DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Allowable Subject Matter
Claims 9-12, and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


	Claims 1-8, 13-19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Dunbar et al.  (US PGPub 2013/0227108).

	As per claim 1, Dunbar teaches a computer system (Dunbar, see paragraph [0028], a system that manages the forwarding and/or address resolution in an overlay network) comprising: 
a virtual network of a customer, wherein the virtual network is hosted on a substrate network and comprises a compute instance (Dunbar, see paragraph [0008], maintain a plurality of mapping entries for one or more virtual network instances)
a first network virtualization device of the substrate network, wherein the first network virtualization device comprises one or more processors and one or more memories storing computer-readable instructions that, upon execution by the one or more processors, (Dunbar, see paragraph [0071], The computer system 1100 includes a processor 1102 (which may be referred to as a central processor unit or CPU) that is in communication with memory devices including secondary storage 1104, read only memory (ROM) 1106, random access memory (RAM) 1108, transmitter/receiver 1112, and input/output (I/O) device 1110. Although illustrated as a single processor, the processor 1102 is not so limited and may comprise multiple processors. The processor 1102 may be implemented as one or more CPU chips, cores (e.g., a multi-core processor), field-programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), and/or digital signal processors (DSPs), and/or may be part of one or more ASICs.) configure the first network virtualization device to: 
receive a packet generated by the compute instance (Dunbar, see paragraph [0008], receive a data packet within a first virtual network instance, wherein the data packet comprises an inner destination address)
 determine, based on a flow packet rule associated with the compute instance, a network boundary within which packets of the compute instance can flow (Dunbar, see paragraph [0042], When boundary node B 106 receives the encapsulated data packet 204 as the designated directory node, boundary node B 106 may subsequently decapsulate the outer header and map the inner destination address to an address that references the proper boundary node 106 within virtual network instance 108b.)
 determine that a flow of the packet is within the network boundary (Dunbar, see paragraph [0042], The boundary node B 106, as the designated directory node, may determine whether the inner destination address within the inner header references an end node 110 directly attached to boundary node B 106, such as end node 110k and 1101.) generate data indicating that the flow of the packet is permitted within the network boundary (Dunbar, see paragraph [0037], the designated directory node may map the target destination addresses of all end nodes 110 that participate in the specific virtual network instance to the addresses of all the boundary nodes 106 located within a specific virtual network instance) 
include the data in the packet and send, to a second network virtualization device and based on the flow, the packet that includes the data (Dunbar, see paragraph [0042], then boundary node B 106 may encapsulate and transmit an encapsulated data packet 206 to the proper boundary node 106. The encapsulated data packet 206 may comprise an outer destination address within an outer header (e.g. TRILL header) that references the proper boundary node 106. In FIG. 2A, the newly encapsulated data packet 206 may be subsequently transmitted to boundary node C 106).

	As per claim 2, Dunbar teaches the computer system of claim 1, wherein the network boundary is defined based on input of the customer and corresponds to at least one of: a layer 2 (L2) virtual local area network (VLAN) within the virtual network, a layer 3 (L3) subnet within the virtual network, the virtual network, a private network of the customer peered with the virtual network, another virtual network peered with the virtual network, or a public network (Dunbar, see paragraph [0030], [0031], The overlay network may comprise a plurality of virtual network instances 108a-c, such as IP subnets that partition network 100. Virtual network instances 108a-c may be collectively referred to as virtual network instances 108 throughout this disclosure. The virtual network instances 108 may be represented by many different types of virtual network identifiers in the underlay network, such as VLAN identifiers (VLAN-IDs), Service Instance Identifiers (ISIDs), subnet addresses, GRE key fields, multiprotocol label switching (MPLS) headers, and any other identifiers known to persons of ordinary skill in the art. In one embodiment, each virtual network instance 108 may be represented by one virtual network identifier. Other embodiments may constrain forwarding of data traffic by using more than one virtual network identifier to represent a virtual network instance).

	As per claim 3, Dunbar teaches The computer system of claim 1, wherein the compute instance executes on a host machine of the substrate network, wherein the first network virtualization device receives the packet from the host machine, executes a virtual network interface card that is associated with the compute instance and that is usable to send the packet on the virtual network, and stores the packet flow rule in association with the virtual network interface card (Dunbar, see paragraph [0030], Network 100 may comprise an underlay network that may be any physical network capable of supporting one or more virtual network instances. The underlay network may operate at Open Systems Interconnection (OSI) layer 1, layer 2, or layer 3. The underlay network may comprise boundary nodes 106, internal core nodes, such as routers and switches, and a plurality of physical links).

	As per claim 4, Dunbar teaches the computer system of claim 1, wherein the execution of the computer-readable  instructions further configures the first network virtualization device to: receive customer data indicating the packet flow rule, the customer data corresponding to a selection by the customer of the network boundary from a set of network boundaries and generate the packet flow rule based on the customer data (Dunbar, see paragraph [0042], When boundary node B 106 receives the encapsulated data packet 204 as the designated directory node, boundary node B 106 may subsequently decapsulate the outer header and map the inner destination address to an address that references the proper boundary node 106 within virtual network instance 108b. The boundary node B 106, as the designated directory node, may determine whether the inner destination address within the inner header references an end node 110 directly attached to boundary node B 106, such as end node 110k and 1101. If the inner destination address does not reference a directly attached end node 110, then boundary node B 106 may encapsulate and transmit an encapsulated data packet 206 to the proper boundary node 106).

	As per claim 5, Dunbar teaches The computer system of claim 4, wherein the customer data further indicates that the network boundary is selected specifically for the compute instance, and wherein the packet flow rule is generated specifically for the compute instance (Dunbar, see paragraph [0052], determines that the node infrequently receives data packets from the virtual network instance, then method 350 may move to block 360 to select the node as a non-designated directory node. For example, the node may receive data packets from the virtual network instance less than 10% of the time. When the node infrequently receives data packets from the virtual network instance (e.g. less than 10% of the time), method 350 may proceed to block 358). 

