for what McCullough was cited for, and that Applicant Cisco failed to publish a single text that combined all of its own knowledge. Applicant’s previously-dedicated-to-the-public knowledge does not become re-patentable merely by collation.
The standard for obviousness is what was obvious to a hypothetical person of ordinary skill with all public knowledge in the field. Examiner’s rejection to all claims is little more than just what Cisco publicly taught, plus one obvious change induced by Ferguson.
The argument to Claim 6 is unpersuasive, and Examiner maintains the rejection.
All claims remain rejected.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to NICHOLAS P CELANI whose telephone number is (571)272-1205.  The examiner can normally be reached on M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on 571-272-7304.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/NICHOLAS P CELANI/Examiner, Art Unit 2449