EXHIBIT 1016 - MicrosoftViptela provides a packet path selector which selects between network interfaces, using at least two known location address ranges which are respectively associated

EXHIBIT 1016

APPENDIX I

U.S. Patent No. 7,406,048

No. Claim Language Accused Instrumentality

1. A controller which controls access to multiple independent disparate networks in a parallel network configuration, the disparate networks comprising at least one private network and at least one network based on the Internet, the controller comprising:

As shown below, the accused Viptela devices are controllers that control access to multiple independent disparate networks in a parallel network configuration, the disparate networks comprising at least one private network and at least one network based on the Internet. See, e.g., Viptela Secure SD-WAN at 16 (VIPFAT0000307):

Viptela, Inc. - Exhibit 1016 Page 1

1[a]. a site interface connecting the controller to a site;

The accused Viptela devices provide a site interface connecting the controller to a site. For example, each accused instrumentality includes at least one Ethernet port that connects the controller to a LAN. See, e.g., Viptela Documentation - vEdge 100m Router (VIPFAT0008018); Viptela Documentation - vEdge 1000 Router (VIPFAT0008055); Viptela Documentation - vEdge 2000 Router (VIPFAT0008120); Viptela Secure SD-WAN at 52 (VIPFAT0000343).

See, e.g., Secure Extensible Network Solution Components - Data Components, VIPTELA, http://viptela.com/solutions/overview/ (last visited Oct. 19, 2016).

“vEdge Routers sit at the perimeter of a site (such as remote offices, branches, campuses, data centers) and provide highly secure data connectivity over any


http://viptela.com/solutions/overview/

transport.”

See, e.g., Viptela Secure SD-WAN at 8 (VIPFAT0000299):

1[b]. at least two network interfaces which send packets toward the disparate networks; and

The accused Viptela devices provide at least two network interfaces which send packets toward disparate networks. For example, each accused devices includes multiple Ethernet ports that can be configured to send packets towards different networks. See, e.g., Viptela Documentation - vEdge 100m Router (VIPFAT0008018); Viptela Documentation - vEdge 1000 Router (VIPFAT0008055); Viptela Documentation - vEdge 2000 Router (VIPFAT0008120). One of these interfaces can be configured to be the interface associated with an MPLS network and another configured to be the interface associated


with the Internet.

Below is an exemplary illustration showing the interfaces for the vEdge 1000 Viptela device. Although the other accused devices may have a different configuration of interfaces, each accused devices includes at least two network interfaces which send packets towards the disparate networks.

See, e.g., Viptela Secure SD-WAN at 52 (VIPFAT0000343)

See, e.g., Andrew Conry Murray, Startup Profile: Viptela Targets WAN Cost, Complexity, INFORMATIONWEEK (Dec. 2, 2014), http://www.informationweek.com/interop/startup-


http://www.informationweek.com/interop/startup-profile-viptela-targets-wan-cost-complexity/a/d-id/1317794

profile-viptela-targets-wan-cost-complexity/a/d-id/1317794.

“Customers place Viptela's hardware appliance, the vEdge router, at each end point that needs connectivity. Customers can run multiple connections through each appliance, including MPLS and Ethernet circuits and lower-cost options such as broadband and LTE connections.”

1[c]. a packet path selector which selects between network interfaces, using at least two known location address ranges which are respectively associated with disparate networks, according to at least: a destination of the packet, an optional presence of alternate paths to that destination, and at least one specified criterion for selecting between alternate paths when such alternate paths are present;

Viptela provides a packet path selector which selects between network interfaces, using at least two known location address ranges which are respectively associated with disparate networks, according to at least: a destination of the packet, an optional presence of alternate paths to that destination, and at least one specified criterion for selecting between alternate paths when such alternate paths are present.

See, e.g., Andrew Conry Murray, Startup Profile: Viptela Targets WAN Cost, Complexity, INFORMATIONWEEK (Dec. 2, 2014), http://www.informationweek.com/interop/startup-profile-viptela-targets-wan-cost-complexity/a/d-id/1317794.

“Customers place Viptela's hardware appliance, the vEdge router, at each end point that needs connectivity. Customers can run multiple connections through each appliance, including MPLS and Ethernet circuits and lower-cost options such as broadband and LTE connections. The appliance then merges these connections and applies customer policies to the traffic.”

Viptela vEdge routers provide path and application aware routing, taking into account, for instance, the loss and latency of the paths.







See, e.g., Viptela Secure Extensible Network - Technology Introduction at 20 (VIPFAT0000606):


Viptela vEdge routers are also capable of selecting paths based on the underlying application.


See, e.g., Viptela Documentation - Application-Aware Routing at 107 (VIPFAT0006141):

“Application-aware routing tracks network and path characteristics of the data plane tunnels between vEdge routers and uses the collected information to compute optimal paths for data traffic. These characteristics include packet loss


and packet latency, and the load, cost and bandwidth of a link. The ability to consider factors in path selection other than those used by standard routing protocols-such as route prefixes, metrics, link-state information, and route removal on the edge router-offers a number of advantages to an enterprise:

• In normal network operation, the path taken by application data traffic through the network can be optimized, by directing it to WAN links that support the required levels of packet loss and latency defined in an application's SLA.

• In the face of network brownouts or soft failures, performance degradation can be minimized. The tracking of network and path conditions by application-aware routing in real time can quickly reveal performance issues, and it automatically activates strategies that redirect data traffic to the best available path. As the network recovers from the brownout or soft failure conditions, application-aware routing automatically readjusts the data traffic paths.

• Network costs can be reduced because data traffic can be more efficiently load-balanced.

• Application performance can be increased without the need for WAN upgrades.”

1[d]. wherein the controller receives a packet through the site interface and sends the packet through the network interface that was selected by the packet path selector.

Viptela provides a controller that receives a packet through the site interface and sends the packet through the network interface that was selected by the packet path selector.