	As per claim 6, Dunbar teaches the computer system of claim 4, wherein the customer data further indicates that the network boundary is selected for a plurality of compute instances that are hosted on the virtual network of the customer and that comprise a second compute instance, and wherein a second packet flow rule is associated with the second compute instance and indicates the network boundary (Dunbar, see paragraph [0050], An announcement message may be advertised by the node that provides a list of virtual network instances that the node may be a designated directory node to boundary nodes)

As per claim 7, Dunbar teaches the computer system of claim 1, wherein the data is included in a field of a header of the packet, wherein the field indicates the network boundary (Dunbar, see paragraph [0027], The ingress boundary node may encapsulate the data packet with an outer header that includes the address of the egress boundary node and transmits the encapsulated data packet within an underlay network to reach the egress boundary node. When the encapsulated data packet arrives at the egress boundary node, the egress boundary node may de-capsulate the outer header of the data packet and forward the de-capsulated data packet toward the target end node based on the destination address).

As per claim 8, Dunbar teaches the computer system of claim 8, wherein the field further indicates that the packets of the compute instance are prohibited from flowing within another customer-selectable network boundary. (Dunbar, see paragraph [0042], If the inner destination address does not reference a directly attached end node 110, then boundary node B 106 may encapsulate and transmit an encapsulated data packet 206 to the proper boundary node 106. The encapsulated data packet 206 may comprise an outer destination address within an outer header (e.g. TRILL header) that references the proper boundary node 106. In FIG. 2A, The newly encapsulated data packet 206 may be subsequently transmitted to boundary node C 106. As the proper boundary node 106, boundary node C 106 may receive the newly encapsulated data packet 206, decapsulate the encapsulated data packet, and forward the decapsulated data packet to the proper end node 110).

As per claim 13, 
		[Rejection rational for claim 1is applicable].

As per claim 14, Dunbar teaches the method of claim 13, further comprising: receiving, from the second network virtualization device, a second packet that includes second data indicating that the second packet is permitted to flow within a second network boundary, wherein the second data is included in the second packet based on a second packet flow rule, and wherein the second network boundary is the same as or different from the network boundary; and enforcing the second network boundary by at least determining that the second packet is permitted to flow to the compute instance, and sending the second packet to a 9 host machine of the compute instance (Dunbar, see paragraph [0042], When boundary node B 106 receives the encapsulated data packet 204 as the designated directory node, boundary node B 106 may subsequently decapsulate the outer header and map the inner destination address to an address that references the proper boundary node 106 within virtual network instance 108b. The boundary node B 106, as the designated directory node, may determine whether the inner destination address within the inner header references an end node 110 directly attached to boundary node B 106, such as end node 110k and 1101. If the inner destination address does not reference a directly attached end node 110, then boundary node B 106 may encapsulate and transmit an encapsulated data packet 206 to the proper boundary node 106).

As per claim 15, Dunbar teaches The method of claim 13, further comprising: receiving, from the second network virtualization device, a second packet that includes second data, wherein the second data indicates that the second packet is prohibited from flowing within the network boundary; and enforcing the second network boundary by at least determining that a flow of the second packet includes a portion that is within the network boundary, and dropping, based on the second data, the second packet (Dunbar, see paragraph [0042], If the inner destination address does not reference a directly attached end node 110, then boundary node B 106 may encapsulate and transmit an encapsulated data packet 206 to the proper boundary node 106. The encapsulated data packet 206 may comprise an outer destination address within an outer header (e.g. TRILL header) that references the proper boundary node 106. In FIG. 2A, The newly encapsulated data packet 206 may be subsequently transmitted to boundary node C 106. As the proper boundary node 106, boundary node C 106 may receive the newly encapsulated data packet 206, decapsulate the encapsulated data packet, and forward the decapsulated data packet to the proper end node 110).

As per claim 16, Dunbar teaches the method of claim 13, further comprising: receiving customer data indicating the packet flow rule, the customer data corresponding to a selection by the customer of the network boundary from a set of network boundaries, wherein the set of network boundaries corresponds to at least a layer 2 (L2) virtual local area network (VLAN) within the virtual network, a layer 3 (L3) subnet within the virtual network, the virtual network, a private network of the customer peered with the virtual network, another virtual network peered with the virtual network, and a public network; and generating the packet flow rule based on the customer data (Dunbar, see paragraph [0030], [0031], The overlay network may comprise a plurality of virtual network instances 108a-c, such as IP subnets that partition network 100. Virtual network instances 108a-c may be collectively referred to as virtual network instances 108 throughout this disclosure. The virtual network instances 108 may be represented by many different types of virtual network identifiers in the underlay network, such as VLAN identifiers (VLAN-IDs), Service Instance Identifiers (ISIDs), subnet addresses, GRE key fields, multiprotocol label switching (MPLS) headers, and any other identifiers known to persons of ordinary skill in the art. In one embodiment, each virtual network instance 108 may be represented by one virtual network identifier. Other embodiments may constrain forwarding of data traffic by using more than one virtual network identifier to represent a virtual network instance).


As per claim 17, 
		[Rejection rational for claim 1 is applicable].

As per claim 18, 
		[Rejection rational for claim 1 is applicable].

As per claim 19,
		[Rejection rational for claim 1 and 6 is applicable].

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HERMON ASRES whose telephone number is (571)272-4257. The examiner can normally be reached Monday to Friday 9AM to 5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on (571)272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HERMON ASRES/            Primary Examiner, Art Unit 2449