DETAILED ACTION
	This application has been examined. Claims 1-20 are pending.
 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
 
Making Final
Applicant's arguments filed 10/25/2022 have been fully considered but they are moot in view of the new grounds for rejection.  
The claim amendments regarding ‘based at least in part on the entry in the DHCP snoop database, validating, by the leaf node device, data traffic received from the host device prior to the host device sending a broadcast to the leaf node device’ clearly change the literal scope of the independent and dependent claims and/or the range of equivalents for such claims. The said amendments alter the scope of the claims but do not overcome the disclosure by the prior art as shown below.
The Examiner is presenting new grounds for rejection as necessitated by the claim amendments and is thus making this action FINAL.
Response to Arguments
Applicant's arguments filed 10/25/2022 have been fully considered but they are moot in view of the new grounds for rejection. 

The Applicant presents the following argument(s) [in italics]:
… Fu does not describe “based at least in part on the entry in the DHCP snoop database, validating, by the leaf node device, data traffic received from the host device prior to the host device sending a broadcast to the leaf node device” as recited in amended claim 1. …
The Examiner respectfully disagrees with the Applicant. 

Fu-Fernando-Daun-Beck disclosed (re. Claim 1) based at least in part on the entry in the DHCP snoop database, (Daun-Paragraph 22, snoops on these messages to discover both the MAC address of the requesting cable modem and the IP address assigned to it by the DHCP server 36, and updates its ARP/ND database 40 with the discovered information) validating, by the leaf node device, data traffic received from the host device (Fu-Paragraph 27, with ARP snooping enabled on the leaf, ARP requests are redirected to a verification engine, Paragraph 29, If the endpoint repository returns a match, then the endpoint is to be admitted)
 
 
Priority
	The effective date of the claims described in this application is January 8, 2020.
 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Fu (USPGPUB 2018/0176181) further in view of Fernando (USPGPUB 2017/0317919) further in view of Daun (USPGPUB 2020/0204517) further in view of Beck (USPGPUB 2019/0372886).

In regard to Claim 1
Fu Paragraph 19 disclosed wherein misbehaving devices can be detected and appropriate action taken even before they are "admitted" to pass traffic.
Fu Paragraph 24 disclosed wherein a data center network manager (DCNM) is a central management entity that performs overlay/underlay provisioning as well as managing and monitoring the data center. An endpoint repository can be maintained within the DCNM. The endpoint repository could also be stored externally, as long as it is accessible to the DCNM or the switch.  Fu Paragraph 26 disclosed wherein two leafs are interconnected via a single spine. A virtualized compute node is connected to each leaf, on which endpoints are spawned (in this case, virtual machines). The LDAP server hosts the endpoint repository.
Fu disclosed (re. Claim 1) a method of operating a leaf node device connected to a switch fabric, comprising:
by the leaf node device, in response to receiving the indication of the secure route, (Fu-Paragraph 22, the switch first validates the end host with its identity, Paragraph 23, only an end host with a validated identity is admitted into the network and is subsequently allowed to send traffic and receive traffic ) creating or updating an entry for the host device (Fu-Paragraph 29, If the endpoint repository returns a match, then the endpoint is to be admitted. A new ARP entry for the endpoint may then be added to the ARP cache, which in turn will result in an appropriate /32 route being populated by remote leafs, thereby ensuring optimal reachability of information distribution within the fabric. )  in an endpoint repository of the leaf node device.   
While Fu substantially disclosed the claimed invention Fu does not disclose (re. Claim 1) ‘receiving, at the leaf node device, a Border Gateway Protocol (BGP) message including an advertisement of a route to a host device’  --  and -- ‘determining, at the leaf node device, that the BGP message includes a BGP Extended Community attribute that is populated with a value that indicates the route is authenticated as secure’ . 