See Viptela Secure Extensible Network - Technology Introduction at 26 (VIPFAT0000612):




See Viptela Documentation - Interfaces at 5 (VIPFAT0008347):

“Interfaces on vEdge routers handle control traffic (in VPN 0), data traffic (in VPNs other than 0 and 512), and out-of-band management traffic (in VPN 512). Interface on vSmart controller and vManage NMSs handle control and management traffic.”

3. The controller of claim 1, wherein the packet path selector selects between network

As described below, Viptela devices include a controller wherein the packet path selector selects between network interfaces according to a load-balancing criterion, thereby promoting balanced loads on devices that carry packets on the selected path after the


interfaces according to a load-balancing criterion, thereby promoting balanced loads on devices that carry packets on the selected path after the packets leave the selected network interfaces.

packets leave the selected network interfaces.


“Application-aware routing tracks network and path characteristics of the data plane tunnels between vEdge routers and uses the collected information to compute optimal paths for data traffic. These characteristics include packet loss and packet latency, and the load , cost and bandwidth of a link. The ability to consider factors in path selection other than those used by standard routing protocols-such as route prefixes, metrics, link-state information, and route removal on the edge router-offers a number of advantages to an enterprise:







4. The controller of claim 1, wherein the packet path selector selects between network interfaces according to a reliability criterion, thereby promoting use of devices that will still carry packets on the selected path after the packets leave the selected network interfaces, when other devices on a path not selected are not functioning.

As described below, Viptela devices include a controller wherein the packet path selector selects between network interfaces according to a reliability criterion, thereby promoting use of devices that will still carry packets on the selected path after the packets leave the selected network interfaces, when other devices on a path not selected are not functioning.











See, e.g., Viptela Documentation - Components of Application-Aware Routing at 107 (VIPFAT0006143):

5. The controller of claim 1, wherein the controller sends packets from a selected network interface to a VPN.

As described below, Viptela devices include a controller wherein the controller sends packets from a selected network interface to a VPN.

See, e.g., Viptela Documentation - Network Interfaces at 23 (VIPFAT0005807):

“In the Viptela overlay network design, interfaces are associated with VPNs. The interfaces that participate in a VPN are configured and enabled in that VPN. Each


interface can be present only in a single VPN .

For each network interface, you can configure a number of interface-specific properties, such as DHCP clients and servers, VRRP, interface MTU and speed, and PPPoEAt a high level, for an interface to be operational, you must configure an IP address for the interface and mark it as operational (no shutdown). In practice, you always configure additional parameters for each interface.”

See, e.g., Viptela Documentation - Transport-Side NAT Operation at 153 (VIPFAT0006187):

“We use the following figure to explain how the NAT functionality on the vEdge router splits traffic into two flows (or two tunnels) so that some of it remains within the overlay network and some goes directly to the Internet or other public network.

In this figure, the vEdge router has two interfaces:

• Interface ge0/1 faces the local site and is in VPN 1. Its IP address is 10.1.12.0/24.


• Interface geO/O faces the transport cloud and is in VPN 0 (the transport VPN). Its IP address is 192.23.100.0/24, and it uses the default OMP port number, 12346, for overlay network tunnels.”


“Once NAT is enabled on the vEdge router, data traffic affected by the centralized data policy (here, the data traffic from VPN 1) is split into two flows:

• Traffic destined for another vEdge router in the overlay network remains in VPN 1, and it travels directly through the IPsec data plane tunnel from the source vEdge router to the destination vEdge router. This traffic never passes through VPN 0, and therefore it is never touched by NAT.

• Traffic destined for the public network passes from VPN 1 to VPN 0, where it is NATed. During the NAT processing, the source IP address is changed from 10.1.12.0/24 to that of geO/O, 192.23.100.0/24, and the source port is changed to 1024.”

“On a vEdge router, you can configure NAT on the service side of the router so that data traffic traverses the NAT before entering the overlay tunnel that is located in the transport VPN. The service-side NAT performs NAT to mask the IP address of data traffic it receives.”



6. The controller of claim 1, wherein the controller sends

As described below, Viptela devices include a controller wherein the controller sends


packets from a selected network interface to a point-to-point private network connection.

packets from a selected network interface to a point-to-point private network connection.

See Viptela vEdge Cloud Data Sheet at 1 (VIPFAT0004627):

“Transport independent nature of the Vipteia SD-WAN solution allows leveraging variety of connectivity methods in the active-active fashion by securely extending SD-\MAN fabric into the public cloud environment across all underlying transport networks, such as MPLS, broadband, 3G/4G LTE, satellite and point-to-point links.”

7. A method for combining connections for access to disparate parallel networks, the method comprising the steps of:

As shown below, the accused Viptela devices practice a method for combining connections for access to multiple parallel disparate networks. See Viptela Secure SD-WAN at 16 (VIPFAT0000307):


7[a]. receiving at a controller a packet which has a first site IP address as source address and a second site IP address as destination address;

As shown below, the accused Viptela devices receive at a controller a packet which has a first site IP address as source address and a second site IP address as destination address.


7[b]. selecting, within the controller on a per-packet basis, between a path through an Internet-based network and a path through a private network that is not Internet-based; and

As shown below, the accused Viptela devices select within the controller on a per-packet basis, between a path through an Internet-based network and a path through a private network that is not Internet-based.

See, e.g., Viptela Documentation - Deep Packet Inspection at 67 (VIPFAT0006101):

“In addition to examining the network- and transport-layer headers in data packets, centralized data policy can be used to examine the application information in the data packets' payload . This deep packet inspection offers control over how data packets from specific applications or application families are forwarded across the network, allowing you to assign the traffic to be carried by specific tunnels. To control the traffic flow of specific application traffic based on the traffic loss or latency properties on a tunnel, use application-aware routing.”


