Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION

Claims 1-16 are pending in Instant Application.
Priority
Examiner acknowledges Applicant’s claim to priority benefits of U.S. Provisional Application Serial No. 62/694,349 filed July 5, 2018.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 9/30/2022 is/are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered if signed and initialed by the Examiner.

Claim Objections
Claims 1-6 are objected to because of the following informalities:  
Claim 1 recites “A unified fabric, comprising: " in line 1. It is recommended to change to “A unified fabric system, …: ", since the body of the claims recites various apparatus, “a first switching fabric at a first site”, “a second switching fabric at a second site”, and “a multi-site controller”.
Claims 5-6 are also objected to since they are dependent on the objected base independent claim 1 as set forth above.  
Appropriate correction is required.


Notice re prior art available under both pre-AIA  and AIA 

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  


Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



Claims 1-2, 5-8, 12-14 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over  Varadhan et al. (US Pub. No.: 2010/0043068), in view of Dunbar (US Pub. No.:2014/0307744) and further in view of Jain et al. (US Pub. No.: 2017/0339188).

As per claim 1, Varadhan disclose A unified fabric (see Fig.1, an example network environment 2), comprising: 
a first switching fabric at a first site (see Fig.1, VPN Site 6 A); 
a second switching fabric at a second site (see Fig.1, VPN Site 6 N), wherein the first site is at a different geographic location than the second site (see para. 0003-0004, the  devices are grouped into a number of site networks, and these sites in turn are geographically distributed over a wide area. Each site network include one or more local area networks (LANs) connecting the devices at the particular site), wherein the first switching fabric and the second switching fabric are communicatively coupled via a public network (see para. 0006, the remote sites establish VPN tunnels to hub site or between the remote sites to allow the computing devices within the remote sites to securely communicate with each other or with devices at the hub site through a public network infrastructure of a network service provider / coupled via a public network, see also para. 0033); and 
a controller (see Fig.1, LSR 14, para. 0033-0044, LSRs 14 use any type of label switching protocol to establish the LSPs, such as MPLS protocols like Resource Reservation Protocol (RSVP) and the Label Distribution Protocol (LDP), see also para. 0107-0108) configured to: 
create a stretched EPG extending between the first and second sites and containing at least a first endpoint in the first site and a second endpoint in the second site (see para. 0012, 0013 the device provides a user interface by which VPN tunnels are defined as logical interfaces for purposes of security policies, and these logical interfaces can be used like other physical interfaces to define zones to which policies are to be applied by the device and a user interface is remotely accessed or deployed by a web browser, a management and provisioning system, or other device), wherein the stretched EPG defines a security policy shared by the first and second endpoints (see para. 0008, 0039, the user interface of router 20 provides a syntax for defining security policies to be applied with respect to the defined zones / a security policy shared by the first and second hosts, see also Table 2, see also para. 0005, securely sharing data between site networks over a public network, such as the Internet, see also Fig,4, para. 0047, NSP 73 provides mapping information that identifies a VPN label and one or more MPLS labels to be applied by forwarding component 80 to IP traffic {transmit the packet from the first site to the second site using a multicast tunnel through the public network} destined for the customer VPN, see also Fig.2, para. 0036, router 20 includes physical interfaces 27 for sending and receiving IP traffic 28 to and from VPN sites 24 via physical network links / transmit the packet to the second site using the public network, also para. 0070, 0076, based on information installed within the copy of the FIB, firewall 123 determines based on the route lookup whether the packet will be output as IP traffic, clearly teaches transmit the packet to the second site using the public network); 

Although Varadhan disclose a controller configured to: create a stretched EPG extending between the first and second sites and containing at least a first endpoint in the first site and a second endpoint in the second site;
Varadhan however does not explicitly disclose a multi-site controller;