While Fu substantially disclosed the claimed invention Fu does not disclose (re. Claim 1)  by the leaf node device, receiving from another leaf node device, via the switch fabric, an indication of a secure route to a host device.
While Fu substantially disclosed the claimed invention Fu does not disclose (re. Claim 1) a Dynamic Host Configuration Protocol (DHCP) snoop database of the leaf node device.  
Fernando Paragraph 31 disclosed wherein leaf switches 22 learn reachability information, such as IP-to-MAC bindings, for locally attached hosts 14 using Layer 2 learning mechanisms. Fernando Paragraph 32 disclosed wherein after learning reachability information for locally attached hosts, control plane learning VTEPs advertise the locally attached host reachability information in the MP-BGP EVPN control plane to MP-BGP peers, enabling control plane learning VTEPs to learn reachability information for remote hosts in the MP-BGP EVPN control plane. The MP-BGP EVPN control plane thus serves as a single source of truth for all forwarding information (within and across subnets), including reachability information, such as MAC addresses and IP addresses, for every endpoint and/or host in overlay network 30.
Fernando Paragraph 50 disclosed wherein anchor nodes use a MAC mobility extended community attribute, which is advertised with a Route type 2 message (MAC/IP advertisement routes), to ensure that control plane learning VTEPs retain correct MAC/IP routes for hosts moving between control plane learning VTEPs and data plane learning VTEPs.
 
Fernando disclosed (re. Claim 1)  by the leaf node device, receiving from another leaf node device, via the switch fabric, an indication of a secure route to a host device.( Fernando- Paragraph 32,wherein after learning reachability information for locally attached hosts, control plane learning VTEPs advertise the locally attached host reachability information in the MP-BGP EVPN control plane to MP-BGP peers, enabling control plane learning VTEPs to learn reachability information for remote hosts in the MP-BGP EVPN control plane ) 
 Fu and Fernando are analogous art because they present concepts and practices regarding facilitating inter-VXLAN network traffic such as network traffic to/from hosts 14 belonging to different VXLAN segments. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Fernando into Fu.  The motivation for the said combination would have been to implement interoperability between control plane learning VTEPs and data plane learning VTEPs  such that  when a control plane learning VTEP receives VXLAN network traffic from an unknown VTEP (in other words, not learned through the control plane), the control plane learning VTEP drops VXLAN network traffic received from the unknown VTEP. (Fernando-Paragraph 35)
While Fu-Fernando  substantially disclosed the claimed invention Fu-Fernando does not disclose (re. Claim 1) ‘receiving, at the leaf node device, a Border Gateway Protocol (BGP) message including an advertisement of a route to a host device’  --  and -- ‘determining, at the leaf node device, that the BGP message includes a BGP Extended Community attribute that is populated with a value that indicates the route is authenticated as secure’ . 

While Fu-Fernando substantially disclosed the claimed invention Fu-Fernando does not disclose (re. Claim 1) a Dynamic Host Configuration Protocol (DHCP) snoop database of the leaf node device.  
Daun Paragraph 22 disclosed wherein CMTS 32 includes an ARP or ND Handling system 38 that snoops on these messages to discover both the MAC address of the requesting cable modem and the IP address assigned to it by the DHCP server 36, and updates its ARP/ND database 40 with the discovered information.
Daun disclosed (re. Claim 1) a Dynamic Host Configuration Protocol (DHCP) snoop database of the leaf node device.  (Daun-Paragraph 22, snoops on these messages to discover both the MAC address of the requesting cable modem and the IP address assigned to it by the DHCP server 36, and updates its ARP/ND database 40 with the discovered information) 
Fu, Fernando and Daun are analogous art because they present concepts and practices regarding MAC-IP bindings for individual devices. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Daun into Fu-Fernando. The motivation for the said combination would have been to ensure that the bindings listed in a device's database or cache are current. (Daun-Paragraph 9)
Fu-Fernando-Daun disclosed (re. Claim 1) a leaf node device, receiving from another leaf node device an indication (Fernando-Type-2 route advertisement, Type-3 route advertisement, Paragraph 50, anchor nodes use a MAC mobility extended community attribute, which is advertised with a Route type 2 message (MAC/IP advertisement routes) … control plane learning VTEP can update a sequence number of the MAC mobility extended community, indicating that previously advertised MAC/IP routes for the host are no longer valid) that a secure route to a host device is secure. (Fernando-Paragraph 33, As soon as leaf switch 22(1), leaf switch 22(2), and leaf switch 22(3) receive the route advertisement from leaf switch 22(4) (a BGP neighbor), leaf switch 22(1), leaf switch 22(2), and leaf switch 22(3) add the IP address of leaf switch 22(4) (here, VTEP4-IP) to a VTEP peer list (also referred to as a white list that identifies valid VTEP peers in overlay network 30), Paragraph 51, route advertisement can define a route type as a MAC/IP advertisement route, an Ethernet tag ID as a VXLAN identifier of the VXLAN segment (here, VNI 20000), a MAC address of host 14(3) (here, H3-MAC), an IP address of host 14(3) (here, 2.2.2.3/24), and a next hop as leaf switch 22(4) (here, VTEP4-IP, the IP address of leaf switch 22(4)), Paragraph 52, Leaf switch 22(1) then transmits an update route advertisement (for example, a Route Type 2 message) to all control plane learning VTEPs)
 