“Application-aware routing tracks network and path characteristics of the data plane tunnels between vEdge routers and uses the collected information to compute optimal paths for data traffic. These characteristics include packet loss


and packet latency, and the load , cost and bandwidth of a link. The ability to consider factors in path selection other than those used by standard routing protocols-such as route prefixes, metrics, link-state information, and route removal on the edge router-offers a number of advantages to an enterprise:







7[c]. forwarding the packet along the selected path toward the second site.

As described below, the accused Viptela devices forward the packet along the selected path toward the second site.





9. The method of claim 7, wherein the selecting step selects between network interfaces according to a load-balancing criterion, thereby promoting balanced loads on devices that carry packets on the selected path after the packets leave the selected network interfaces.

See Claim 3.

10. The method of claim 7, wherein the selecting step selects

See Claim 4.


between network interfaces according to a reliability criterion, thereby promoting use of devices that will still carry packets on the selected path after the packets leave the selected network interfaces, when other devices on a path not selected are not functioning.

11. The method of claim 7, wherein the forwarding step sends packets from a selected network interface to a VPN.

See Claim 5.

12. The method of claim 7, wherein the forwarding step sends packets from a selected network interface to a point-to-point private network connection.

See Claim 6.

13. A method for controlling access to multiple independent disparate networks in a parallel network configuration, the disparate networks comprising at least one private network and at least one network based on the Internet, the method comprising the steps of:

As shown below, the accused Viptela devices practice a method for controlling access to multiple independent disparate networks in a parallel network configuration, the disparate networks comprising at least one private network and at least one network based on the Internet. See Viptela Secure SD-WAN at 16 (VIPFAT0000307):


13[a]. receiving a packet through a site interface that connects a controller to a site;



See, e.g., Secure Extensible Network Solution Components - Data Components, VIPTELA, http://viptela.com/solutions/overview/ (last visited Oct. 19, 2016):

“vEdge Routers sit at the perimeter of a site (such as remote offices, branches, campuses, data centers) and provide highly secure data connectivity over any transport.”

See, e.g, Viptela Secure SD-WAN at 8 (VIPFAT0000299):



13[b]. selecting between at least two network interfaces of the controller which use at least two known location address ranges which are respectively associated with disparate networks, according to at least: a destination of the packet, an optional presence of alternate paths to that destination, and at least one specified criterion for

Viptela devices practice a method for selecting between at least two network interfaces of the controller which use at least two known location address ranges which are respectively associated with disparate networks, according to at least: a destination of the packet, an optional presence of alternate paths to that destination, and at least one specified criterion for selecting between alternate paths when such alternate paths are present.





selecting between alternate paths when such alternate paths are present; and







Viptela vEdge routers are also capable of selecting paths based on the underlying application.


13[c]. sending the packet through the selected network interface.

As described below, the accused Viptela devices send the packet through the selected network interface.





15. The method of claim 13, wherein the method selects between network interfaces according to a load-balancing criterion, thereby promoting balanced loads on devices that carry packets on the selected path after the packets leave the selected network interfaces.

See Claim 3.

16. The method of claim 13, wherein the method selects between

See Claim 4.


network interfaces according to a reliability criterion, thereby promoting use of devices that will still carry packets on the selected path after the packets leave the selected network interfaces, when other devices on a path not selected are not functioning.

17. The method of claim 13, wherein the method sends packets from a selected network interface to a VPN.

See Claim 5.

18. The method of claim 13, wherein the method sends packets from a selected network interface to a point-to-point private network connection.

See Claim 6.

19. A controller for combining connections for access to disparate parallel networks, the controller comprising:

As shown below, the accused Viptela devices are controllers for combining connections for access to disparate parallel networks. See, e.g., Viptela Secure SD-WAN at 16 (VIPFAT0000307):


19[a]. a site interface configured for

receiving a packet which has a first site IP address as source address and a second site IP address as destination address; and

As shown below, the accused Viptela devices receive at a controller a packet which has a first site IP address as source address and a second site IP address as destination address.

See, e.g., Viptela Documentation- Default Behavior without Data Policy at 168 (VIPFAT0006203):


“An outer header is added to the packet. At this point, the packet header has these contents: TLOC source address, TLOC destination address, ESP header, destination IP address, and source IP address.”

19[b]. a packet path selector which selects, within the controller on a per-packet basis, between a path through an Internet-based network and a path through a private network that is not Internet-based;

As shown below, the accused Viptela devices select within the controller on a per-packet basis, between a path through an Internet-based network and a path through a private network that is not Internet-based.












19[c]. wherein the controller receives a packet through the site interface and sends the packet through the network interface that was selected by the packet path selector.








21. The controller of claim 19, wherein the packet path selector selects between network

See Claim 3.


interfaces according to a load-balancing criterion, thereby promoting balanced loads on devices that carry packets on the selected path after the packets leave the selected network interfaces.

22. The controller of claim 20, wherein the packet path selector selects between network interfaces according to a reliability criterion, thereby promoting use of devices that will still carry packets on the selected path after the packets leave the selected network interfaces, when other devices on a path not selected are not functioning.

See Claim 4.

23. The controller of claim 19, wherein the controller sends packets from a selected network interface to a VPN.

See Claim 5.

24. The controller of claim 19, wherein the controller sends packets from a selected network interface to a point-to-point private network connection.

See Claim 6.



U.S. Patent No. 6,775,235

No. Claim Language Accused Instrumentality

4. A controller which controls access to multiple networks in a parallel network configuration, suitable networks comprising Internet-based networks and private networks from at least one more provider, in combination, the controller comprising:

As shown below, the accused Viptela devices are controllers that control access to multiple networks in a parallel network configuration comprising at least one private network and at least one network based on the Internet. See Viptela Secure SD-WAN at 16 (VIPFAT0000307):


4[a]. a site interface connecting the controller to a site;


See, e.g., Secure Extensible Network Solution Components - Data Components, VIPTELA, http://viptela.com/solutions/overview/ (last visited Oct. 19, 2016):



“vEdge Routers sit at the perimeter of a site (such as remote offices, branches, campuses, data centers) and provide highly secure data connectivity over any transport.”

