50 Minuteman Rd.
Andover, MA 01810
(978) 684-1000

CUSTOMER RELEASE NOTES

Enterasys NetSight^® Policy Manager
Version 1.8.1
April, 2005

INTRODUCTION:

When updates have been obtained using the NetSight Web Update feature, the Addendum section at the end of these release notes will contain the updated release information.

The most recent version of these release notes can also be found on the NetSight Documentation web page: http://www.enterasys.com/support/manuals/netsight.html.

	NOTE:	When this topic is opened from the CD-ROM, the links from this topic to other help topics will not work Links within the topic will work and once you've installed Policy Manager, you can launch the help system and access help for all topics.

Enterasys NetSight Policy Manager is a tool that simplifies the configuration of policies on networks, and deploys the policies on multiple devices throughout the switch fabric. It may be used for any device that supports the Enterasys Networks Policy Profile MIB. Web-based authentication is available on devices with firmware that supports the Enterasys Networks PWA MIB and the Enterasys Networks RADIUS Auth Client Encrypt MIB or the Enterasys Networks RADIUS Client MIB. 802.1X authentication is available on devices with firmware that supports the EAP MIB and the Enterasys Networks RADIUS Auth Client Encrypt MIB or the Enterasys Networks RADIUS Client MIB.

With Policy Manager, you can create policy profiles, called roles, that are assigned to the ports in your network. These roles provide four key policy features: traffic containment, traffic filtering, traffic security, and traffic prioritization. When authentication is enabled, users identify themselves to the network and are given customized access capabilities based on what role they serve in the organization.

Using the Policy Manager wizards and configuration tools, you can create multiple roles tailored to your specific needs, and set a default role for all or some of your network devices and ports. Basic Policy Manager operations include creating, editing, and deleting roles. You can also view role configuration on a per device and per port basis. In addition, Policy Manager allows you to verify that the roles enforced on your network device match the roles currently configured in the application. Policy Manager supports a maximum of 1,000 devices (25,000 ports) and 50 roles, and can process a maximum of 250 unique classification rules with a maximum of 50 classification rules per role.

Policy Manager requires a list of network devices, which can be created using a text editor. Network devices can also be imported by connecting directly to NetSight Console version 1.X. There are special utility programs available that will create a device list for you based on your HP OpenView^®, NetSight Switch and Topology Manager, or NetSight Element Manager device database. Contact Support for more information.

It is recommended that you thoroughly review this document prior to installing or upgrading this product.

SOFTWARE CHANGES AND ENHANCEMENTS:

Software Changes

The following restrictions and limitations have been fixed in release 1.8.1 of NetSight Policy Manager:

General
Setting the default role for a port or ports via the right-click menu option in the device Ports tab no longer causes the application to hang.
(Matrix C2 devices with firmware version 3.00.xx only.) When you try to enforce a VLAN with a name that has a space in it, the enforce no longer fails.
(Matrix V2 devices only.) You can now configure the VLAN Authorization Egress functionality through the port Authentication Configuration tab.
(Role-Based Rate Limits.) Mapping a logical rate limit index to a rate limit that is configured as an outbound Priority-Based rate limit no longer causes Verify to fail.

The following restrictions and limitations have been fixed in release 1.8 of NetSight Policy Manager:

General

Deleting a device that is "Not Reachable," then using the Device Configuration Wizard to configure any of your devices, no longer causes the device to reappear in the Network Elements tree.

The ToS/DSCP Rewrite feature is now supported on Matrix N-Series Gold and Platinum devices running firmware version 5.01.xx.

(Matrix N-Series devices that support multiple authentication types per device.) If a user has authenticated using two or more authentication types, an active entry for each authentication type is no longer displayed in the Port Usage tab for that user. Now, only one session will be displayed as active (blue) in the Port Usage tab.

The Event Log Clean-up now functions for both the Log Directory Size Restriction and Event Log File Aging options even if the "Notify User Before Removing Logs" checkbox is deselected in the Event Log view of the Options window.

In the device-level MAC Locking tab, setting the option "Move all dynamic MACs with a Locking Cause of 'First Arrival' to a statically locked MAC" no longer fails with the following error message: "Unable to move all dynamic MAC addresses to static. See Event Log for details."

General
Deleting a device that is "Not Reachable," then using the Device Configuration Wizard to configure any of your devices, no longer causes the device to reappear in the Network Elements tree.
The ToS/DSCP Rewrite feature is now supported on Matrix N-Series Gold and Platinum devices running firmware version 5.01.xx.
(Matrix N-Series devices that support multiple authentication types per device.) If a user has authenticated using two or more authentication types, an active entry for each authentication type is no longer displayed in the Port Usage tab for that user. Now, only one session will be displayed as active (blue) in the Port Usage tab.
The Event Log Clean-up now functions for both the Log Directory Size Restriction and Event Log File Aging options even if the "Notify User Before Removing Logs" checkbox is deselected in the Event Log view of the Options window.
In the device-level MAC Locking tab, setting the option "Move all dynamic MACs with a Locking Cause of 'First Arrival' to a statically locked MAC" no longer fails with the following error message: "Unable to move all dynamic MAC addresses to static. See Event Log for details."

Software Enhancements

The following enhancements have been added to release 1.8.1 of Policy Manager:

Support for Matrix B-Series Devices. Policy Manager now supports the Matrix B2 device for 802.1X authentication.
MAC Mask for Matrix N-Series Platinum Devices. MAC address masking is now supported for MAC authentication on Matrix N-Series Platinum devices. Using a mask provides a way to authenticate end stations based on a portion of their MAC address.
PPS Rate Limits for Matrix N-Series Devices. You can now create role-based rate limits for PPS (Packets per Second) transmission rates on Matrix N-Series devices.
IP Socket Rules Support Masks. IP Socket rules (IP address plus UDP port classification rules) now let you specify an IP address mask for Matrix N-Series devices.
RFC3580 VLAN Authorization for Matrix E1 and Matrix V2 devices. Matrix E1 and Matrix V2 devices now support RFC 3580 VLAN Authorization for networks where the RADIUS server has been configured to return a VLAN ID when a user authenticates.
RFC3580 VLAN Authorization Egress for Matrix V2 devices. Allows you to modify the VLAN egress list for the VLAN ID returned by the RADIUS server when a user authenticates on the port.
Authentication-Based VLAN to Role Mapping for Matrix E1 devices. Authentication-Based VLAN to role mapping is now supported on Matrix E1 devices. This provides a way to assign a role to a user during the authentication process, based on a VLAN attribute.

The following enhancements have been added to release 1.8 of Policy Manager:

Expanded Class of Service Support. Policy Manager now supports two modes of class of service, with each mode providing a different rate limit functionality: Priority-Based Rate Limits and Role-Based Rate Limits. In addition, the Role-Based Rate Limits mode includes the ability to configure transmit queues.
DNS Configuration for the Matrix E1. You can now configure your DNS domain name and server addresses to support the Enhanced Login Mode on Matrix E1 devices supporting this in firmware.
Multi-User 802.1X for Matrix N-Series Devices. Matrix N-Series Gold and Platinum devices now support multi-user 802.1X authentication.
Network Resource Enhancements. Policy Manager now provides a Network Resources Wizard that leads you through all the steps required to create a network resource group and an Automated service with which to associate it. The wizard also lets you apply the Automated service to a role.
Single-User and Multi-User Authentication Support. Policy Manager now supports multi-user authentication for devices that support multiple authentication types and multiple users per port, and single-user authentication for devices that support only one or two authentication types and single users per port.
Launch in Tab Option. This new options lets you specify which left-panel tab is displayed when you launch Policy Manager.
Enhanced Rule Accounting. New rule accounting features for Matrix N-Series devices:
- Auto-Clear Functionality - Enable auto-clear operations and specify the ports that the clear operations will be performed on. These auto-clear operations determine when to clear the specified ports from a rule's Rule Usage tab:
  - Clear Rule Usage on Port Link-Status Change
  - Clear Rule Usage Port Role Change
  - Clear Rule Usage on Interval
- Rule Usage Tabs at Device and Port Level - A new device-level Rule Usage tab displays port information for all the rules that have been used for a selected device, and a new port-level Rule Usage tab displays all the rules that have been used on a selected port and the role they are associated with.
TCI Overwrite at Port Level. You can now enable or disable TCI Overwrite functionality for an individual port.
MAC to Role Mapping for Matrix N-Series Platinum Devices. Provides a way to assign a role to an end station based on its source MAC address. This allows you to create a specific role for a group of end stations (such as IP phones), and assign it to them based on their MAC address and a MAC mask.
IP to Role Mapping for Matrix N-Series Platinum Devices. Provides a way to assign a role to an end station based on its IP address. In networks that haven't deployed authentication, this would allow you to map an individual IP address such as an administrator's laptop, to a specific role.
Disable Traffic Classification Types for Matrix N-Series Platinum Devices. You can now disable specific classification rule types on an individual port as a way to disable policy-assignment rules used in VLAN to Role Mapping, IP to Role Mapping, MAC to Role Mapping, and Role Override. For example, you could disable the VLAN ID traffic classification type which would disable Tagged Packet VLAN to Role Mapping on the port. You could also disable all traffic classification types, which would effectively turn off policy on the port.
MAC Address Selection for MAC-based Rules. When creating a MAC-based rule, a new Select MAC Address window lets you quickly select a MAC address from a list of addresses read from a specified device or port.
Enhanced Audit Trail. Additional events were added to the Event Log to provide better auditing specifically in the areas of RADIUS configuration and authentication settings.
Support for Red Hat Enterprise Linux WS v3. Policy Manager can now be installed on the Red Hat Enterprise Linux WS v3 platform.
Support for Matrix C2. Policy Manager now supports Matrix C2 devices which now support policy features.
Save of .pmd file. Now, saving your .pmd file also automatically saves your policy information to a human-readable format (.cvs file).
Invalid Role Action for Matrix N-Series and RoamAbout R2 devices. Lets you specify what happens to a user that gets an unknown or invalid role.

SYSTEM REQUIREMENTS:

Supported Platforms

The system requirements for operating Policy Manager are listed here:

Windows^® 2000 w/ Service Pack 4, Windows XP^® w/ Service Pack 1, and Windows Server™ 2003 (qualified on the English version of the operating systems)
- Recommended P4-2.4 GHz, 1GB RAM
- Free Disk Space - 600MB

Solaris^® 2.8, and 2.9 (with latest operating system patches installed)
- Recommended Sun^® Ultra 30/60 (or equivalent), 900MHz, 1GB RAM
- Free Disk Space - 600MB

Red Hat Enterprise Linux WS, ES v3
- Recommended P4-2.4 GHz, 1GB RAM
- Free Disk Space - 600MB

UNIX^® Operating System Patches

Before installing Policy Manager on the UNIX platform, be sure to install the latest patches for your operating system. You can download the most recent operating system patches from www.sunsolve.sun.com.