Dunbar however disclose a multi-site controller (see Fig. 6, centralized controller 614) configured to: create a stretched EPG extending between the first and second sites and containing at least a first endpoint in the first site and a second endpoint in the second site (see para. 0064, 0065, the centralized controller 614 is configured to communicate with servers A-C 310 and default gateway 612 in order to distribute service chain policies to the distributed gateways 314, NVEs 302, a default gateway 612, and/or other network nodes on the service chain, per para. 0065, the network nodes for any given virtual overlay network advertise reachable virtual overlay network prefixes to the centralized controller 614. After receiving the advertisements, the centralized controller 614 may construct service chain policies based on the network service function topology / creating a stretched EPG extending between the first and second sites, see also para. 0068-0071, using FIG. 6 as an example, the treatment policies on distributed gateways 314 (e.g. inter-network forwarding policies) is assigned the lowest policy tier, firewall and IPS network service functions found in firewall 306 and IPS 308, respectively, may be assigned as an intermediate policy tier, and the default gateways 612 may be assigned the highest policy tier);
identify a subset of endpoints in the stretched EPG using a categorizing criteria (see Fig.6, para. 0068-0071, using FIG. 6, the treatment policies on distributed gateways 314 (e.g. inter-network forwarding policies) is assigned the lowest policy tier, firewall and IPS network service functions found in firewall 306 and IPS 308, respectively, may be assigned as an intermediate policy tier, and the default gateways 612 may be assigned the highest policy tier. Additionally, when the DC system 600 comprises a plurality of default gateways 612, a subset of the default gateways 612 may be assigned as the highest policy tier, while the remaining default gateways 612 may be assigned to lower policy tiers. By categorizing the network nodes into different policy tiers, data traffic may be efficiently routed for proper network service function policy treatment)); and 
create a micro-stretched EPG from the subset of endpoints, wherein the micro-stretched EPG extends between the first and second sites and wherein the subset of endpoints is removed from the stretched EPG (see Fig.6, para. 0071, FIG. 6 illustrates that default gateway 612 may be part of the service chain to route a data packet from tenant end point A 304 to tenant end point C 304, and by categorizing the default gateway 612 as the highest policy tier, the centralized controller 614 may designate network nodes with lower policy tiers (e.g. firewall 306 and IPS 308) to enforce the network service functions before designating the network nodes with higher policy tiers (e.g. default gateway 612) for a service chain policy).

Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of a multi-site controller, as taught by Dunbar, in the system of Varadhan, so as to utilize a centralized controller, see Dunbar, paragraphs 21-22.

Although the combination of Varadhan and Dunbar disclose to identify a subset of endpoints in the stretched EPG using a categorizing criteria;