See, e.g, Viptela Secure SD-WAN at 8 (VIPFAT0000299):

4[b]. at least two network interfaces which send packets toward the networks; and

The accused Viptela devices provide at least two network interfaces which send packets toward the networks. For example, each accused devices includes multiple Ethernet ports that can be configured to send packets towards different networks. See, e.g., Viptela Documentation - vEdge 100m Router (VIPFAT0008018); Viptela Documentation - vEdge 1000 Router (VIPFAT0008055); Viptela Documentation - vEdge 2000 Router


(VIPFAT0008120). One of these interfaces can be configured to be the interface associated with an MPLS network and another configured to be the interface associated with the Internet.

Below is an exemplary illustration showing the interfaces for the vEdge 1000 Viptela device. Although the other accused devices may have a different configuration of interfaces, each accused devices includes at least two network interfaces which send packets towards the networks.


See, e.g., Andrew Conry Murray, Startup Profile: Viptela Targets WAN Cost, Complexity,


INFORMATIONWEEK (Dec. 2, 2014), http://www.informationweek.com/interop/startup-profile-viptela-targets-wan-cost-complexity/a/d-id/1317794:

“Customers place Viptela's hardware appliance, the vEdge router, at each end point that needs connectivity. Customers can run multiple connections through each appliance, including MPLS and Ethernet circuits and lower-cost options such as broadband and LTE connections.”

4[c]. a packet path selector which selects between network interfaces on a per-packet basis according to at least: a destination of the packet, an optional presence of alternate paths to that destination, and at least one specified criterion for selecting between alternate paths when such alternate paths are present;

Viptela provides a packet path selector which selects between network interfaces according to at least: a destination of the packet, an optional presence of alternate paths to that destination, and at least one specified criterion for selecting between alternate paths when such alternate paths are present.

See, e.g., Andrew Conry Murray, Startup Profile: Viptela Targets WAN Cost, Complexity, INFORMATIONWEEK (Dec. 2, 2014), http://www.informationweek.com/interop/startup-profile-viptela-targets-wan-cost-complexity/a/d-id/1317794:







Viptela vEdge routers provide path and application aware routing, taking into account, for instance, the loss and latency of the paths. See, e.g., Viptela Secure SD-WAN at 35 (VIPFAT0000326):




Viptela vEdge routers are also capable of selecting paths based on the underlying application. See, e.g., Viptela Secure Extensible Network - Technology Introduction at 21 (VIPFAT0000607):

4[d]. wherein the controller receives a packet through the site inter-face and sends the packet through the network interface that was




selected by the packet path selector.



“Transport interfaces in VPN 0 connect to a WAN network of some kind, such as the Internet, a Metro Ethernet network, or an MPLS network.”




5. A method for combining connections for access to multiple parallel disparate networks, the method comprising the steps of:

As shown below, the accused Viptela devices practice a method for combining connections for access to multiple parallel disparate networks. See Viptela Secure SD-WAN at 16 (VIPFAT0000307):


5[a]. obtaining at least two known location address ranges which have associated networks;

As described below, the accused Viptela devices obtain at least two know address ranges which have associated networks.

See Viptela Documentation - Centralized and Localized Policy at 5 (VIPFAT0006039):

“Centralized data policy applies to the flow of data traffic throughout the VPNs in the overlay network. These policies can permit and restrict access based either on a 6-tuple match (source and destination IP addresses and ports, DSCP fields, and protocol) or on VPN membership. These policies are pushed to the affected vEdge routers.”



“Localized data policy allows you to provision access lists and apply them to a specific interface or interfaces on the router. Simple access lists permit and restrict access based on a 6-tuple match (source and destination IP addresses and ports, DSCP fields, and protocol), in the same way as with centralized data policy. Access lists also allow provisioning of class of service (CoS), policing, and mirroring, which control how data traffic flows out of and in to the router's interfaces and interface queues.”

See Viptela Documentation - Viptela Policy Framework Basics at 14 (VIPFAT0006040):

“Data policy examines fields in the headers of data packets, looking at the source and destination addresses and ports, and the protocol and DSCP values, and for matching packets, it can modify the next hop in a variety of ways or apply a policer to the packets. Data policy is configured and applied on the vSmart controller, and then it is carried in OMP updates to the vEdge routers in the site-list that the policy is applied to. The match operation and any resultant actions are performed on the vEdge router as it transmits or receives data traffic.”

See Viptela Documentation - Centralized Data Policy at 66 (VIPFAT0006100):

“Policy decisions affecting data traffic can be based on the packet header fields, specifically, on the source and destination IP prefixes, the source and destination IP ports, the protocol, and the DSCP.

This type of policy is often used to modify traffic flow in the network. Here are some examples of the types of control that can be effected with centralized data policy:

• Which set of sources are allowed to send traffic to any destination outside the local site. For example, local sources that are rejected by such a data policy can communicate only with hosts on the local network.

• Which set of sources are allowed to send traffic to a specific set of destinations


outside the local site. For example, local sources that match this type of data policy can send voice traffic over one path and data traffic over another.

• Which source addresses and source ports are allowed to send traffic to any destination outside the local site or to a specific port at a specific destination.”

See Viptela Documentation - Multicast Traffic Flow through the Overlay Network at 189 (VIPFAT0005973):

“Now, let's examine how multicast traffic flows from the sources to the receivers. The two multicast sources, Source-1 and Source-2, send their multicast streams (the blue stream from Source-1 and the green stream from Source-2) to the RP. Because the destination IP addresses for both streams are at remote sites, the RP forwards them to vEdge-3 for transmission onto the transport/WAN network. vEdge-3 has learned from the vSmart controller that the network has two replicators, vEdge-1 and vEdge-2, and so forwards the two multicast streams to them, without first replicating the streams.