PRODUCT FIRMWARE SUPPORT:

Table 1 lists the devices and firmware versions supported by this release of Policy Manager. Table 2 lists the feature sets supported by Policy Manager and the supported firmware. Table 3 lists the VLAN and Priority Classification Rule Support for the supported devices.

Table 1: Devices/Firmware Versions Supported

Device Type	Firmware Version
Matrix B2	1.00.xx
Matrix C1	1.01.xx 2.00.xx
Matrix C2	1.0 2.xx.xx 3.00.xx
Matrix E1 (1H582-51, 1G582-09)	2.00.xx 2.01.xx 2.02.xx 2.03.xx 2.04.xx 2.05.xx 3.00.xx 3.01.xx 3.02.xx 3.03.xx 3.04.xx 3.05.xx
Matrix E5	03.00.xx
Matrix E6/E7	5.00.48 5.00.49 5.01.33 5.02.02 5.03.xx 5.04.xx 5.05.xx 5.06.xx 5.07.xx 5.08.xx
Matrix N3/N5/N7/NSA Platinum	1.07.xx 1.50.xx 2.00.xx 3.00.xx 4.xx.xx 5.01.xx 5.11.xx
Matrix N3/N5/N7 Gold	3.10.xx 4.xx.xx 5.01.xx 5.11.xx
Matrix V2	2.5.x
RoamAbout R2	2.00.xx 3.01.xx 4.00.xx 4.01.xx 5.04.xx
RoamAbout AP3000	V2.0.6 V3.1.0

Table 2: Policy Manager/Firmware Feature Support

Matrix B-Series		Firmware Version
Functionality		1.00.xx
Policy Support		-
802.1X Authentication		X
MAC Auth		-
MAC+802.1X Authentication		-
Web-based Authentication		-
RADIUS Support		X
MAC Locking	Dynamic	X
MAC Locking	Static	-
VLAN Support		-
Priority (Class of Service)		-
Classification Rules	VLAN	-
Classification Rules	Priority	-
Policy-based VLAN Egress		-
Dynamic Egress		-
Rate Limiting		-
Drop VLAN Tagged Frame		-
GVRP		-
ToS/DSCP Rewrite		-

Matrix C1

Functionality 1.01.xx 2.00.xx

Policy Support X X

802.1X Authentication X X

MAC Authentication - -

MAC+802.1X Authentication - -

Web-based Authentication - -

RADIUS Support X X

MAC Locking Dynamic - X

Static - X

VLAN Support <1-4094>
1024 max <1-4094>
4094 max

Priority
(Class of Service) X X

Classification
Rules VLAN X
See Table 3 X
See Table 3

Priority X
See Table 3 X
See Table 3

Policy-based VLAN Egress X X

Rate Limiting X
Priority-Based
(8 rate limits)
Outbound Only X
Priority-Based
(8 rate limits)
Outbound Only

Dynamic Egress - X

Drop VLAN Tagged Frame X X

GVRP X X

ToS/DSCP Rewrite - -

Matrix C1
Functionality	1.01.xx	2.00.xx
Policy Support	X	X
802.1X Authentication	X	X
MAC Authentication	-	-
MAC+802.1X Authentication	-	-
Web-based Authentication	-	-
RADIUS Support	X	X
MAC Locking	Dynamic	-	X
Static	-	X
VLAN Support	<1-4094> 1024 max	<1-4094> 4094 max
Priority (Class of Service)	X	X
Classification Rules	VLAN	X See Table 3	X See Table 3
Priority	X See Table 3	X See Table 3
Policy-based VLAN Egress	X	X
Rate Limiting	X Priority-Based (8 rate limits) Outbound Only	X Priority-Based (8 rate limits) Outbound Only
Dynamic Egress	-	X
Drop VLAN Tagged Frame	X	X
GVRP	X	X
ToS/DSCP Rewrite	-	-

Matrix C2

Functionality 1.0 2.xx.xx 3.00.xx

Policy Support - X X

802.1X Authentication X X¹ X¹

MAC Authentication - X¹ X¹

MAC+802.1X Authentication - - -

Web-based Authentication - X¹ X¹

RADIUS Support X X X

MAC Locking Dynamic - X X

Static - - -

VLAN Support <1-4094>
1024 max <1-4093>
1024 max <1-4093>
1024 max

Priority
(Class of Service) - X X

Classification
Rules VLAN - X
See Table 3 X
See Table 3

Priority - X
See Table 3 X
See Table 3

Policy-based VLAN Egress - X X

Rate Limiting - X²
Priority-Based
(GE 8 rate limits)
(FE 2 rate limits)
Inbound Only X²
Priority-Based
(GE 8 rate limits)
(FE 2 rate limits)
Inbound Only

Dynamic Egress - - -

Drop VLAN Tagged Frame - - -

GVRP X X X

ToS/DSCP Rewrite - - -

Matrix C2
Functionality	1.0	2.xx.xx	3.00.xx
Policy Support	-	X	X
802.1X Authentication	X	X¹	X¹
MAC Authentication	-	X¹	X¹
MAC+802.1X Authentication	-	-	-
Web-based Authentication	-	X¹	X¹
RADIUS Support	X	X	X
MAC Locking	Dynamic	-	X	X
Static	-	-	-
VLAN Support	<1-4094> 1024 max	<1-4093> 1024 max	<1-4093> 1024 max
Priority (Class of Service)	-	X	X
Classification Rules	VLAN	-	X See Table 3	X See Table 3
Priority	-	X See Table 3	X See Table 3
Policy-based VLAN Egress	-	X	X
Rate Limiting	-	X² Priority-Based (GE 8 rate limits) (FE 2 rate limits) Inbound Only	X² Priority-Based (GE 8 rate limits) (FE 2 rate limits) Inbound Only
Dynamic Egress	-	-	-
Drop VLAN Tagged Frame	-	-	-
GVRP	X	X	X
ToS/DSCP Rewrite	-	-	-

¹All three types of authentication can be enabled at the device-level but not at the port-level.
²GE ports - 8 rate limits; FE ports - 2 rate limits (0,1,2,3 and 4,5,6,7). Inbound Only.

Matrix E1 Firmware Version

Functionality 1.00.xx 2.00.xx 2.01.xx 2.02.xx
2.03.xx
2.04.xx
2.05.xx 3.00.xx
3.01.xx 3.02.xx
3.03.xx
3.04.xx 3.05.xx

Policy Support X X X X X X X

802.1X Authentication - - X X X X X

MAC Authentication - - - X X X X

MAC+802.1X Authentication - - - X X X X

Web-based Authentication - - - - X X X

Enhanced Login Mode - - - - X X X

Redirect Time - - - - - X X

Guest Networking - - - - X X X

RADIUS Support X X X X X X X

RADIUS Accounting - - - - SNMPv3 Only SNMPv3 Only SNMPv3 Only

CEP (Convergence End Point)¹ - - - - - X X

MAC Locking Dynamic - - X X X X X

Static - - X X X X X

VLAN Support <1-3073>
3073 max <1-4094>
4094 max <1-4094>
4094 max <1-4094>
4094 max <1-4094>
4094 max <1-4094>
4094 max <1-4094>
4094 max

Priority
(Class of Service) X X X X X X X

Classification
Rules VLAN X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3

Priority X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3

Policy-based VLAN Egress - - - - - - -

Rate Limiting - - X
Priority-Based
(8 rate limits)
Inbound Only X
Priority-Based
(8 rate limits)
Inbound Only X
Priority-Based
(8 rate limits)
Inbound Only
Min = 200 Kb/s
Max = 1 Gb/s X
Priority-Based
(8 rate limits)
Inbound Only
Min = 200 Kb/s
Max = 1 Gb/s X
Priority-Based
(8 rate limits)
Inbound Only
Min = 200 Kb/s
Max = 1 Gb/s

Dynamic Egress X X X X X X X

Drop VLAN Tagged Frame - - - - - - -

GVRP X X X X X X X

ToS/DSCP Rewrite X X X X X X X

RFC3580 VLAN
Authorization - - - - - - X

Authentication-Based
VLAN to Role Mapping - - - - - - X

Matrix E1	Firmware Version
Functionality	1.00.xx	2.00.xx	2.01.xx	2.02.xx 2.03.xx 2.04.xx 2.05.xx	3.00.xx 3.01.xx	3.02.xx 3.03.xx 3.04.xx	3.05.xx
Policy Support	X	X	X	X	X	X	X
802.1X Authentication	-	-	X	X	X	X	X
MAC Authentication	-	-	-	X	X	X	X
MAC+802.1X Authentication	-	-	-	X	X	X	X
Web-based Authentication	-	-	-	-	X	X	X
Enhanced Login Mode	-	-	-	-	X	X	X
Redirect Time	-	-	-	-	-	X	X
Guest Networking	-	-	-	-	X	X	X
RADIUS Support	X	X	X	X	X	X	X
RADIUS Accounting	-	-	-	-	SNMPv3 Only	SNMPv3 Only	SNMPv3 Only
CEP (Convergence End Point)¹	-	-	-	-	-	X	X
MAC Locking	Dynamic	-	-	X	X	X	X	X
Static	-	-	X	X	X	X	X
VLAN Support	<1-3073> 3073 max	<1-4094> 4094 max	<1-4094> 4094 max	<1-4094> 4094 max	<1-4094> 4094 max	<1-4094> 4094 max	<1-4094> 4094 max
Priority (Class of Service)	X	X	X	X	X	X	X
Classification Rules	VLAN	X See Table 3	X See Table 3	X See Table 3	X See Table 3	X See Table 3	X See Table 3	X See Table 3
Priority	X See Table 3	X See Table 3	X See Table 3	X See Table 3	X See Table 3	X See Table 3	X See Table 3
Policy-based VLAN Egress	-	-	-	-	-	-	-
Rate Limiting	-	-	X Priority-Based (8 rate limits) Inbound Only	X Priority-Based (8 rate limits) Inbound Only	X Priority-Based (8 rate limits) Inbound Only Min = 200 Kb/s Max = 1 Gb/s	X Priority-Based (8 rate limits) Inbound Only Min = 200 Kb/s Max = 1 Gb/s	X Priority-Based (8 rate limits) Inbound Only Min = 200 Kb/s Max = 1 Gb/s
Dynamic Egress	X	X	X	X	X	X	X
Drop VLAN Tagged Frame	-	-	-	-	-	-	-
GVRP	X	X	X	X	X	X	X
ToS/DSCP Rewrite	X	X	X	X	X	X	X
RFC3580 VLAN Authorization	-	-	-	-	-	-	X
Authentication-Based VLAN to Role Mapping	-	-	-	-	-	-	X

¹CEP is not supported if Web Authentication is enabled.