While Fu-Fernando-Daun substantially disclosed the claimed invention Fu-Fernando-Daun does not disclose (re. Claim 1) ‘receiving, at the leaf node device, a Border Gateway Protocol (BGP) message including an advertisement of a route to a host device’  --  and -- ‘determining, at the leaf node device, that the BGP message includes a BGP Extended Community attribute that is populated with a value that indicates the route is authenticated as secure’ . 
Beck Paragraph 4 disclosed advertising a secure BGP path performed by a processor of a computing device, such as a router. The method may include receiving an indication of a route prefix to advertise, determining one or more current security settings, generating a BGP message including indications of any current security settings as one or more path security attributes, and sending the BGP message including the one or more path security attributes.
Beck disclosed (re. Claim 1) ‘receiving, at the leaf node device, a Border Gateway Protocol (BGP) message including an advertisement of a route to a host device’ (Beck-Paragraph 26, As BGP messages that advertise paths are received by routers, the paths and their attributes may be stored in routing tables for use in routing packets along those paths  )  --  and -- ‘determining, at the leaf node device, that the BGP message includes a BGP Extended Community attribute (Beck-Paragraph 59, bit position 606 may indicate whether or not community security is applied by the AS )   that is populated with a value that indicates the route is authenticated as secure’  (Beck-Paragraph 29,Paragraph 59, the path security attribute 600 may be a byte value carried in a BGP message …The indication of the one or more types of security applied in the BGP message may provide transparency as to the local security measures implemented along an AS path ) 
Fu, Fernando and Beck are analogous art because they present concepts and practices regarding facilitating inter-VXLAN network traffic such as network traffic to/from hosts 14 belonging to different VXLAN segments. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Beck into Fu-Fernando. The motivation for the said combination would have been to provide an indication of the one or more types of security applied in the BGP message in order to provide transparency as to the local security measures implemented along an AS path. In this manner, though an AS may not be configured to handle the one or more path security attributes, when the AS advertises the route based on the BGP message, the one or more path security attributes may be preserved (Beck-Paragraph 29)
Fu-Fernando-Daun-Beck disclosed (re. Claim 1) wherein the DHCP snoop database (Daun-Paragraph 22, snoops on these messages to discover both the MAC address of the requesting cable modem and the IP address assigned to it by the DHCP server 36, and updates its ARP/ND database 40 with the discovered information ) is configured to enable secure host device mobility between two leaf node devices in the switch fabric.  (Daun-Paragraph 23, station maintenance message exchanges with each cable modem 34 and upon receipt of a response message from a cable modem 34 updates the Station Maintenance Database 44 as well as refreshes the MAC-IP bindings in the ARP/ND database by resetting a timer for the next message exchange )
The Examiner notes wherein does not explicitly disclose a ‘second leaf node device including a second DHCP snoop database’.
The Supreme Court in KSR International Co. v. Teleflex Inc., identified a number of rationales to support a conclusion of obviousness which are consistent with the proper "functional approach" to the determination of obviousness as laid down in Graham.  An exemplary rationale that may support a conclusion of obviousness is that of ' applying a known technique to a known device (method, or product) ready for improvement to yield predictable results.'
  The Examiner notes wherein it would have been obvious to apply the Daun database in each of the Fernando BGP leaf nodes such that each of the plurality of Fernando BGP leaf nodes would implement a database for storing and updating the snooping information in order to confirm the continued validity of MAC/IP routes for hosts moving between control plane learning VTEPs and data plane learning VTEPs.