The combination of Varadhan and Dunbar however does not explicitly disclose identify a subset of endpoints in the stretched EPG using a filtering criteria.
.
Jain however disclose identify a subset of endpoints in the stretched EPG using a filtering criteria (see para. 0016, 0019, 0023, the method include providing, for the respective network attribute endpoint group, a third respective policy model. The third respective policy model can include the one or more rules from the first and/or second respective policy model, the third respective policy model can inherits the one or more rules from the first and/or second respective policy model. The rules in the third respective policy model can be used by network devices to enforce various policies for traffic associated with endpoints in the respective network attribute endpoint group, which are classified based on the network addresses of the endpoints, identify a subset of endpoints in the stretched EPG using a filtering criteria based on various policies, see also Fig.3, para. 0067-0071); and 
create a micro-stretched EPG from the subset of endpoints, wherein the micro-stretched EPG extends between the first and second sites and wherein the subset of endpoints is removed from the stretched EPG (see para. 0036-0040, 0046, a policy defined for a security group at controller 124, where the security group corresponds to web endpoints (e.g., SG-web), the policy may require web traffic (e.g., http traffic) to be allowed only between web endpoints, and otherwise blocked or dropped if flowing to or from an endpoint that is not in the web security group. Also consider that VM4-web on host 112 sends a packet to VM2-web and VM3-app on host 110. VM4-web is assigned to the web security group, SG-web, defined by controller 124. Accordingly, traffic to and from VM4-web should be processed according to the policies defined for the web security group defined by controller 124. Thus, in this example, based on the policy defined for the web security group in controller 124, the packet from VM4-web to VM2-web should be allowed, while the packet from VM4-web to VM3-app should be blocked or dropped. However, because the security groups in controller 124 are not visible by controller 122 and SDN 146, and the security groups in controller 122 are not visible by controller 124 and SDN 148, the traffic to VM2-web and VM3-app on host 110 will be treated the same. In other words, the packets to VM2-web and VM3-app will both be allowed or blocked, see also 0051-0055, consider a policy defined on SDN.sub.B for the web EPG, attr-epg-web, which provides that http traffic between endpoints in attr-epg-web and endpoints in an application EPG on SDN.sub.B, attr-epg-app, should be blocked. Matching or mirroring policies can be created for SDN.sub.A on controllers 122, 124, indicating that http traffic between sg-web1 and sg-app1, and sg-web2 and sg-app2, should be blocked. Since the security groups sg-web1 and sg-web2 on controllers 122, 124 are the SDN.sub.A counterparts of the web EPG on SDN.sub.B, attr-epg-web, then the policies defined for attr-epg-web on the SDN.sub.B should match the policies defined on controllers 122, 124 for sg-web1 and sg-web2. By following these steps, microsegmentation can be performed across the heterogeneous network 100. Traffic can be classified and policies enforced across different SDNs, hypervisors, virtual switching elements, etc. For example, by categorizing the VMs 126-134 in the SDN.sub.A into security groups, the leaf switches 106 can use the network address EPGs (e.g., MAC EPGs) to differentiate traffic from VMs running on VS.sub.A in the SDN.sub.A, and then apply the same policies as corresponding attribute EPGs from the SDN.sub.B based on inheritance).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality to identify a subset of endpoints in the stretched EPG using a filtering criteria create a micro-stretched EPG from the subset of endpoints, wherein the micro-stretched EPG extends between the first and second sites and wherein the subset of endpoints is removed from the stretched EPG, as taught by Jain, in the system of Varadhan and Dunbar, so as to define for the respective endpoint group, a first respective policy model including one or more rules for processing associated network traffic, the policy model can include contracts, rules, or policies for traffic associated with the respective endpoint group., see Jain, paragraphs 13-15.

As per claim 2, the combination Varadhan, Dunbar and Jain disclose the unified fabric of claim 1.

Jain further disclose wherein the multi-site controller is configured to: configure the micro-stretched EPG to have at least one different policy than the stretched EPG, wherein the micro-stretched EPG is in a different bridge domain or subnet than the stretched EPG (see Fig.3, para. 0067-0070, at step 300, the controller 152 classify each of a first set of endpoints (e.g., VMs 136-140) in a network 100 into a respective endpoint group (e.g., attr-epg-web, attr-epg-app, attr-epg-db), based on a respective attribute (e.g., name, label, guest OS name, security tag, etc.) associated with the respective endpoint group, and per para. 0070, at step 308, the controller 152 can define, for each respective security group, a respective policy model including the one or more rules associated with the respective policy model associated with the respective attribute EPG. For example, the policies or rules created at step 302 for an attribute EPG can be defined for the counterpart security group from step 308).

As per claim 6, the combination Varadhan, Dunbar and Jain disclose the unified fabric of claim 1.