Matrix E5

Functionality

Policy Support X

802.1X Authentication X

MAC Authentication -

MAC+802.1X Authentication -

Web-based Authentication -

RADIUS Support X

MAC Locking Dynamic -

Static -

VLAN Support <1-2048>
1024 max

Priority
(Class of Service) -

Classification
Rules VLAN -

Priority -

Policy-based VLAN Egress -

Rate Limiting -

Dynamic Egress -

Drop VLAN Tagged Frame -

GVRP -

ToS/DSCP Rewrite -

Matrix E5
Functionality
Policy Support	X
802.1X Authentication	X
MAC Authentication	-
MAC+802.1X Authentication	-
Web-based Authentication	-
RADIUS Support	X
MAC Locking	Dynamic	-
Static	-
VLAN Support	<1-2048> 1024 max
Priority (Class of Service)	-
Classification Rules	VLAN	-
Priority	-
Policy-based VLAN Egress	-
Rate Limiting	-
Dynamic Egress	-
Drop VLAN Tagged Frame	-
GVRP	-
ToS/DSCP Rewrite	-

Matrix E6/E7 Firmware Version

Functionality 5.00.xx 5.01.xx 5.02.xx 5.03.xx 5.04.xx 5.05.xx
5.06.xx
5.07.xx
5.08.xx

Policy Support X X X X X X

802.1X Authentication - - X X X X

MAC Authentication - - - - X X

MAC+802.1X Authentication - - - - X X

Web-based Authentication - X X X X X

RADIUS Support - X X X X X

MAC Locking Dynamic - - - - X X

Static - - - - - X

VLAN Support <1-4094>
1024 max <1-4094>
1024 max <1-4094>
1024 max <1-4094>
1024 max <1-4094>
1024 max <1-4094>
1024 max

Priority
(Class of Service) X X X X X X

Classification
Rules VLAN X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3

Priority X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3

Policy-based VLAN Egress - - - - - -

Rate Limiting X
Priority-Based
(4 rate limits)
In/Outbound X
Priority-Based
(4 rate limits)
In/Outbound X
Priority-Based
(4 rate limits)
In/Outbound X
Priority-Based
(4 rate limits)
In/Outbound X
Priority-Based
(6 rate limits)
In/Outbound X
Priority-Based
(6 rate limits)
In/Outbound
Min = 96 Kb/s
Max = 7 Gb/s

Dynamic Egress X X X X X X

Drop VLAN Tagged Frame - X X X X X

GVRP X X X X X X

ToS/DSCP Rewrite X X X X X X

Matrix E6/E7	Firmware Version
Functionality	5.00.xx	5.01.xx	5.02.xx	5.03.xx	5.04.xx	5.05.xx 5.06.xx 5.07.xx 5.08.xx
Policy Support	X	X	X	X	X	X
802.1X Authentication	-	-	X	X	X	X
MAC Authentication	-	-	-	-	X	X
MAC+802.1X Authentication	-	-	-	-	X	X
Web-based Authentication	-	X	X	X	X	X
RADIUS Support	-	X	X	X	X	X
MAC Locking	Dynamic	-	-	-	-	X	X
Static	-	-	-	-	-	X
VLAN Support	<1-4094> 1024 max	<1-4094> 1024 max	<1-4094> 1024 max	<1-4094> 1024 max	<1-4094> 1024 max	<1-4094> 1024 max
Priority (Class of Service)	X	X	X	X	X	X
Classification Rules	VLAN	X See Table 3	X See Table 3	X See Table 3	X See Table 3	X See Table 3	X See Table 3
Priority	X See Table 3	X See Table 3	X See Table 3	X See Table 3	X See Table 3	X See Table 3
Policy-based VLAN Egress	-	-	-	-	-	-
Rate Limiting	X Priority-Based (4 rate limits) In/Outbound	X Priority-Based (4 rate limits) In/Outbound	X Priority-Based (4 rate limits) In/Outbound	X Priority-Based (4 rate limits) In/Outbound	X Priority-Based (6 rate limits) In/Outbound	X Priority-Based (6 rate limits) In/Outbound Min = 96 Kb/s Max = 7 Gb/s
Dynamic Egress	X	X	X	X	X	X
Drop VLAN Tagged Frame	-	X	X	X	X	X
GVRP	X	X	X	X	X	X
ToS/DSCP Rewrite	X	X	X	X	X	X

Matrix N-Series Platinum Firmware Version

Functionality 1.07.xx 1.50.xx 2.00.xx 3.00.xx 4.00.xx 5.01.xx
5.11.xx
Policy Support X X X X X X

Multi-Authentication Types - - - - X X

Multi-Users per Port - - - - X¹ X

802.1X Authentication - X X X X X

MAC Authentication - - - - X X

Web-based Authentication - - - - X X

Enhanced Login Mode - - - - X X

Redirect Time - - - - X X

Guest Networking - - - - X X

RADIUS Support X X X X X X

RADIUS Accounting - - - - - X

MAC Locking Dynamic - - - X X X

Static - - - X X X

VLAN Support <1-4094>
1024 max <1-4094>
1024 max <1-4094>
1024 max <1-4094>
1024 max <1-4094>
1024 max <1-4094>
1024 max

Priority
(Class of Service) X X X X X X

Classification
Rules VLAN X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3

Priority X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3 X
See Table 3

Policy-based VLAN Egress X X X X X X

VLAN to Role Mapping - - - - X X

IP to Role Mapping - - - - - X

MAC to Role Mapping - - - - - X

Rule Accounting - - - - X X

Rate Limiting² X
Priority-Based
(16 rate limits)
In/Outbound X
Priority-Based
(16 rate limits)
In/Outbound X
Priority-Based
(16 rate limits)
In/Outbound X
Priority-Based
(16 rate limits)
In/Outbound X
Priority-Based
(16 rate limits)
In/Outbound
Min = 512 Kb/s
Max = None X
Priority-Based
or Role-Based

Dynamic Egress X X X X X X

Drop VLAN Tagged Frame X X X X X X

GVRP X X X X X X

ToS/DSCP Rewrite - - - - - X

Matrix N-Series Platinum	Firmware Version
Functionality	1.07.xx	1.50.xx	2.00.xx	3.00.xx	4.00.xx	5.01.xx 5.11.xx
Policy Support	X	X	X	X	X	X
Multi-Authentication Types	-	-	-	-	X	X
Multi-Users per Port	-	-	-	-	X¹	X
802.1X Authentication	-	X	X	X	X	X
MAC Authentication	-	-	-	-	X	X
Web-based Authentication	-	-	-	-	X	X
Enhanced Login Mode	-	-	-	-	X	X
Redirect Time	-	-	-	-	X	X
Guest Networking	-	-	-	-	X	X
RADIUS Support	X	X	X	X	X	X
RADIUS Accounting	-	-	-	-	-	X
MAC Locking	Dynamic	-	-	-	X	X	X
Static	-	-	-	X	X	X
VLAN Support	<1-4094> 1024 max	<1-4094> 1024 max	<1-4094> 1024 max	<1-4094> 1024 max	<1-4094> 1024 max	<1-4094> 1024 max
Priority (Class of Service)	X	X	X	X	X	X
Classification Rules	VLAN	X See Table 3	X See Table 3	X See Table 3	X See Table 3	X See Table 3	X See Table 3
Priority	X See Table 3	X See Table 3	X See Table 3	X See Table 3	X See Table 3	X See Table 3
Policy-based VLAN Egress	X	X	X	X	X	X
VLAN to Role Mapping	-	-	-	-	X	X
IP to Role Mapping	-	-	-	-	-	X
MAC to Role Mapping	-	-	-	-	-	X
Rule Accounting	-	-	-	-	X	X
Rate Limiting²	X Priority-Based (16 rate limits) In/Outbound	X Priority-Based (16 rate limits) In/Outbound	X Priority-Based (16 rate limits) In/Outbound	X Priority-Based (16 rate limits) In/Outbound	X Priority-Based (16 rate limits) In/Outbound Min = 512 Kb/s Max = None	X Priority-Based or Role-Based
Dynamic Egress	X	X	X	X	X	X
Drop VLAN Tagged Frame	X	X	X	X	X	X
GVRP	X	X	X	X	X	X
ToS/DSCP Rewrite	-	-	-	-	-	X

¹Only one user per port can authenticate via 802.1X authentication. For Web-based and MAC authentication, Gigabit Ethernet supports 128 users per port and Fast Ethernet supports 8 users per port.
²There are important differences in priority-based rate limit behavior on N-Series Platinum devices. For more information, see Priority-Based Rate Limiting on N-Series Platinum Devices.

Matrix N-Series Gold Firmware Version

Functionality 3.10.xx 4.00.xx 5.01.xx
5.11.xx
Policy Support X X X

Multi-Authentication Types - X X

Multi-Users per Port - X¹ X

802.1X Authentication X X X

MAC Authentication - X X

Web-based Authentication - X X

Enhanced Login Mode - X X

Redirect Time - X X

Guest Networking - X X

RADIUS Support X X X

RADIUS Accounting - - X

MAC Locking Dynamic X X X

Static X X X

VLAN Support <1-4094>
1024 max <1-4094>
1024 max <1-4094>
1024 max

Priority
(Class of Service) X X X

Classification
Rules VLAN X
See Table 3 X
See Table 3 X
See Table 3

Priority X
See Table 3 X
See Table 3 X
See Table 3

Policy-based VLAN Egress X X X

Rate Limiting X
Priority-Based
(8 rate limits)
Inbound Only X
Priority-Based
(8 rate limits)
Inbound Only
Min = 1 Mb/s
Max = None X
Priority-Based
or Role-Based
(8 rate limits)
Inbound Only
Min = 1 Mb/s
Max = None

Dynamic Egress X X X

Drop VLAN Tagged Frame X X X

GVRP X X X

ToS/DSCP Rewrite - - X

Matrix N-Series Gold	Firmware Version
Functionality	3.10.xx	4.00.xx	5.01.xx 5.11.xx
Policy Support	X	X	X
Multi-Authentication Types	-	X	X
Multi-Users per Port	-	X¹	X
802.1X Authentication	X	X	X
MAC Authentication	-	X	X
Web-based Authentication	-	X	X
Enhanced Login Mode	-	X	X
Redirect Time	-	X	X
Guest Networking	-	X	X
RADIUS Support	X	X	X
RADIUS Accounting	-	-	X
MAC Locking	Dynamic	X	X	X
Static	X	X	X
VLAN Support	<1-4094> 1024 max	<1-4094> 1024 max	<1-4094> 1024 max
Priority (Class of Service)	X	X	X
Classification Rules	VLAN	X See Table 3	X See Table 3	X See Table 3
Priority	X See Table 3	X See Table 3	X See Table 3
Policy-based VLAN Egress	X	X	X
Rate Limiting	X Priority-Based (8 rate limits) Inbound Only	X Priority-Based (8 rate limits) Inbound Only Min = 1 Mb/s Max = None	X Priority-Based or Role-Based (8 rate limits) Inbound Only Min = 1 Mb/s Max = None
Dynamic Egress	X	X	X
Drop VLAN Tagged Frame	X	X	X
GVRP	X	X	X
ToS/DSCP Rewrite	-	-	X

¹Only one user per port can authenticate via 802.1X authentication. Web-based and MAC authentication support 2 users per port.