Fu Paragraph 19, Paragraph 27 disclosed wherein misbehaving devices can be detected and appropriate action taken even before they are "admitted" to pass traffic.
Daun disclosed ‘a DHCP snoop database’ (Daun-Paragraph 22, snoops on these messages to discover both the MAC address of the requesting cable modem and the IP address assigned to it by the DHCP server 36, and updates its ARP/ND database 40 with the discovered information)
Fu-Fernando-Daun-Beck disclosed (re. Claim 1) distributing the entry in the DHCP snoop database to a second leaf node device (Fernando- Paragraph 32,wherein after learning reachability information for locally attached hosts, control plane learning VTEPs advertise the locally attached host reachability information in the MP-BGP EVPN control plane to MP-BGP peers, enabling control plane learning VTEPs to learn reachability information for remote hosts in the MP-BGP EVPN control plane , Paragraph 32, leaf switch 22(2) has learned reachability information for host 14(2) from the MP-BGP EVPN control plane via Route Type 2 messages) such that, upon the host device connecting to the second leaf node device, the second leaf node device communicates secure traffic with the host device prior to the host device sending a broadcast to the second leaf node. (Fu-Paragraph 22, the switch first validates the end host with its identity, Paragraph 23, only an end host with a validated identity is admitted into the network and is subsequently allowed to send traffic and receive traffic, Paragraph 19, Paragraph 27,misbehaving devices can be detected and appropriate action taken even before they are "admitted" to pass traffic)

Fu-Fernando-Daun-Beck disclosed (re. Claim 1) based at least in part on the entry in the DHCP snoop database, (Daun-Paragraph 22, snoops on these messages to discover both the MAC address of the requesting cable modem and the IP address assigned to it by the DHCP server 36, and updates its ARP/ND database 40 with the discovered information) validating, by the leaf node device, data traffic received from the host device (Fu-Paragraph 27, with ARP snooping enabled on the leaf, ARP requests are redirected to a verification engine, Paragraph 29, If the endpoint repository returns a match, then the endpoint is to be admitted)


In regard to Claim 9
Claim 9 (re. leaf node device) recites substantially similar limitations as Claim 1.  Claim 9 is rejected on the same basis as Claim 1.
In regard to Claim 16
Claim 16 (re. non-transitory computer-readable storage media) recites substantially similar limitations as Claim 1.  Claim 16 is rejected on the same basis as Claim 1.
In regard to Claim 2
 	Fu-Fernando-Daun-Beck disclosed (re. Claim 2) by the leaf node device, determining from the DHCP snoop database (Daun-Paragraph 22, snoops on these messages to discover both the MAC address of the requesting cable modem and the IP address assigned to it by the DHCP server 36, and updates its ARP/ND database 40 with the discovered information) of the leaf node device that the route to the host device is secure, and based at least in part on the determining, (Fernando-Type-2 route advertisement, Type-3 route advertisement, Paragraph 50, anchor nodes use a MAC mobility extended community attribute, which is advertised with a Route type 2 message (MAC/IP advertisement routes) … control plane learning VTEP can update a sequence number of the MAC mobility extended community, indicating that previously advertised MAC/IP routes for the host are no longer valid  ) communicating with the host device attached to the leaf node device. (Fernando-Paragraph 32, where leaf switch 22(2) receives the ARP request for host 14(2) from host 14(3) )  
In regard to Claim 3,10
 Fu-Fernando-Daun-Beck disclosed (re. Claim 3,10) wherein the switch fabric is an underlay for an Ethernet Virtual Private Network (EVPN) overlay.(Fernando-Paragraph 28, overlay network 30 can operate with a control plane in an Ethernet Virtual Private Network (EVPN) mode that drives control plane learning ) 
In regard to Claim 4,11
 Fu-Fernando-Daun-Beck disclosed (re. Claim 4,11) wherein the indication that the    route to the host device is secure is received  (Fernando-Paragraph 33, As soon as leaf switch 22(1), leaf switch 22(2), and leaf switch 22(3) receive the route advertisement from leaf switch 22(4) (a BGP neighbor), leaf switch 22(1), leaf switch 22(2), and leaf switch 22(3) add the IP address of leaf switch 22(4) (here, VTEP4-IP) to a VTEP peer list (also referred to as a white list that identifies valid VTEP peers in overlay network 30))  via a Border Gateway Protocol (BGP)  update message from a second leaf node device, the second leaf node device including a second DHCP snoop database storing the indication that the route to the host device is secure.(Fernando- Paragraph 32,wherein after learning reachability information for locally attached hosts, control plane learning VTEPs advertise the locally attached host reachability information in the MP-BGP EVPN control plane to MP-BGP peers, enabling control plane learning VTEPs to learn reachability information for remote hosts in the MP-BGP EVPN control plane , Paragraph 32, leaf switch 22(2) has learned reachability information for host 14(2) from the MP-BGP EVPN control plane via Route Type 2 messages) 