Varadhan further disclose the unified fabric further comprising: at least one security policy permitting endpoints in the stretched EPG to communicate with the subset of endpoints in the micro-stretched EPG (see para. 0069-0073, at step 304, the controller 152 can identify a second set of endpoints (see para. 0031-0033, traffic flowing along network links 16 to and from VPN sites 6 may take the form of Internet Protocol (IP) packets, and may be secured using Internet Protocol Security (IPSec) protocols, Secure Sockets Layer (SSL) protocols or other protocols that make use of cryptographic technology. PE routers 10 provide ingress and egress for the IP traffic with respect to the Multi-protocol Label Switching (MPLS) services provided within service provider network 4), and
Jain further disclose the unified fabric further comprising: at least one security policy permitting endpoints in the stretched EPG to communicate with the subset of endpoints in the micro-stretched EPG (see para. 0069-0073, at step 304, the controller 152 can identify a second set of endpoints (e.g., VMs 126-134) associated with a second type of virtualized environment (e.g., SDN.sub.A, VS.sub.A, etc.) that is different than the first type of virtualized environment. At step 306, the controller 152 can create security groups (e.g., sg-web1, sg-app1, sg-db1, sg-web2, sg-app2, sg-db2) which include each of the second set of endpoints. Each respective security group from the security groups can correspond to a respective endpoint group from step 300. Moreover, each of the second set of endpoints can be included in the respective security group based on the respective attribute (security tag)).

As per claim 7, claim 7 is rejected the same way as claim 1.
As per claim 8, claim 8 is rejected the same way as claim 2.

As per claim 12, claim 12 is rejected the same way as claim 6.

As per claim 13, claim 13 is rejected the same way as claim 1. Varadhan further disclose  A non-transitory computer readable medium having program instructions embodied therewith, the program instructions executable by a processor to perform an operation (see Fig.6, Router 100, control unit 102, para. 0064, router 100 may operate according to program code having executable instructions fetched from a computer-readable storage medium. Examples of such media include random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), electrically erasable programmable read-only memory (EEPROM), flash memory, and the like. The functions of router 100 may be implemented by executing the instructions of the computer-readable storage medium with one or more processors, discrete hardware circuitry, firmware, software executing on a programmable processor).

As per claim 14, claim 14 is rejected the same way as claim 2.

As per claim 17, the combination Varadhan, Dunbar and Jain disclose the unified fabric of claim 1.

Varadhan further disclose wherein the operation further comprises: rewriting a destination header value in the packet to a first switch in the second switching fabric coupled to the second endpoint (see para. 0032, 0033, PE router 10A may receive IP traffic from VPN site 6A, and may then prepend a VPN label based on the corresponding customer VPN associated with the traffic. The VPN traffic may then be viewed as flowing along a VPN tunnel through service provider network 4, and the VPN tunnel 18 may be viewed as a form of an MPLS tunnel. One or more of these VPN tunnels 18 (i.e., packet flows having VPN labels prepended to each packet) may then further be encapsulated within a label stack of additional MPLS labels so as to flow along one or more LSPs).

As per claim 18, claim 18 is rejected the same way as claim 6.

Allowable Subject Matter
Claims 3-5, 9-11 and 15-16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Kapadia (US Pub. No.:2017/0034057) - In accordance with embodiments described herein, a stretch subnet may be configured to support routing for a total number of host destinations in excess of the number of entries in the FIB hardware tables. Reference is now made to FIG. 1 which illustrates an exemplary stretched subnet 100, constructed and operative in accordance with embodiments described herein to more optimally utilize the FIB resources on the internal ToR switches/leafs for cross-fabric stretched subnets while still providing optimized traffic forwarding for both within and cross fabric traffic. Stretched subnet 100 comprises data center fabrics 10A and 10B, connected via inter data center core 60. Data center fabrics 10 may be implemented, for example, using Layer-2 DCI. Common technologies used to implement Layer-2 DCI are VPLS, OTV, Layer-2 LISP, etc. Inter data center core 60 may be implemented, for example, using Layer-3 DCI. Common technologies used for Layer-3 DCI are MPLS, Layer-3 LISP, etc.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LAKERAM JANGBAHADUR whose telephone number is (571)272-1335.  The examiner can normally be reached on M-F 7 am - 4 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ian Moore can be reached on 571-272-3085.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/LAKERAM JANGBAHADUR/
Primary Examiner, Art Unit 2469