Matrix V2 Firmware Version

Functionality 2.5.x

Policy Support -

802.1X Authentication X

MAC Auth -

MAC+802.1X Authentication -

Web-based Authentication -

RADIUS Support X

MAC Locking Dynamic -

Static -

VLAN Support -

Priority
(Class of Service) -

Classification
Rules VLAN -

Priority -

Policy-based VLAN Egress -

Dynamic Egress -

Rate Limiting -

Drop VLAN Tagged Frame -

GVRP -

ToS/DSCP Rewrite -

RFC3580 VLAN Authorization X

RFC3580 VLAN Egress X

Matrix V2	Firmware Version
Functionality	2.5.x
Policy Support	-
802.1X Authentication	X
MAC Auth	-
MAC+802.1X Authentication	-
Web-based Authentication	-
RADIUS Support	X
MAC Locking	Dynamic	-
Static	-
VLAN Support	-
Priority (Class of Service)	-
Classification Rules	VLAN	-
Priority	-
Policy-based VLAN Egress	-
Dynamic Egress	-
Rate Limiting	-
Drop VLAN Tagged Frame	-
GVRP	-
ToS/DSCP Rewrite	-
RFC3580 VLAN Authorization	X
RFC3580 VLAN Egress	X

RoamAbout R2 Firmware Version

Functionality 2.00.xx 3.00.xx 4.00.xx
4.01.xx 5.04.xx

Policy Support - X X X

802.1X Authentication X X X X

MAC Authentication - - - X

MAC+802.1X Authentication - - - X

Web-based Authentication - - - -

RADIUS Support - - X X

MAC Locking Dynamic - - - -

Static - - - -

VLAN Support - Permit/Deny Traffic Only Permit/Deny Traffic Only Permit/Deny Traffic Only

Priority
(Class of Service) - - - -

Classification
Rules VLAN - X
See Table 3 X
See Table 3 X
See Table 3

Priority - - - -

Policy-based VLAN Egress - - - -

Rate Limiting - - - -

Dynamic Egress - - - -

Drop VLAN Tagged Frame - - - -

GVRP - - - -

ToS/DSCP Rewrite - - - -

RoamAbout R2	Firmware Version
Functionality	2.00.xx	3.00.xx	4.00.xx 4.01.xx	5.04.xx
Policy Support	-	X	X	X
802.1X Authentication	X	X	X	X
MAC Authentication	-	-	-	X
MAC+802.1X Authentication	-	-	-	X
Web-based Authentication	-	-	-	-
RADIUS Support	-	-	X	X
MAC Locking	Dynamic	-	-	-	-
Static	-	-	-	-
VLAN Support	-	Permit/Deny Traffic Only	Permit/Deny Traffic Only	Permit/Deny Traffic Only
Priority (Class of Service)	-	-	-	-
Classification Rules	VLAN	-	X See Table 3	X See Table 3	X See Table 3
Priority	-	-	-	-
Policy-based VLAN Egress	-	-	-	-
Rate Limiting	-	-	-	-
Dynamic Egress	-	-	-	-
Drop VLAN Tagged Frame	-	-	-	-
GVRP	-	-	-	-
ToS/DSCP Rewrite	-	-	-	-

RoamAbout AP3000 Firmware Version

Functionality V2.0.6 V3.1.0

Policy Support - -

802.1X Authentication X¹ X¹

MAC Auth - -

MAC+802.1X Authentication - -

Web-based Authentication - -

RADIUS Support X X

MAC Locking Dynamic - -

Static - -

VLAN Support - -

Priority
(Class of Service) - -

Classification
Rules VLAN - -

Priority - -

Policy-based VLAN Egress - -

Dynamic Egress - -

Rate Limiting - -

Drop VLAN Tagged Frame - -

GVRP - -

ToS/DSCP Rewrite - -

RoamAbout AP3000	Firmware Version
Functionality	V2.0.6	V3.1.0
Policy Support	-	-
802.1X Authentication	X¹	X¹
MAC Auth	-	-
MAC+802.1X Authentication	-	-
Web-based Authentication	-	-
RADIUS Support	X	X
MAC Locking	Dynamic	-	-
Static	-	-
VLAN Support	-	-
Priority (Class of Service)	-	-
Classification Rules	VLAN	-	-
Priority	-	-
Policy-based VLAN Egress	-	-
Dynamic Egress	-	-
Rate Limiting	-	-
Drop VLAN Tagged Frame	-	-
GVRP	-	-
ToS/DSCP Rewrite	-	-

¹Authentication settings must be configured via the AP3000's Web Interface.

Table 3: VLAN/Priority Classification Rule Support Table

C1 C2

VLAN Priority VLAN Priority

Layer 2 Ethertype VLAN max 8
rules per role
Deny and Priority
combined max 1000
YES¹ YES

DSAP/SSAP NO NO

MAC Address Source NO NO Permit/Deny
Only YES

MAC Address Destination NO NO Permit/Deny
Only YES

MAC Address Bilateral NO NO Permit/Deny
Only YES

VLAN NO NO Permit/Deny
Only YES

Priority NO NO NO NO

Layer 3 IP Type of Service Deny and Priority
combined max 1000 Permit/Deny
Only YES

IP Protocol Type Deny and Priority
combined max 8
rules per role Permit/Deny
Only YES

IP Address Source NO NO Permit/Deny
Only YES

IP Address Destination NO NO Permit/Deny
Only YES

IP Address Bilateral NO NO Permit/Deny
Only YES

IP Socket Source NO NO Permit/Deny
Only YES

IP Socket Destination NO NO Permit/Deny
Only YES

IP Socket Bilateral NO NO Permit/Deny
Only YES

IP Fragment NO NO NO NO

IPX Class of Service NO NO NO NO

IPX Packet Type NO NO NO NO

IPX Network Source NO NO NO NO

IPX Network Destination NO NO NO NO

IPX Network Bilateral NO NO NO NO

IPX Socket Source NO NO NO NO

IPX Socket Destination NO NO NO NO

IPX Socket Bilateral NO NO NO NO

ICMP NO NO Permit/Deny
Only YES

Layer 4 IP UDP Port Source Deny and Priority
combined max 8
rules per role Permit/Deny
Only YES

IP UDP Port Destination Deny and Priority
combined max 8
rules per role Permit/Deny
Only YES

IP UDP Port Bilateral NO NO Permit/Deny
Only YES

IP TCP Port Source Deny and Priority
combined max 8
rules per role Permit/Deny
Only YES

IP TCP Port Destination Deny and Priority
combined max 8
rules per role Permit/Deny
Only YES

IP TCP Port Bilateral NO NO Permit/Deny
Only YES

IP UDP Port Src Range NO NO Permit/Deny
Only YES

IP UDP Port Des Range NO NO Permit/Deny
Only YES

IP UDP Port Bi Range NO NO Permit/Deny
Only YES

IP TCP Port Src Range NO NO Permit/Deny
Only YES

IP TCP Port Des Range NO NO Permit/Deny
Only YES

IP TCP Port Bi Range NO NO Permit/Deny
Only YES

	C1	C2
VLAN	Priority	VLAN	Priority
Layer 2	Ethertype	VLAN max 8 rules per role Deny and Priority combined max 1000	YES¹	YES
DSAP/SSAP	NO	NO
MAC Address Source	NO	NO	Permit/Deny Only	YES
MAC Address Destination	NO	NO	Permit/Deny Only	YES
MAC Address Bilateral	NO	NO	Permit/Deny Only	YES
VLAN	NO	NO	Permit/Deny Only	YES
Priority	NO	NO	NO	NO
Layer 3	IP Type of Service	Deny and Priority combined max 1000	Permit/Deny Only	YES
IP Protocol Type	Deny and Priority combined max 8 rules per role	Permit/Deny Only	YES
IP Address Source	NO	NO	Permit/Deny Only	YES
IP Address Destination	NO	NO	Permit/Deny Only	YES
IP Address Bilateral	NO	NO	Permit/Deny Only	YES
IP Socket Source	NO	NO	Permit/Deny Only	YES
IP Socket Destination	NO	NO	Permit/Deny Only	YES
IP Socket Bilateral	NO	NO	Permit/Deny Only	YES
IP Fragment	NO	NO	NO	NO
IPX Class of Service	NO	NO	NO	NO
IPX Packet Type	NO	NO	NO	NO
IPX Network Source	NO	NO	NO	NO
IPX Network Destination	NO	NO	NO	NO
IPX Network Bilateral	NO	NO	NO	NO
IPX Socket Source	NO	NO	NO	NO
IPX Socket Destination	NO	NO	NO	NO
IPX Socket Bilateral	NO	NO	NO	NO
ICMP	NO	NO	Permit/Deny Only	YES
Layer 4	IP UDP Port Source	Deny and Priority combined max 8 rules per role	Permit/Deny Only	YES
IP UDP Port Destination	Deny and Priority combined max 8 rules per role	Permit/Deny Only	YES
IP UDP Port Bilateral	NO	NO	Permit/Deny Only	YES
IP TCP Port Source	Deny and Priority combined max 8 rules per role	Permit/Deny Only	YES
IP TCP Port Destination	Deny and Priority combined max 8 rules per role	Permit/Deny Only	YES
IP TCP Port Bilateral	NO	NO	Permit/Deny Only	YES
IP UDP Port Src Range	NO	NO	Permit/Deny Only	YES
IP UDP Port Des Range	NO	NO	Permit/Deny Only	YES
IP UDP Port Bi Range	NO	NO	Permit/Deny Only	YES
IP TCP Port Src Range	NO	NO	Permit/Deny Only	YES
IP TCP Port Des Range	NO	NO	Permit/Deny Only	YES
IP TCP Port Bi Range	NO	NO	Permit/Deny Only	YES

¹VLAN support varies depending on versions. See your firmware release notes for more information.