The two replicators have learned from a vSmart controller the locations of multicast receivers for the two streams. The vEdge-1 replicator makes one copy of the green stream and forwards it to vEdge-4, which in turns forwards it to the Receiver-3. The vEdge-2 replicator makes one copy of the green stream, which it forwards to vEdge-5 (from which it goes on to Receiver-2), and it makes two copies of the blue stream, which it forwards to vEdge-4 and vEdge-5 (and which they then forward to the two receivers).”

See Viptela Documentation - show policy service-path at 89 (VIPFAT0007613):

“show policy service-path-Determine the next-hop information for an IP packet that a vEdge router sends out a service-side interface (on vEdge routers only) . You identify the IP packet by specifying fields in the IP header. You can use this command when using application-aware routing, to determine that path taken by the packets associated with a DPI application.”


See Viptela Documentation - show policy tunnel-path at 91 (VIPFAT0007615):

“show policy tunnel-path-Determine the next-hop information for an IP packet that a vEdge router sends out a WAN transport tunnel interface (on vEdge routers only) . You identify the IP packet by specifying fields in the IP header. You can use this command when using application-aware routing, to determine that path taken by the packets associated with a DPI application.”

5[b]. obtaining topology information which specifies associated networks that provide, when working, connectivity between a current location and at least one destination location;

Viptela obtains topology information which specifies associated networks that provide, when working, connectivity between a current location and at least one destination location. As noted above, Viptela’s systems is configured to transmit data among multiple parallel networks. To do so, it must obtain topology information specifying connectivity between the current location and a destination location.

See Viptela Documentation - High Availability Overview at 181 (VIPFAT0006215):

“Software mechanisms ensure rapid recovery from a failure. To provide a resilient control plane, the Viptela Overlay Management Protocol (OMP) regularly monitors the status of all Viptela devices in the network and automatically adjusts to changes in the topology as devices join and leave the network. For data plane resiliency, the Viptela software implements standard protocol mechanisms, specifically Bidirectional Forwarding Detection (BFD), which runs on the secure IPsec tunnels between vEdge routers.”


“This article and the next offer an orientation about the architecture of the Viptela policy software used to implement overlay network-wide policies. These policies are called vSmart policy or centralized policy, because you configure them centrally on a vSmart controller. vSmart policy affects the flow of both control plane traffic (routing updates carried by OMP and used by the vSmart controllers to determine the topology and status of the overlay network) and data plane traffic (data traffic that travels between the vEdge nodes across the overlay network).”


See Viptela Secure SD-WAN at 43 (VIPFAT0000334):

5[c]. receiving at the current location a packet which identifies a particular destination location by specifying a destination address for the destination location;

Viptela receives at the current location a packet which identifies a particular destination location by specifying a destination address for the destination location.

See Viptela Documentation - Data Policy Operation at 14 (VIPFAT0006048):

“Data policy examines fields in the headers of data packets, looking at the source and destination addresses and ports, and the protocol and DSCP values, and for matching


packets, it can modify the next hop in a variety of ways or apply a policer to the packets. Data policy is configured and applied on the vSmart controller, and then it is carried in OMP updates to the vEdge routers in the site-list that the policy is applied to. The match operation and any resultant actions are performed on the vEdge router as it transmits or receives data traffic.”

See Viptela Documentation - Data Policy Based on Packet Header Fields at 66 (VIPFAT0006100):

“Policy decisions affecting data traffic can be based on the packet header fields, specifically, on the source and destination IP prefixes, the source and destination IP ports, the protocol, and the DSCP. This type of policy is often used to modify traffic flow in the network. Here are some examples of the types of control that can be effected with centralized data policy:


• Which set of sources are allowed to send traffic to a specific set of destinations outside the local site. For example, local sources that match this type of data policy can send voice traffic over one path and data traffic over another.


5[d]. determining whether the destination address lies within a known location address range;

The accused Viptela devices determine whether the destination address lies within a known location address range. When a packet is received on a port, it is typically routed to an outgoing port. This routing necessarily makes a determination if the destination address of the IP packet lies within the known location address range(s).


“We use the following figure to explain how the NAT functionality on the vEdge


router splits traffic into two flows (or two tunnels) so that some of it remains within the overlay network and some goes directly to the Internet or other public network.






• Traffic destined for another vEdge router in the overlay network remains in VPN 1, and it travels directly through the IPsec data plane tunnel from the source vEdge router to the destination vEdge router. This traffic never passes through VPN 0, and


therefore it is never touched by NAT.


5[e]. selecting a network path from among paths to disparate associated networks, said networks being in parallel at the current location, each of said networks specified in the topology information as capable of providing connectivity between the current location and the destination location;

As described below, the accused Viptela devices select a network path from among paths to disparate associated networks, said networks being in parallel at the current location, each of said networks specified in the topology information as capable of providing connectivity between the current location and the destination location.



See, e.g., Viptela Secure Extensible Network - Technology Introduction at 20


(VIPFAT0000606):

Viptela vEdge routers are also capable of selecting one of parallel paths based on the underlying application.



See, e.g., Viptela Documentation - Policy Overview at 4-5 (VIPFAT0006038- VIPFAT0006039):

“The design of the Viptela policy software distinguishes between basic and advanced policy. Basic policy allows you to influence or determine basic traffic flow through the overlay network. Here, you perform standard policy tasks, such as managing the paths along which traffic is routed through the network, and permitting or blocking traffic based on the address, port, and DSCP fields in the packet's IP header. You can also control the flow of data traffic into and out of a vEdge router's interfaces, enabling features such as class of service and queuing, mirroring, and policing. Advanced features of Viptela policy software offer specialized policy-based network


applications. Examples of these applications include the following:

• Service chaining, which redirects data traffic to shared devices in the network, such as firewall, intrusion detection and prevention (IDS), load balancer, and other devices, before the traffic is delivered to its destination. Service chaining obviates the need to have a separate device at each branch site.

• Application-aware routing, which selects the best path for traffic based on real-time network and path performance characteristics.

• Cflowd, for monitoring traffic flow.

• Converting a vEdge router into a NAT device, to allow traffic destined for the Internet or other public network can exit directly from the vEdge router.”