In regard to Claim 5,12,17
Fu-Fernando-Daun-Beck disclosed (re. Claim 5,12,17) wherein the leaf node device receives from the other leaf node device, the indication that the route to the host device is secure along with an Internet Protocol (IP) to Media Access Control (MAC) pairing for the host device. (Fernando-Paragraph 32, forwarding information (within and across subnets), including reachability information, such as MAC addresses and IP addresses, for every endpoint and/or host in overlay network 30…IP-to-MAC bindings for locally attached hosts 14, Paragraph 51, route advertisement can define a route type as a MAC/IP advertisement route, an Ethernet tag ID as a VXLAN identifier of the VXLAN segment (here, VNI 20000), a MAC address of host 14(3) (here, H3-MAC), an IP address of host 14(3) (here, 2.2.2.3/24), and a next hop as leaf switch 22(4) (here, VTEP4-IP, the IP address of leaf switch 22(4)))
In regard to Claim 6,13,18
 Fu-Fernando-Daun-Beck disclosed (re. Claim 6,13,18) by the leaf node device, receiving from the other leaf node device, via the switch fabric, an indication of a lease renewal time for the  route, (Daun-Paragraph 23, station maintenance message exchanges with each cable modem 34 and upon receipt of a response message from a cable modem 34 updates the Station Maintenance Database 44 as well as refreshes the MAC-IP bindings in the ARP/ND database by resetting a timer for the next message exchange ) wherein creating or updating the entry for the host device in the DHCP snoop database includes providing the lease renewal time in the entry. (Daun-Paragraph 23, scheduled maintenance messages for a predefined period of time before a timer expires) 
In regard to Claim 7,14,19
 Fu-Fernando-Daun-Beck disclosed (re. Claim 7,14,19) wherein updating the entry for the host device in the DHCP snoop database (Daun-Paragraph 23, station maintenance message exchanges with each cable modem 34 and upon receipt of a response message from a cable modem 34 updates the Station Maintenance Database 44 as well as refreshes the MAC-IP bindings in the ARP/ND database by resetting a timer for the next message exchange )  includes updating a lease expiration time for the host device in the entry. (Daun-Paragraph 23, scheduled maintenance messages for a predefined period of time before a timer expires) 

In regard to Claim 8,15,20
 Fu-Fernando-Daun-Beck disclosed (re. Claim 8,15,20) receiving an address resolution protocol (ARP) message from the host device; (Fernando-Paragraph 32, where leaf switch 22(2) receives the ARP request for host 14(2) from host 14(3) )  caching the ARP message; (Fu-Paragraph 29, If the endpoint repository returns a match, then the endpoint is to be admitted. A new ARP entry for the endpoint may then be added to the ARP cache, which in turn will result in an appropriate /32 route being populated by remote leafs, thereby ensuring optimal reachability of information distribution within the fabric, Fernando-Paragraph 60, information being tracked, sent, received, or stored could be provided in any database, register, table, cache, queue, control list, or storage structure )  and
validating the cached ARP message at least in part using the entry for the host device in the DHCP snoop database of the leaf node device.(Fu-Paragraph 29, If the endpoint repository returns a match, then the endpoint is to be admitted.)
 
 

Conclusion

Examiner’s Note: In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Please refer to the enclosed PTO-892 form.
  Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

 Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREG C BENGZON whose telephone number is (571)272-3944.  The examiner can normally be reached on Monday - Friday 8 AM - 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached on (571) 272-3964.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


	/GREG C BENGZON/           Primary Examiner, Art Unit 2444