E1 (WS & GWS) E6/E7

VLAN Priority VLAN Priority

Layer 2 Ethertype YES YES YES YES

DSAP/SSAP YES YES YES YES

MAC Address Source 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

MAC Address Destination 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

MAC Address Bilateral 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

VLAN NO NO NO NO

Priority NO NO NO NO

Layer 3 IP Type of Service 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP Protocol Type 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP Address Source 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP Address Destination 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP Address Bilateral 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP Socket Source NO NO NO NO

IP Socket Destination NO NO NO NO

IP Socket Bilateral NO NO NO NO

IP Fragment NO NO YES YES

IPX Class of Service 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IPX Packet Type 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IPX Network Source 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IPX Network Destination 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IPX Network Bilateral 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IPX Socket Source 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IPX Socket Destination 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IPX Socket Bilateral 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

ICMP NO NO NO NO

Layer 4 IP UDP Port Source 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP UDP Port Destination 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP UDP Port Bilateral 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP TCP Port Source 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP TCP Port Destination 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP TCP Port Bilateral 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP UDP Port Src Range 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP UDP Port Des Range 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP UDP Port Bi Range 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP TCP Port Src Range 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP TCP Port Des Range 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

IP TCP Port Bi Range 3.2 and newer
Permit/Deny Only
Prior firmware
Discard Only YES YES YES

	E1 (WS & GWS)	E6/E7
VLAN	Priority	VLAN	Priority
Layer 2	Ethertype	YES	YES	YES	YES
DSAP/SSAP	YES	YES	YES	YES
MAC Address Source	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
MAC Address Destination	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
MAC Address Bilateral	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
VLAN	NO	NO	NO	NO
Priority	NO	NO	NO	NO
Layer 3	IP Type of Service	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP Protocol Type	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP Address Source	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP Address Destination	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP Address Bilateral	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP Socket Source	NO	NO	NO	NO
IP Socket Destination	NO	NO	NO	NO
IP Socket Bilateral	NO	NO	NO	NO
IP Fragment	NO	NO	YES	YES
IPX Class of Service	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IPX Packet Type	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IPX Network Source	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IPX Network Destination	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IPX Network Bilateral	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IPX Socket Source	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IPX Socket Destination	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IPX Socket Bilateral	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
ICMP	NO	NO	NO	NO
Layer 4	IP UDP Port Source	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP UDP Port Destination	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP UDP Port Bilateral	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP TCP Port Source	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP TCP Port Destination	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP TCP Port Bilateral	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP UDP Port Src Range	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP UDP Port Des Range	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP UDP Port Bi Range	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP TCP Port Src Range	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP TCP Port Des Range	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES
IP TCP Port Bi Range	3.2 and newer Permit/Deny Only Prior firmware Discard Only	YES	YES	YES

N-Series Platinum N-Series Gold R2

VLAN Priority VLAN Priority VLAN Priority

Layer 2 Ethertype YES YES YES YES NO NO

DSAP/SSAP YES YES YES YES NO NO

MAC Address Source YES YES YES YES NO NO

MAC Address Destination YES YES YES YES NO NO

MAC Address Bilateral YES YES YES YES NO NO

VLAN YES YES NO NO NO NO

Priority YES YES NO NO NO NO

Layer 3 IP Type of Service YES YES YES YES NO NO

IP Protocol Type YES YES YES YES Permit/Deny Only NO

IP Address Source YES YES YES YES NO NO

IP Address Destination YES YES YES YES Permit/Deny Only NO

IP Address Bilateral YES YES YES YES NO NO

IP Socket Source YES YES NO NO NO NO

IP Socket Destination YES YES NO NO NO NO

IP Socket Bilateral YES YES NO NO NO NO

IP Fragment YES YES YES YES NO NO

IPX Class of Service YES YES NO NO NO NO

IPX Packet Type YES YES NO NO NO NO

IPX Network Source YES YES NO NO NO NO

IPX Network Destination YES YES NO NO NO NO

IPX Network Bilateral YES YES NO NO NO NO

IPX Socket Source YES YES NO NO NO NO

IPX Socket Destination YES YES NO NO NO NO

IPX Socket Bilateral YES YES NO NO NO NO

ICMP YES YES NO NO NO NO

Layer 4 IP UDP Port Source YES YES YES YES Permit/Deny Only NO

IP UDP Port Destination YES YES YES YES Permit/Deny Only NO

IP UDP Port Bilateral YES YES YES YES Permit/Deny Only NO

IP TCP Port Source YES YES YES YES Permit/Deny Only NO

IP TCP Port Destination YES YES YES YES Permit/Deny Only NO

IP TCP Port Bilateral YES YES YES YES Permit/Deny Only NO

IP UDP Port Src Range YES YES YES YES 4.00.xx and newer
Permit/Deny Only NO

IP UDP Port Des Range YES YES YES YES 4.00.xx and newer
Permit/Deny Only NO

IP UDP Port Bi Range YES YES YES YES 4.00.xx and newer
Permit/Deny Only NO

IP TCP Port Src Range YES YES YES YES 4.00.xx and newer
Permit/Deny Only NO

IP TCP Port Des Range YES YES YES YES 4.00.xx and newer
Permit/Deny Only NO

IP TCP Port Bi Range YES YES YES YES 4.00.xx and newer
Permit/Deny Only NO

The following devices do not support VLAN/Priority traffic classification rules:

	N-Series Platinum	N-Series Gold	R2
VLAN	Priority	VLAN	Priority	VLAN	Priority
Layer 2	Ethertype	YES	YES	YES	YES	NO	NO
DSAP/SSAP	YES	YES	YES	YES	NO	NO
MAC Address Source	YES	YES	YES	YES	NO	NO
MAC Address Destination	YES	YES	YES	YES	NO	NO
MAC Address Bilateral	YES	YES	YES	YES	NO	NO
VLAN	YES	YES	NO	NO	NO	NO
Priority	YES	YES	NO	NO	NO	NO
Layer 3	IP Type of Service	YES	YES	YES	YES	NO	NO
IP Protocol Type	YES	YES	YES	YES	Permit/Deny Only	NO
IP Address Source	YES	YES	YES	YES	NO	NO
IP Address Destination	YES	YES	YES	YES	Permit/Deny Only	NO
IP Address Bilateral	YES	YES	YES	YES	NO	NO
IP Socket Source	YES	YES	NO	NO	NO	NO
IP Socket Destination	YES	YES	NO	NO	NO	NO
IP Socket Bilateral	YES	YES	NO	NO	NO	NO
IP Fragment	YES	YES	YES	YES	NO	NO
IPX Class of Service	YES	YES	NO	NO	NO	NO
IPX Packet Type	YES	YES	NO	NO	NO	NO
IPX Network Source	YES	YES	NO	NO	NO	NO
IPX Network Destination	YES	YES	NO	NO	NO	NO
IPX Network Bilateral	YES	YES	NO	NO	NO	NO
IPX Socket Source	YES	YES	NO	NO	NO	NO
IPX Socket Destination	YES	YES	NO	NO	NO	NO
IPX Socket Bilateral	YES	YES	NO	NO	NO	NO
ICMP	YES	YES	NO	NO	NO	NO
Layer 4	IP UDP Port Source	YES	YES	YES	YES	Permit/Deny Only	NO
IP UDP Port Destination	YES	YES	YES	YES	Permit/Deny Only	NO
IP UDP Port Bilateral	YES	YES	YES	YES	Permit/Deny Only	NO
IP TCP Port Source	YES	YES	YES	YES	Permit/Deny Only	NO
IP TCP Port Destination	YES	YES	YES	YES	Permit/Deny Only	NO
IP TCP Port Bilateral	YES	YES	YES	YES	Permit/Deny Only	NO
IP UDP Port Src Range	YES	YES	YES	YES	4.00.xx and newer Permit/Deny Only	NO
IP UDP Port Des Range	YES	YES	YES	YES	4.00.xx and newer Permit/Deny Only	NO
IP UDP Port Bi Range	YES	YES	YES	YES	4.00.xx and newer Permit/Deny Only	NO
IP TCP Port Src Range	YES	YES	YES	YES	4.00.xx and newer Permit/Deny Only	NO
IP TCP Port Des Range	YES	YES	YES	YES	4.00.xx and newer Permit/Deny Only	NO
IP TCP Port Bi Range	YES	YES	YES	YES	4.00.xx and newer Permit/Deny Only	NO

Device VLAN/Priority Classification Rule Support

Matrix B2 Not Supported

Matrix E5 Not Supported

Matrix V2 Not Supported

AP3000 Not Supported

Device	VLAN/Priority Classification Rule Support
Matrix B2	Not Supported
Matrix E5	Not Supported
Matrix V2	Not Supported
AP3000	Not Supported

INSTALLATION:

Policy Manager can be installed on the following platforms:

Windows:
- Windows^® 2000
- Windows^® XP
- Windows^® 2003 Server
UNIX^®
- Solaris^® 2.8
- Solaris^® 2.9
Linux
- Red Hat Enterprise Linux WS, ES v3

The Policy Manager Installer (InstallAnywhere® by Zero G Software, Inc.) leads you through a series of windows that ask you for all the information required in order to install NetSight Policy Manager. When you finish with the series of windows, Policy Manager is installed according to your specification. For complete installation information and instructions, refer to the Installation help file, and the instructions available on the web site: www.enterasys.com/netsight/. Select the download evaluation software link.

Evaluation Copy

When you install Policy Manager, you can elect to install a 30-day evaluation copy. Once your evaluation copy has expired or been uninstalled, you cannot install another evaluation copy. To upgrade from an evaluation copy of Policy Manager to a purchased copy, contact your Enterasys Networks Representative to purchase the software and receive a License Key. You do not need to reinstall the software to perform the conversion.

	Warning:	If you have installed an evaluation copy of this software, be sure to remove all policies from your devices prior to letting your evaluation copy expire. Without Policy Manager, there is no way to remove policies from your devices short of clearing non-volatile RAM.

Small Business Edition

The Policy Manager Small Business Edition provides the same policy configuration capability as the full version of Policy Manager, but limits the ability to deploy the policy to a maximum of 10 devices. The information provided in these release notes pertains to both the Small Business Edition and the full version of Policy Manager. To upgrade from the Small Business Edition to a full version of Policy Manager, contact your Enterasys Networks Representative to purchase the software and receive a License Key. You do not need to reinstall the software to perform the upgrade. See Installation for more information.