5[f]. forwarding the packet on the selected network path.

As described below, the accused Viptela devices forward the packet on the selected path.





6. The method of claim 5, further comprising the step of modifying the packet destination address to lie within a known location address range associated with the selected network before the forwarding step.

As described below, Viptela devices modify the packet destination address to lie within a known location address range associated with the selected network before forwarding.

See, e.g., Viptela Documentation - Using a vEdge Router as a NAT Device at 154 (VIPFAT0006186):

“The NAT functionality on a vEdge routers operates in a standard end-point independent fashion . The NAT software performs both address and port translation (NAPT). It establishes a translation entry between a private address inside the overlay network and a public address outside the overlay network. Once this translation entry is created, the NAT software allows any incoming connection from any external host to be established with the private address inside the overlay network. The NAT


software filters out packets that are not destined for an IP address and port in the overlay network regardless of the external IP address and port source.”

7. The method of claim 5, wherein the forwarding step forwards the packet toward the Internet when the packet's destination address does not lie within any known location address range.

As described below, the accused Viptela devices forwards the packet toward the Internet when the packet’s destination address does not lie within any known location address range.


“Here are the configuration components that set up the NAT function on the vEdge routers so that traffic passing destined for the Internet can travel directly from the vEdge router to the Internet, without having to go to a centralized or other site before exiting to the Internet:

data-prefix-list identifies the source IP prefixes whose traffic is destined for the NAT, and hence for the Internet

vpn-list identifies the affected VPNs.

site-list groups together the three sites that participate in VPN 1.

data-policy in the policy section directs matching traffic towards the NAT, and hence towards the Internet.

data-policy in the apply-policy section is applied in the from-service direction to match incoming traffic from the service side to the vEdge router.”

8. The method of claim 5, wherein the destination address identifies a destination location to which only a single associated network provides connectivity from the current location, and the forwarding step forwards the

As described below, Viptela devices practice a method wherein the destination address identifies a destination location to which only a single associated network provides connectivity from the current location, and the forwarding step forwards the packet to that single associated network.



packet to that single associated network.

“Here are the configuration components that set up the NAT function on the vEdge routers so that traffic passing destined for the Internet can travel directly from the vEdge router to the Internet, without having to go to a centralized or other site before exiting to the Internet:

data-prefix-list identifies the source IP prefixes whose traffic is destined for the NAT, and hence for the Internet

vpn-list identifies the affected VPNs.

site-list groups together the three sites that participate in VPN 1.

data-policy in the policy section directs matching traffic towards the NAT, and hence towards the Internet.

data-policy in the apply-policy section is applied in the from-service direction to match incoming traffic from the service side to the vEdge router.”

9. The method of claim 5, wherein repeated instances of the selecting step make network path selections on a packet-by-packet basis.

As described below, Viptela devices practice a method wherein repeated instances of the selecting step make network path selections on a packet-by-packet basis.



10. The method of claim 5, wherein repeated instances of the

As described below, Viptela devices practice a method wherein repeated instances of the


selecting step make network path selections on a per session basis.

selecting step make network path selections on a per session basis.

See, e.g., Viptela Documentation - Centralized Control Policy Overview at 39 (VIPFAT0006073):

“All centralized control plane traffic, including route information, is carried by OMP peering sessions that run within the secure, permanent DTLS connections between vEdge routers and the vSmart controllers in their domain. The end points of an OMP peering session are identified by the system IDs of the Viptela devices, and the peering sessions carry the site ID, which identifies the site in which the device is located. A DTLS connection and the OMP session running over it remain active as long as the two peers are operational.

Control policy can be applied both inbound, to the route advertisements that the vSmart controllers receives from vEdge routers, and outbound, to advertisements that it sends to them. Inbound policy controls which routes and route information are installed in the local routing database on the vSmart controller, and whether this information is installed as-is or is modified. Outbound control policy is applied after a route is retrieved from the routing database, but before vSmart controller advertises it, and affects whether the route information is advertised as-is or is modified.”

11. The method of claim 5, wherein the selecting step selects the network path at least in part on the basis of a dynamic load-balancing criterion.

As described below, Viptela devices practice a method wherein the selecting step selects the network path at least in part on the basis of a dynamic load-balancing criterion.










12. The method of claim 11, wherein repeated instances of the selecting step select between network paths at least in part on the basis of a dynamic load-balancing criterion which tends to balance line loads by distributing packets between lines.

As described below, Viptela devices practice a method wherein repeated instances of the selecting step select between network paths at least in part on the basis of a dynamic load-balancing criterion which tends to balance line loads by distributing packets between lines.



• In normal network operation, the path taken by application data traffic


through the network can be optimized, by directing it to WAN links that support the required levels of packet loss and latency defined in an application's SLA.






13. The method of claim 11, wherein repeated instances of the selecting step select between network paths at least in part on the basis of a dynamic load-balancing criterion which tends to balance network loads by distributing packets between disparate networks.

As described below, Viptela devices practice a method wherein repeated instances of the selecting step select between network paths at least in part on the basis of a dynamic load-balancing criterion which tends to balance network loads by distributing packets between disparate networks.










14. The method of claim 5, wherein the selecting step selects the network path at least in part on the basis of a reliability criterion.

As described below, Viptela devices practice a method wherein the selecting step selects the network path at least in part on the basis of a reliability criterion.



• In normal network operation, the path taken by application data traffic through the network can be optimized, by directing it to WAN links that


support the required levels of packet loss and latency defined in an application's SLA.







See, e.g., Viptela Documentation - Components of Application-Aware Routing at 107 (VIPFAT0006143):

15. The method of claim 5, wherein the selecting step selects the network path at least in part on the basis of a security criterion.

As described below, Viptela devices practice a method wherein the selecting step selects the network path at least in part on the basis of a security criterion.