Upgrading from a Previous Version

If you are upgrading from a previous version of Policy Manager (version 1.5 or newer) to version 1.8.1, follow these instructions:

Exit Policy Manager.
Install Policy Manager 1.8.1 according to the Installation instructions.
Launch Policy Manager 1.8.1.
If you are upgrading Policy Manager in conjunction with a firmware upgrade, download the firmware to your devices and reset them. Then, be sure to Refresh your devices in Policy Manager (select the Devices folder in the Network Elements tab and choose View > Refresh from the menu).
Use the Authentication Configuration Guide to configure your network for authentication.

Upgrade Considerations

Well-known identifiers (IDs). If you have edited the pre-defined list of well-known identifiers (IDs) (Version 1.5 or newer), you may see the following Event Log message when launching Policy Manager 1.8.1: "Policy Manager has found a newer version of the Well Known IDs file. The new file will not be overwritten by the old one. Please update the new file with IDs defined in the older file." To update your new file you can either:
-- recreate your older version well-known IDs in version 1.8.1 or
-- copy your old wellknowns file from C:\Documents and Settings\[username] to C:\Documents and Settings\[username]\Users\AllUsers. Be aware that this will overwrite any well-known IDs in the new file.

CONSIDERATIONS

Class of Service Mode Support

The following Role-Based Rate Limit functions are not supported in release 1.8.1 of Policy Manager:

"Counting" role-based rate limits
"Reprioritize to CoS" role-based rate limits
Outbound role-based rate limits
Flood rate limit
Low latency queuing
Rate shaping algorithm

These will be available in a future release.

Authenticating without Policy

This section discusses how authentication works in a network where end users must authenticate, but there are no roles (policy) for authenticated users defined on the network devices.

The following table shows Authentication Behavior for each device type when the authenticated role is not defined on the device:

Authentication
Type Matrix N-Series
Gold and Platinum Matrix E6/E7 Matrix E1 Matrix E5 Matrix C1 RoamAbout R2
RoamAbout AP3000 Matrix C2

802.1X Successful Successful Successful Successful Successful Successful Successful

MAC Successful Successful Successful MAC Auth
Not Supported MAC Auth
Not Supported Successful Successful

Web-Based Successful Successful on firmware
version 5.06.x.
Failed on older
firmware versions. Successful Web-Based Auth
Not Supported Web-Based Auth
Not Supported Web-Based Auth
Not Supported Successful

Authentication Type	Matrix N-Series Gold and Platinum	Matrix E6/E7	Matrix E1	Matrix E5	Matrix C1	RoamAbout R2 RoamAbout AP3000	Matrix C2
802.1X	Successful	Successful	Successful	Successful	Successful	Successful	Successful
MAC	Successful	Successful	Successful	MAC Auth Not Supported	MAC Auth Not Supported	Successful	Successful
Web-Based	Successful	Successful on firmware version 5.06.x. Failed on older firmware versions.	Successful	Web-Based Auth Not Supported	Web-Based Auth Not Supported	Web-Based Auth Not Supported	Successful

The following table shows Authenticated Traffic Behavior for each device type when the authenticated role is not defined on the device:

Authentication
Type Matrix N-Series
Gold and Platinum
4.11 and earlier Matrix N-Series
Gold and Platinum
5.01 and later Matrix E6/E7 Matrix E1 Matrix E5 Matrix C1 RoamAbout R2
RoamAbout AP3000 Matrix C2

802.1X 1 3 2 2 2 2 3 2

MAC 1 3 2 2 MAC Auth
Not Supported MAC Auth
Not Supported 3 2

Web-Based 1 3 2 2 Web-Based Auth
Not Supported Web-Based Auth
Not Supported Web-Based Auth
Not Supported 2

Authentication Type	Matrix N-Series Gold and Platinum 4.11 and earlier	Matrix N-Series Gold and Platinum 5.01 and later	Matrix E6/E7	Matrix E1	Matrix E5	Matrix C1	RoamAbout R2 RoamAbout AP3000	Matrix C2
802.1X	1	3	2	2	2	2	3	2
MAC	1	3	2	2	MAC Auth Not Supported	MAC Auth Not Supported	3	2
Web-Based	1	3	2	2	Web-Based Auth Not Supported	Web-Based Auth Not Supported	Web-Based Auth Not Supported	2

1 - Traffic is forwarded based on the 802.1Q PVID and 802.1p priority for the port, regardless of whether the port has been assigned a default role. Authenticated users will display a current role of "None" in the Port Usage tab.

2 - Traffic is forwarded based on the port's default role and authenticated users will display the default role as their current role in the Port Usage tab. If no default role has been assigned to the port, the port's 802.1Q PVID and 802.1p priority are used, and the current role will be "None."

3 - Traffic is forwarded based on the Invalid Role Action configuration at the device level in Policy Manager.

Terminating Role Override Sessions

On Port Usage tabs, you cannot terminate Role Override (IP) or Role Override (MAC) sessions that were created through the CLI (command line interface).

IP Socket Rules with Masks

IP Socket rules (IP address plus UDP port classification rules) let you specify an IP address mask for Matrix N-Series devices. However, when you enforce the rule to the device, the actual rule created on the device is an IP UDP Port rule. This means that if you create an IP Socket Source rule with a mask (other than the default mask of 255.255.255.255) Policy Manager will display the rule as an IP Socket Source rule, while the device CLI will display the rule as a udpPortSource rule with an IP appended to it.

NOTE: Although Matrix N-Series devices support appending an IP address to a TCP classification type as well as a UDP classification type, Policy Manager only creates UDP classifications with an appended IP through its IP Socket rule type.

	NOTE:	Although Matrix N-Series devices support appending an IP address to a TCP classification type as well as a UDP classification type, Policy Manager only creates UDP classifications with an appended IP through its IP Socket rule type.

Rule Precedence for the Matrix N-Series Platinum

The following rule precedence determines the role (policy) that is being applied on a user/port on a Matrix N-Series Platinum device. The precedence used depends on whether the device is configured for multi-user authentication or single user authentication.

Multi-User Authentication:
Devices configured with multi-user authentication use the following precedence when applying a role on a user/port (starting with the highest precedence):
     MAC override policy (created by ASM)
     Authenticated role
     MAC-to-Role mapping
     IP override policy (created by ASM)
     IP-to-Role mapping
     Default role

Single User Authentication:
Devices configured with single user authentication use the following precedence when applying a role on a user/port (starting with the highest precedence):
     MAC override policy (created by ASM)
     MAC-to-Role mapping
     IP override policy (created by ASM)
     IP-to-Role mapping
     Authenticated role
     Default role

MATRIX C1 POLICY SUPPORT:

Policy support on Matrix C1 devices utilizes both a port-level role and a device-level role. In Policy Manager, a role is a set of network access services made up of traffic classification rules. It may also contain default Access Control (VLAN) and/or Class of Service settings that will be applied to traffic not handled specifically by the rules contained in the role. Although both the device-level and port-level roles may contain all of these components, only certain portions of each role are used when applied to a port on a C1 device.

On the Matrix C1, classification rules are implemented at the device level through a device-level role. Policy Manager allows you to set a unique device-level role for each C1 device. The device-level role is a regular role that defines how inbound traffic is handled in terms of classification rules and default Class of Service assignment. In other words, all classification rules are taken from the device-level role, and any rules defined in the port-level role are ignored when applied to a port. The Class of Service setting is also implemented through the device-level role and ignored in the port-level role. However, the default Access Control setting of the device-level role is ignored, and is defined through the port-level role.

Classification rules from the device-level role are only applied to ports which also have a port-level role applied (either statically or dynamically). This allows you to exclude the device-level role from uplink ports and hosts ports, by not applying a port-level role to these ports and not enabling authentication on them.

When a port-level role is applied to a port, it overrides any PVID and Class of Service settings defined on the port through Console or local management. When a device-level role is applied to a port, it also overrides these PVID and Class of Service settings, and overrides any Class of Service setting defined in the port-level role. It does not override any default Access Control setting defined in the port-level role.

In addition, if the port-level role's default Access Control is configured to deny traffic (discard VLAN) then all inbound traffic will be discarded even if it matches a (forward) classification rule.

C1 Considerations

Review the following considerations prior to configuring policy on Matrix C1 devices:

C1 devices limit the number of rules you can create for some classification types. Refer to the C1 information in Table 3 to see which classification types limit the number of rules.

MATRIX C2 CONSIDERATIONS:

Review the following considerations prior to configuring policy on Matrix C2 devices.

Matrix C2 devices let you enable all three authentication types (802.1X, Web-Based, and MAC) at the device level, but only one authentication type at the port level. The order in which authentication types are enabled at the device level may affect authentication settings that are already configured on the port. Because of this, it is important to configure authentication types at the device level first, and then configure your port-level authentication settings second. When you configure device-level authentication types (via the device Authentication Tab,) you must use the Multi-User section even though the device only supports single user authentication per port.
Matrix C2 devices do not support TCI Overwrite.
On Matrix C2 gigabit and 10/100 ports, the number of rules per port is restricted. Refer to your C2 firmware release notes for the maximum number of rules that can be utilized on a port.
Matrix C2 10/100 ports support two priority-based rate limits (inbound only). When creating a rate limit to be used on Matrix C2 10/100 ports, create the limit with either Low priority to associate the rate limit with priorities 0-3 or High priority to associate the rate limit with priorities 4-7. You can specify both Low and High priorities if you want to associate the rate limit with priorities 0-7.
Matrix C2 devices do not support setting a default role on a logical port.
On Matrix C2 Stackable devices, it is strongly recommended that you do not enforce rules that assign a Class of Service (CoS) that includes Priority 7. Doing so will interfere with stack communication.

NETSIGHT COMPATIBILITY:

Policy Manager�s interoperability and concurrent application capabilities are listed below:

NMS Platform	Version No.	Support
NetSight Atlas Console	1.0	Yes
NetSight Atlas Console	1.1	Yes
NetSight Atlas Console	1.2	Yes
NetSight Atlas Console	1.3	Yes
NetSight Atlas Console	1.4	Yes
NetSight Atlas Console	1.5	Yes

KNOWN RESTRICTIONS AND LIMITATIONS:

The known restrictions and limitations for this release of NetSight Policy Manager are listed below. Solutions for these restrictions and limitations are noted, if available.

Install/Uninstall

Problem 1:	(Windows only.) An evaluation of your system is not automatically performed during the installation. If system requirements are not met, the install will take place, but results will be unpredictable.
Solution:	Verify that all Windows system requirements are met prior to installing Policy Manager.
Problem 2:	(Solaris only.) The Installer may not come up, due to path problems.
Solution:	Ensure that `/usr/ucb` does not precede `/bin` in your path. To do this, in a UNIX window, type `which chown`. If the result is `/usr/ucb/chown`, replace `/usr/ucb` with `/bin` in your path. If the result is `/bin/chown`, the path is not the problem.
Problem 3:	Policy Manager does not start after you have run the Installer or Uninstaller.
Solution:	Be sure that Policy Manager is not running when you do an installation or an uninstallation.

General

Problem 1:	In the Print window, the Print Range area has a Pages option with the default values of "from 1 to 9999".
Solution:	Enter the desired values.
Problem 2:	When no printer is configured, clicking the Print button on the toolbar or selecting File > Print results in a Printing Error message; closing the error message results in repeated error messages.
Solution:	Close the error message box three times.
Problem 3:	Periodically, when you try to access local management or when a user tries to log in via a browser, access is denied although the RADIUS Server log shows that access has been granted.
Solution:	Log in again and access will be successful.
Problem 4:	Selecting a SmartTrunk port in the Network Elements tab produces error messages in the Event Log.
Solution:	Policies cannot be configured on logical ports such as SmartTrunk ports. You can prevent logical ports from being displayed in the Network Elements tab by opening the Options window (Tools > Options), selecting the Port view, and checking the Hide Logical Ports checkbox.
Problem 5:	Selecting a SmartTrunk port in Policy Manager produces the following error messages in the Policy Manager Event Logs similar to these: Jul 23, 2001 17:53:47 EDT : ERR� - Failed getting port authentication data. Jul 23, 2001 17:53:55 EDT : ERR� - Contacting device [172.20.3.58]. ERROR : Pdu NoSuchName In MIB Tools, the SmartTrunk port is not shown in the etsysPwaAuthPwaState attribute. This only occurs if the SmartTrunk port has been activated/configured.
Solution:	Web-based authentication operates only on physical (bridge) ports; it is not supported on trunking ports. This is consistent with how 802.1X handles port aggregation; it requires authentication of the individual ports rather than the aggregated port.
Problem 6:	After you create multiple rate limits, enforcing may cause SNMP timeouts.
Solution:	Create and enforce one rate limit at a time.
Problem 7:	(Policy VLAN Islands) If the complete Local VLAN name (for example, [VLAN_Island + Local_VLAN_Name]) has more than 32 characters, the VLAN ID, but not the VLAN name, will be written to the device upon enforcing, and a Pdu Bad Value error will be displayed in the Event Log. In addition, because the VLAN name was not written to the device, Verify will fail, even though all the roles are written to the device correctly.
Solution:	When choosing Local VLAN names and VLAN island names for use with the naming convention "VLAN_Island-Name", keep in mind that the combined number of characters should equal no more than 32. This limitation applies to the other Local VLAN naming conventions as well, although exceeding the limit is less likely to occur with those options.
Problem 8:	(Policy VLAN Islands Wizard) If you increase a previously set Offset value, and the maximum number of Local VLANs exists for the previous Offset, you can't increase the number of Local VLANs through the Wizard.
Solution:	Finish the Wizard with the current number of Local VLANs, and create the additional Local VLANs using the Create VLAN menu option (Left panel VLANs tab > Local VLANs folder > right mouse).
Problem 9:	The following issues have been identified with regard to the RoamAbout R2: Authenticated R2 users cannot be terminated through Policy Manager. The status of an 802.1X client on the R2 is not updated if reauthentication is disabled, and the supplicant either: moves out of range of the wireless network while authenticated, or terminates the wireless session without logging off or shutting down the client gracefully. The R2 will only remove these entries after a timeout period has expired having not heard from the supplicant. Both the primary and secondary RADIUS servers must have the same password.
Solution:	These issues will be addressed in a future release.
Problem 10:	(Windows XP only.) A Web-based Authentication user fails to connect to the switch for the Web Authentication web page, and an error message states that the Microsoft Java VM (Virtual Machine) must be downloaded before the page will be displayed. This occurs because, while most XP systems are set up with the Java VM, this particular machine was not.
Solution:	Download the Microsoft Java VM from `www.microsoft.com` and install it.
Problem 11:	Matrix E7 Rate Limiting: The Matrix E7 with 5.00.xx-5.04.09 firmware uses the incorrect transmit rate for Rate Limiting. The rate is in kilobits instead of kilobytes. For example, if you set a rate limit of 5 MB (megabytes) using Policy Manager, it only transmits 5 megabits, or approximately 625 kilobytes.
Solution:	Upgrade your firmware version.
Problem 12:	On the RoamAbout R2, ICMP (Ping) and Telnet deny rules still allow ICMP and Telnet to the R2's IP address itself.
Solution:	This is a known issue that has been identified with regard to the RoamAbout R2.
Problem 13:	On the RoamAbout R2, configuring port-based 802.1X through Policy Manager does not configure tumbling keys. 802.1X under XPSPI will not allow 802.1X without tumbling keys enabled. Therefore, the default port state will not allow the client to "associate" with the R2.
Solution:	Use NetSight Atlas Console, AP Manager, CLI, or Telnet to set up tumbling keys when configuring 802.1X on the RoamAbout R2.
Problem 14:	If the RoamAbout R2 acquires an IP address via BOOTP, and the user then adds an IP address statically and saves the configuration, RADIUS client requests will continue to use the original IP address.
Solution:	Reboot the device and the new IP address will be used by the RADIUS client portion of the firmware.
Problem 15:	E1 devices do not support rate limits in excess of 125 MB/S, and any rate limits over 125 MB/S should fail on E1 devices when enforced. However, if you create a rate limit of 537 MB/S or more, when you enforce the rate limit, it succeeds on E1 devices. In addition, the rate limit actually set on the device is incorrect and does not match the rate limit that was enforced, causing a verify to fail.
Solution:	To avoid a false success on enforce of rate limits exceeding 536MB/S, add your E1 devices to the Exclusion list in the rate limit's General tab, and re-enforce the rate limit. To avoid enforce failing on E1 devices for rate limits exceeding 125 MB/S, add your E1 devices to the exclusion list prior to enforce. This will be fixed in a future E1 firmware release.
Problem 16:	Even though Layer 3 Priority rules are not supported on Matrix N-Series Gold devices, if you have created a TCI rule through local management on a Gold device, you will be able to import that rule using the Import From Device wizard. However, when you perform an Enforce, the rule will be Excluded, and will be deleted from the device.
Solution:	This issue will be addressed in a future release.
Problem 17:	(Matrix E1 and E6/E7 devices configured for web-based authentication only.) Ports configured for Active/Discard mode display the temporary IP address assigned to the user prior to authentication (instead of the permanent IP address assigned after authentication) in the IP Address column of the right-panel Port Usage tabs.
Problem 18:	Renaming a role causes the role to not be assigned properly during authentication.
Solution:	When you rename a role in Policy Manager, the role name in the filter-id also needs to be updated in the RADIUS configuration.
Problem 19:	On Matrix C1 devices, when enforcing IP Protocol Type or IP TCP/UDP Port Source and Port Destination rules, the following two problems may be encountered: The enforce succeeds, but no rules are created on the device, even though the maximum number of rules allowed has not yet been reached. The enforce fails when writing or deleting these rules.
Solution:	For the first problem, be sure to perform a verify on C1 devices after an enforce, and then check the event log to ensure that the correct rules were written to the device. For the second problem, perform the enforce twice. This will be fixed in a future C1 firmware release.
Problem 20:	(Linux and UNIX only.) You cannot specify a range of pages when printing on UNIX or Linux systems. If you right-click and select Print or use File > Print, the resulting print settings window does not open to a sufficient size (and cannot be resized) to allow access to the page range fields.
Solution:	For these systems, the only option is to print the entire table.
Problem 21:	(Matrix N-Series devices only.) After downgrading from firmware version 4.00.xx to an earlier firmware version, a device Refresh does not update the device correctly. This causes the following problems: All the fields in the device Authentication tab are grayed out. The two checkboxes in the Port Mode section of the port Authentication Configuration tab become active. These two checkboxes should not be active because the older firmware version does not support multiple authentication types.
Solution:	Delete and re-create the device. This problem will be fixed in a future release.
Problem 22:	(Matrix N-Series devices running 4.00.xx firmware only. These devices support multiple authentication types.) If you use other tools to enable multiple authentication with 802.1X authentication only, the device will be configured in Policy Manager as "strict 802.1X," (802.1X without multiple authentication enabled.) This results in two problems: The Port Mode may be displayed incorrectly in the slot Details View tab and the device Ports tab. The Unauthenticated Behavior buttons in the Port Mode section of the port Authentication Configuration tab are grayed out.
Solution:	Use Policy Manager to configure the authentication types for your devices.
Problem 23:	If you delete a device that is "Not Reachable," then use the Device Configuration Wizard to configure any of your devices, the deleted device will reappear in the Network Elements tree and error messages will be displayed in the Event Log.
Solution:	Delete the device again. This problem will be fixed in a future release.
Problem 24:	(Matrix N-Series devices running 4.00.xx firmware only. These devices support multiple authentication types.) If the Authentication Behavior is set to Inactive (in the Port Mode section of the port Authentication Configuration tab), MAC authentication cannot be enabled on the port, even though Policy Manager appears to let you enable MAC authentication. This is because setting the Authentication Behavior to Inactive turns off all authentication, including MAC authentication.
Solution:	The Port Mode Authentication Behavior must be set to Active when you enable MAC authentication.
Problem 25:	(Matrix V2 devices only.) When setting the Number of Retry Attempts and the Retry Timeout Duration in the device RADIUS tab, the values are not applied to the RADIUS server(s).
Solution:	Use the CLI to set these values for each RADIUS server.
Problem 26:	(RoamAbout AP3000 devices only.) When setting the Number of Retry Attempts and the Retry Timeout Duration in the device RADIUS tab, the values are only applied to the primary RADIUS server.
Solution:	Use the CLI to set these values for each RADIUS server.
Problem 27:	(RoamAbout R2 devices only.) If the R2's community names are set to the factory default settings, the device cannot be created in Policy Manager using SNMPv1. In addition, if an existing R2 is reset to factory defaults, it will be removed from Policy Manager (if it is set to the factory default SNMPv1 community names) when it is recontacted.
Solution:	If you are creating the device with SNMPv1 (SNMPv3 is recommended), the default community names on the device must be updated. There are four SNMPv1 community names on the R2: Community #1 -- allows limited read-only access (MIB II system group) Community #2 -- allows creation of new views Community #3 -- allows read-only access to all MIBs Community #4 -- allows read/write access to all MIBs Policy Manager will create the device based on community names #3 and #4. For read-only access, set community name #3 on the device (using CLI or AP Manager) and then use that community name for the Read Only community name in your device list or the Create Device window. For read/write access, set community name #4 on the device, and then use that community name for the Read Write and Super User community names in your device list, or the Read Write community name in the Create Device window.
Problem 28:	(Matrix C2 devices running firmware version 2.xx.xx and 3.00.xx.) You cannot terminate an active 802.1X session using the Terminate button in the Port Usage tab.
Problem 29:	(RoamAbout AP3000 devices only.) Due to recent firmware changes, the port-level RFC3580 VLAN Authorization enable/disable option is not supported.
Solution:	Use the Web or CLI to set this option at the port level.
Problem 30:	Matrix C2 devices running firmware version 2.00.xx do not implement the attribute required for Policy Manager to detect or display a Role Override in the Type column of the Port Usage tab.
Problem 31:	(Matrix C2 devices only.) Rate limits only work for Priority 0.
Solution:	This will be fixed in a future firmware release.
Problem 32:	(2nd Generation devices only.) Modifying the port mode on a port configured for 802.1X authentication terminates an active session; however, the terminated session is still displayed in the Port Usage tab as a blue active session. If you try to terminate this session using the Terminate button, you get a successful message, but the session continues to be displayed in the table as a blue active session.
Solution:	This will be fixed in a future firmware release.
Problem 33:	Verify fails and the following message is displayed in the Event Log: "The Tagged Packet VLAN to Role Mapping for the following Role (<role name>) on xx.xx.xx.xx is out of sync with the corresponding Role in the app."
Solution:	Verify will fail with this message when CLI or MIB tools has been used to create a VLAN to Role Mapping that has a port. This is because Policy Manager does not support port-based VLAN to Role Mapping. You can remove the mapping (via CLI or MIB tools) if desired, or leave the mapping knowing that Verify will fail.
Problem 34:	Matrix B2 devices only. Terminating an 802.1X session results in the Duration field being reset to "497+2:27:51" on the Port Usage tab.
Solution:	This will be fixed in a future firmware release.
Problem 35:	Selecting a role or rule in the left panel and the Device Support tab in the right panel causes a java exception in the Event Log.
Solution:	This will be fixed in a future release.
Problem 36:	Matrix B2 and Matrix V2 devices. When you disable 802.1X authentication by setting the Authentication Type to "None" on the device Authentication tab, the ports will not be displayed in the Ports Details View tab.
Solution:	In the device Authentication tab, set the Authentication Type to "Single User - 802.1X" and the Authentication Status to "Disabled."
Problem 37:	Matrix B2 and Matrix V2 devices. Performing a Set/Clear Frozen (ports) or Terminate Sessions action is not successful when initiated from the right-click menu on the Ports icon in the left-panel Network Elements tree, and errors are displayed in the Event Log.
Solution:	Select the desired ports in the right-panel Ports Details View, and use the right-click menu to perform the operations.