19. A method for combining connections for access to parallel networks, the method comprising the steps of:

As shown below, the accused Viptela devices practice a method for combining connections for access to parallel networks. See, e.g., Viptela Secure SD-WAN at 16 (VIPFAT0000307):


19[a]. sending a packet to a site

interface of a controller, the controller comprising the site interface which receives packets, at least two network interfaces to parallel networks, and a packet path selector which selects between the network interfaces on a per-session basis to promote load-balancing; and

Viptela devices practice sending a packet to a site interface of a controller, the controller comprising the site interface which receives packets, at least two network interfaces to parallel networks, and a packet path selector which selects between the network interfaces on a per-session basis to promote load-balancing.


“Customers place Viptela's hardware appliance, the vEdge router, at each end point that needs connectivity. Customers can run multiple connections through each appliance, including MPLS and Ethernet circuits and lower-cost options such as




broadband and LTE connections. The appliance then merges these connections and applies customer policies to the traffic.”




“Application-aware routing tracks network and path characteristics of the data plane tunnels between vEdge routers and uses the collected information to compute optimal paths for data traffic. These characteristics include packet loss and packet latency, and the load , cost and bandwidth of a link. The ability to consider factors in path selection other than those used by standard routing protocols-such as route prefixes,


metrics, link-state information, and route removal on the edge router-offers a number of advantages to an enterprise:





19[b]. forwarding the packet-through the network interface selected byte packet path selector; wherein the step of sending a packet to the controller site interface is repeated as multiple packets are sent, and the controller sends different packets of a given message to different parallel networks.

As described below, the accused Viptela devices forwarding the packet-through the network interface selected by the packet path selector:

See Viptela Secure Extensible Network - Technology Introduction at 26 (VIPFAT0000612).


See, e.g., Viptela Documentation - Policy Overview at 4 (VIPFAT0006038):

“Application-aware routing, which selects the best path for traffic based on real-time network and path performance characteristics.”

See, e.g., Viptela Documentation - Application-Aware Routing Policies at 23 (VIPFAT0006057):

“Application-aware routing tracks packet loss and latency on the data plane connections between vEdge routers, to compute optimal paths for data traffic in the overlay network. The loss and latency data supplements the standard routing parameters-such as route prefixes, metrics, and link-state information-in determining traffic paths through the network.”








• Network costs can be reduced because data traffic can be more efficiently


load-balanced.





“Characteristics of the MPLS offload Service:

MPLS network is one or more of: Oversubscribed, Expensive, Unable to respond to customer service requirements

Viptela network can intelligently distribute applications across multiple networks as required

MPLS networks generally deliver guaranteed SLAs so Viptela endpoint is instructed to use MPLS as primary carrier for Applications requiring strict SLAs, e.g. VoIP

Other applications are offloaded from the MPLS network and use the second carrier across the Internet

Bandwidth is preserved across the MPLS network while a complete service portfolio is delivered using Viptela SEN across MPLS and Internet both

Value: Intelligent load-distribution across multiple networks, increased agility of services, multi-domain transport, increased redundancy

Problem solved: Overcomes challenges with MPLS scale, agility and time to service delivery, returns control of WAN to the Enterprise to match business requirements, enables multi-domain transport”

22. A computer storage medium having a configuration that represents data and instructions which will cause performance of a method for combining connections for access to multiple parallel disparate networks, the method

As shown below, the accused Viptela devices comprise a computer storage medium having a configuration that represents data and instructions which will cause performance of a method for combining connections for access to multiple parallel disparate networks See, e.g., Viptela Secure SD-WAN at 16 (VIPFAT0000307):


comprising the steps of:

22[a]. obtaining at least two known

location address ranges which have associated networks;

As described below, the accused Viptela devices obtain at least two know address ranges which have associated networks.


“Centralized data policy applies to the flow of data traffic throughout the VPNs in the overlay network. These policies can permit and restrict access based either on a 6-tuple match (source and destination IP addresses and ports, DSCP fields, and protocol) or on VPN membership. These policies are pushed to the affected vEdge routers.”



“Localized data policy allows you to provision access lists and apply them to a specific interface or interfaces on the router. Simple access lists permit and restrict access based on a 6-tuple match (source and destination IP addresses and ports, DSCP fields, and protocol), in the same way as with centralized data policy. Access lists also allow provisioning of class of service (CoS), policing, and mirroring, which control how data traffic flows out of and in to the router's interfaces and interface queues.”


“Data policy examines fields in the headers of data packets, looking at the source and destination addresses and ports, and the protocol and DSCP values, and for matching packets, it can modify the next hop in a variety of ways or apply a policer to the packets. Data policy is configured and applied on the vSmart controller, and then it is carried in OMP updates to the vEdge routers in the site-list that the policy is applied to. The match operation and any resultant actions are performed on the vEdge router as it transmits or receives data traffic.”

See Viptela Documentation - Centralized Data Policy at 66 (VIPFAT0006100):

“Policy decisions affecting data traffic can be based on the packet header fields, specifically, on the source and destination IP prefixes, the source and destination IP ports, the protocol, and the DSCP.

This type of policy is often used to modify traffic flow in the network. Here are some examples of the types of control that can be effected with centralized data policy:


• Which set of sources are allowed to send traffic to a specific set of destinations outside the local site. For example, local sources that match this type of data policy


can send voice traffic over one path and data traffic over another.


22[b]. obtaining topology information which specifies associated networks that provide, when working, connectivity between a current location and at least one destination location;

Viptela obtains topology information which specifies associated networks that provide, when working, connectivity between a current location and at least one destination location. As noted above, Viptela’s systems is configured to transmit data among multiple parallel networks. To do so, it must obtain topology information specifying connectivity between the current location and a destination location.

See Viptela Documentation - High Availability Overview at 181 (VIPFAT0006215):

“Software mechanisms ensure rapid recovery from a failure. To provide a resilient control plane, the Viptela Overlay Management Protocol (OMP) regularly monitors the status of all Viptela devices in the network and automatically adjusts to changes in the topology as devices join and leave the network. For data plane resiliency, the Viptela software implements standard protocol mechanisms, specifically Bidirectional Forwarding Detection (BFD), which runs on the secure IPsec tunnels between vEdge routers.”


“This article and the next offer an orientation about the architecture of the Viptela policy software used to implement overlay network-wide policies. These policies are called vSmart policy or centralized policy, because you configure them centrally on a vSmart controller. vSmart policy affects the flow of both control plane traffic (routing updates carried by OMP and used by the vSmart controllers to determine the topology and status of the overlay network) and data plane traffic (data traffic that travels between the vEdge nodes across the overlay network).”



22[c]. receiving at the current location a packet which identifies a particular destination location by specifying a destination address for the destination location;

Viptela receives at the current location a packet which identifies a particular destination location by specifying a destination address for the destination location.

See Viptela Documentation - Data Policy Operation at 14 (VIPFAT0006048):

“Data policy examines fields in the headers of data packets, looking at the source and destination addresses and ports, and the protocol and DSCP values, and for matching packets, it can modify the next hop in a variety of ways or apply a policer to the packets. Data policy is configured and applied on the vSmart controller, and then it is


carried in OMP updates to the vEdge routers in the site-list that the policy is applied to. The match operation and any resultant actions are performed on the vEdge router as it transmits or receives data traffic.”

See Viptela Documentation - Data Policy Based on Packet Header Fields at 66 (VIPFAT0006100):

“Policy decisions affecting data traffic can be based on the packet header fields, specifically, on the source and destination IP prefixes, the source and destination IP ports, the protocol, and the DSCP. This type of policy is often used to modify traffic flow in the network. Here are some examples of the types of control that can be effected with centralized data policy:


• Which set of sources are allowed to send traffic to a specific set of destinations outside the local site. For example, local sources that match this type of data policy can send voice traffic over one path and data traffic over another.


22[d]. determining whether the destination address lies within a known location address range;

The accused Viptela devices determine whether the destination address lies within a known location address range. When a packet is received on a port, it is typically routed to an outgoing port. This routing necessarily makes a determination if the destination address of the IP packet lies within the known location address range(s).


“We use the following figure to explain how the NAT functionality on the vEdge router splits traffic into two flows (or two tunnels) so that some of it remains within


the overlay network and some goes directly to the Internet or other public network.






• Traffic destined for another vEdge router in the overlay network remains in VPN 1, and it travels directly through the IPsec data plane tunnel from the source vEdge router to the destination vEdge router. This traffic never passes through VPN 0, and therefore it is never touched by NAT.



22[e]. selecting a network path from among paths to disparate associated networks, said networks being in parallel at the current location, each of said networks specified in the topology information as capable of providing connectivity between the current location and the destination location;

As described below, the accused Viptela devices select a network path from among paths to disparate associated networks, said networks being in parallel at the current location, each of said networks specified in the topology information as capable of providing connectivity between the current location and the destination location.





Viptela vEdge routers are also capable of selecting one of parallel paths based on the underlying application.



See, e.g., Viptela Documentation - Policy Overview at 4-5 (VIPFAT0006038- VIPFAT0006039):

“The design of the Viptela policy software distinguishes between basic and advanced policy. Basic policy allows you to influence or determine basic traffic flow through the overlay network. Here, you perform standard policy tasks, such as managing the paths along which traffic is routed through the network, and permitting or blocking traffic based on the address, port, and DSCP fields in the packet's IP header. You can also control the flow of data traffic into and out of a vEdge router's interfaces, enabling features such as class of service and queuing, mirroring, and policing. Advanced features of Viptela policy software offer specialized policy-based network


applications. Examples of these applications include the following:

• Service chaining, which redirects data traffic to shared devices in the network, such as firewall, intrusion detection and prevention (IDS), load balancer, and other devices, before the traffic is delivered to its destination. Service chaining obviates the need to have a separate device at each branch site.

• Application-aware routing, which selects the best path for traffic based on real-time network and path performance characteristics.

• Cflowd, for monitoring traffic flow.

• Converting a vEdge router into a NAT device, to allow traffic destined for the Internet or other public network can exit directly from the vEdge router.”

22[f]. modifying the packet destination address to lie within a known location address range associated with the selected network if it does not already do so; and

As described below, Viptela devices modify the packet destination address to lie within a known location address range associated with the selected network.


“The NAT functionality on a vEdge routers operates in a standard end-point independent fashion . The NAT software performs both address and port translation (NAPT). It establishes a translation entry between a private address inside the overlay network and a public address outside the overlay network. Once this translation entry is created, the NAT software allows any incoming connection from any external host to be established with the private address inside the overlay network. The NAT software filters out packets that are not destined for an IP address and port in the overlay network regardless of the external IP address and port source.”

22[g]. forwarding the packet on the selected network path.

As described below, the accused Viptela devices forward the packet on the selected path.





23. The configured storage medium of claim 22, wherein the selecting step selects the network path at least in part on the basis of a dynamic load-balancing criterion.

As described below, the accused Viptela devices comprise a computer storage medium wherein the selecting step selects the network path at least in part on the basis of a dynamic load-balancing criterion.


“Application-aware routing tracks network and path characteristics of the data plane tunnels between vEdge routers and uses the collected information to compute optimal paths for data traffic. These characteristics include packet loss and packet latency, and the load , cost and bandwidth of a link. The ability to consider factors in path selection other than those used by standard routing protocols-such as route prefixes, metrics, link-state information, and route removal on the edge router-offers a number


of advantages to an enterprise:







24. The configured storage medium of claim 22, wherein repeated instances of the selecting step make network path selections on a packet-by-packet basis.

As described below, the accused Viptela devices comprise a computer storage medium wherein repeated instances of the selecting step make network path selections on a packet-by-packet basis.




EXHIBIT 1016 - MicrosoftViptela provides a packet path selector which selects between network interfaces, using at least two known location address ranges which are respectively associated

Documents