Help System

Problem 1:	The back arrow (previous) button and the forward arrow (next) button on the Help toolbar may not perform consistently.
Problem 2:	A graphic hotspot may not work correctly the first time you click it unless the graphic is fully displayed on the screen.
Problem 3:	When you print a help file from a browser, the graphics may not print.
Solution:	Updating your printer driver may solve this problem.
Problem 4:	When you print a help file from a browser, the text may not wrap correctly.
Solution:	This will be fixed in a future release.
Problem 5:	(Windows XP Only) When printing multiple collated copies of a Help file, only one copy of the first page is printed, and double the number of requested copies of the remaining pages are printed.
Solution:	Either print one copy at a time, or deselect the Collate option in the Print window Properties > Advanced > Paper/Output > Copy Count setting and collate the copies manually.

IEEE STANDARDS LEVERAGED:

Policy Manager addresses the following IEEE standards:

Standard	Title
IEEE 802.1D	Transparent Bridging Specifications (ISO/IEC 10038)
IEEE 802.1p	Traffic Class Expediting and Dynamic Multicast Filtering
IEEE 802.1Q	Virtual Bridged Local Area Networks
IEEE 802.1X	Port-Based Network Access Control

IETF MIBS REQUIRED:

Policy Manager requires the following MIBs:

RFC No.	Title	Groups Supported
1157	Simple Network Management Protocol (SNMP)
1213	MIB-II	System, Interfaces and IP
1493	Bridge MIB	dot1dBase group
2674	Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions	dot1qBase group and dot1qVlan group (specifically the static VLAN Database) dot1qBase OBJECT IDENTIFIER ::= { qBridgeMIBObjects 1 } dot1qVlan OBJECT IDENTIFIER ::= { qBridgeMIBObjects 4 }
	IEEE8021-PAE-MIB	dot1qBase group and dot1qVlan group (specifically the static VLAN Database) dot1xPaeSystem dot1xPaeAuthenticator

ENTERASYS NETWORKS PRIVATE ENTERPRISE MIB SUPPORT:

Policy Manager supports the Enterasys Networks Private Enterprise MIBs listed below. These IETF and Private Enterprise MIBs enumerate the minimum set of MIBs that a hardware device must implement in order to be supported by this application. Implementation of these MIBs may not be sufficient to assure that an unsupported hardware device will function properly with this software.

Enterasys Networks Private Enterprise MIBs are available in ASN.1 format from the Enterasys Networks web site at: http://www.enterasys.com/support/mibs/. Indexed MIB documentation is also available.

Title Version

CTIF-EXT-MIB version 1.06.01

CTRON-AP3000-MIB revision 200404200755Z

CTRON-CDP-MIB revision 01.00.02

CTRON-MIB-NAMES revision 1.04.15

CTRON-OIDS revision 1.19.12

CTRON-PRIORITY-CLASSIFY-MIB revision 01.00.01 0009210000Z

CTRON-Q-BRIDGE-MIB-EXT revision 200104161816Z

CTRON-VLAN-CLASSIFY-MIB version 01.00.01 0009210000Z

ENTERASYS-8021X-EXTENSIONS-MIB revision 200203072010Z

ENTERASYS-CLASS-OF-SERVICE-MIB revision 200411091552Z

ENTERASYS-CONVERGENCE-END-POINT-MIB revision 200311051942Z

ENTERASYS-MAC-AUTHENTICATION-MIB revision 200207181812Z

ENTERASYS-MAC-LOCKING-MIB revision 20020718183ZZ

ENTERASYS-MIB-NAMES revision 200010051300Z

ENTERASYS-MIB-ORG revision 200207181531Z

ENTERASYS-MULTI-AUTH-MIB revision 200403101356Z

ENTERASYS-MULTI-USER-8021X-MIB revision 200411111531Z

ENTERASYS-POLICY-PROFILE-MIB revision 200503142134Z

ENTERASYS-PWA-MIB revision 200106050000Z

ENTERASYS-RADIUS-ACCT-CLIENT-EXT-MIB revision 200209131930Z

ENTERASYS-RADIUS-AUTH-CLIENT-MIB revision 200011080000Z

ENTERASYS-RADIUS-AUTH-CLIENT-ENCRYPT-MIB revision 200010180000Z

ENTERASYS-UPN-TC-MIB revision 200402032200Z

ENTERASYS-VLAN-AUTHORIZATION-MIB revision 200406021922Z

TMS-COMMON-MIB revision 200011020000Z

Title	Version
CTIF-EXT-MIB	version 1.06.01
CTRON-AP3000-MIB	revision 200404200755Z
CTRON-CDP-MIB	revision 01.00.02
CTRON-MIB-NAMES	revision 1.04.15
CTRON-OIDS	revision 1.19.12
CTRON-PRIORITY-CLASSIFY-MIB	revision 01.00.01 0009210000Z
CTRON-Q-BRIDGE-MIB-EXT	revision 200104161816Z
CTRON-VLAN-CLASSIFY-MIB	version 01.00.01 0009210000Z
ENTERASYS-8021X-EXTENSIONS-MIB	revision 200203072010Z
ENTERASYS-CLASS-OF-SERVICE-MIB	revision 200411091552Z
ENTERASYS-CONVERGENCE-END-POINT-MIB	revision 200311051942Z
ENTERASYS-MAC-AUTHENTICATION-MIB	revision 200207181812Z
ENTERASYS-MAC-LOCKING-MIB	revision 20020718183ZZ
ENTERASYS-MIB-NAMES	revision 200010051300Z
ENTERASYS-MIB-ORG	revision 200207181531Z
ENTERASYS-MULTI-AUTH-MIB	revision 200403101356Z
ENTERASYS-MULTI-USER-8021X-MIB	revision 200411111531Z
ENTERASYS-POLICY-PROFILE-MIB	revision 200503142134Z
ENTERASYS-PWA-MIB	revision 200106050000Z
ENTERASYS-RADIUS-ACCT-CLIENT-EXT-MIB	revision 200209131930Z
ENTERASYS-RADIUS-AUTH-CLIENT-MIB	revision 200011080000Z
ENTERASYS-RADIUS-AUTH-CLIENT-ENCRYPT-MIB	revision 200010180000Z
ENTERASYS-UPN-TC-MIB	revision 200402032200Z
ENTERASYS-VLAN-AUTHORIZATION-MIB	revision 200406021922Z
TMS-COMMON-MIB	revision 200011020000Z

IMPORTANT URLS:

The following Enterasys URLs provide access to NetSight software products and product information.

To download the latest NetSight software products*, use the NetSight Software Download at http://sweval.enterasys.com/
To download previously released NetSight products*, use the Download Library at http://www.enterasys.com/download/
To receive information on Enterasys NetSight management products, including the availability of new versions and new product releases, sign up for ProActive Notification at http://sweval.enterasys.com/notify/
To register any NetSight products that are covered under a service contract, use the NetSight Service Contract Product Registration form at http://sweval.enterasys.com/netsight/

*Software license keys are version dependent and will only operate with the version of software related to the license key.

GLOBAL SUPPORT:

By Phone: (603) 332-9400
By Email: support@enterasys.com
By Web: www.enterasys.com/support
By Fax: (603) 337-3075
By Mail: Enterasys Networks, 35 Industrial Way, P.O. Box 5005, Rochester, NH 03867-5005

For information regarding the latest software available, recent release note revisions, or if you require additional assistance, please visit the Enterasys Networks Support web site.

ADDENDUM:

This section provides updated release information, available to current Policy Manager customers through the web update operation. Use the Check for Updates feature to determine if updates are currently available. The updates are listed by date, with the most recent updates listed first.

4/2005 P/N: 9038095-11 Subject to Change Without Notice F0615-E