Basic Design Question - Firewall Router segment

I'm at a new place and have to re-do the current LAN. Small office, 80-100 users. Existing setup is a flat network, no QoS, no VLANs. I have already replaced an older PIX with a new ASA (5525-X) and added a DMZ.
I am currently trying to draw up a proposed design, which at present is a single firewall with multiple VLANs (user, server, voice, guest). My question is regarding the link between the core router (L3 switch, whatever) and the firewall. I'm thinking the correct setup is to have a separate /30 subnet on the interfaces between the firewall and the router as below, and then the router will just have a default route of 0.0.0.0 0.0.0.0 10.1.100.2. Is this correct?
Internet-------Firewall-(10.1.100.2/30)----------------------------(10.1.100.1/30) --Router ----(10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, etc)
Thanks,

Your design is good. But as for the subnet between the core (router or L3 switch - switch preferred) and the edge FW, I suggest something a little larger than a /30, like a /28. You may want to add a standby FW in a few months or years, or a new WAN connection to that 'demarc' subnet at some point. It's good practice to leave some room for growth, even if you don't foresee it right now.
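
A quick consistency check for the link discussed above, added here as an example and not part of the original thread. It takes the addressing from the question (10.1.100.0/30 transit, 10.1.x.0/24 VLANs behind the core) and the /28 suggestion from the answer, and flags the one thing the question leaves out: the firewall needs a static route back to every inside VLAN via the core switch, or it has no path to inside hosts. The `route inside ...` text it suggests is ASA syntax; everything else (function names, the "revised design" values) is made up for the example.

```python
"""Consistency check for a firewall <-> core L3 switch transit link
(added example, not from the thread). Addresses follow the question; the
standby-firewall idea and the /28 alternative come from the answer."""
from __future__ import annotations
from ipaddress import IPv4Interface, IPv4Network, ip_network


def check_transit(fw_if: str, core_if: str, inside_nets: list[str],
                  fw_routes: dict[str, str], core_default: str) -> list[str]:
    """Return the list of design problems found (empty means consistent).

    fw_if / core_if : interface address with prefix, e.g. '10.1.100.2/30'
    inside_nets     : VLAN subnets that live behind the core switch
    fw_routes       : static routes on the firewall, network -> next hop
    core_default    : next hop of the core's 0.0.0.0/0 route
    """
    problems: list[str] = []
    fw, core = IPv4Interface(fw_if), IPv4Interface(core_if)
    transit = fw.network
    if core.network != transit:
        problems.append(f"firewall {fw} and core {core} are not on one transit subnet")
    for name, addr in (("firewall", fw), ("core", core)):
        # hosts() leaves out the network and broadcast addresses
        if addr.ip not in transit.hosts():
            problems.append(f"{name} address {addr.ip} is not a usable host in {transit}")
    # Everything the core does not know about goes to the firewall.
    if core_default != str(fw.ip):
        problems.append(f"core default route points at {core_default}, expected {fw.ip}")
    # The firewall needs a return route for every inside VLAN via the core;
    # without one it has no path back to inside hosts.
    for net in inside_nets:
        n = ip_network(net)
        if transit.overlaps(n):
            problems.append(f"transit {transit} overlaps inside network {n}")
        hop = fw_routes.get(str(n))
        if hop is None:
            problems.append(f"firewall has no route for {n}; add: "
                            f"route inside {n.network_address} {n.netmask} {core.ip}")
        elif hop != str(core.ip):
            problems.append(f"firewall route for {n} points at {hop}, expected {core.ip}")
    return problems


def spare_hosts(transit: str, in_use: int) -> int:
    """Usable addresses left on the transit subnet after `in_use` devices."""
    return len(list(IPv4Network(transit).hosts())) - in_use


if __name__ == "__main__":
    inside = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
    # The design as posted: /30 transit, core default route to the ASA,
    # but nothing said about return routes on the ASA.
    for p in check_transit("10.1.100.2/30", "10.1.100.1/30", inside, {}, "10.1.100.2"):
        print("posted design:", p)
    # The same design with return routes and a /28 transit that keeps room
    # for a standby firewall or a second WAN router.
    routes = {n: "10.1.100.1" for n in inside}
    print("revised design:", check_transit("10.1.100.2/28", "10.1.100.1/28", inside, routes, "10.1.100.2"))
    print("spare on /30:", spare_hosts("10.1.100.0/30", 2), " spare on /28:", spare_hosts("10.1.100.0/28", 2))
```

Run as posted, the checker reports three missing return routes on the firewall and nothing else; the /30 leaves zero spare addresses for a second device, the /28 leaves twelve.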

Similar Messages

  • Basic design questions

    I want to design an icon for an Android app in CS5, and there are lots of design guidelines that need to be followed, and there are a couple I am unclear about:
    1.) they have to be caricatural in nature - how would you interpret this? what does this mean?
    2.) with very little perspective - how would you interpret this? does this mean they need to be close to flat?
    Sorry, English is not my first language.
    Thanks for your input.

    wb,
    Caricatural means that they should create a certain impression by enhancing certain features instead of having a natural/neutral photograph-like appearance, like caricatures/cartoons/mangas/satirical drawings.
    Very little perspective means close to flat, once again a simplified representation instead of natural/neutral photograph-like.

  • Very basic design question of File Adapter

    Hi Guys,
    What is the utility of assigning the System Name and System Interface names (XMB.SenderInterfaceNamespace, XMB.SenderInterfaceName, XMB.SenderBusinessName) while configuring the Inbound File Adapter?
    What I am struggling to understand is that any particular inbound file adapter is already associated with one particular Sender Agreement, and the message header picks up the Sender System Name, Sender Interface name etc. from this Sender Agreement (from the CPA cache), so why are the above settings required for the File Adapter?
    Thanks

    I think you have read the documentation for the J2SE adapter.
    The online help for the J2EE adapter is here:
    http://help.sap.com/saphelp_nw04/helpdata/en/e3/94007075cae04f930cc4c034e411e1/frameset.htm

  • WLAN 4402 Design question

    Dear Support,
    Wondering if anyone could help me, after some basic design advice on a WLAN implementation and if it is achievable.
    Summary
    VLAN 201 - Wired user LAN and 2003 Server running IAS (10.115.2.x /24)
    VLAN 201 - Secure WLAN on 10.115.2.x /24
    VLAN 60 - Management LAN for WLAN 4402 controller and 4 1130 LW (layer 2 mode) APs (172.16.31.x /24)
    WLAN 99 - Guest WLAN with web auth (192.168.252.x /24).
    I have a DSL router for the 192.168.252.x subnet for internet access for Guest users. A DHCP scope is configured on the WLAN controller.
    I am wondering if I can have the same subnet (and addresses assigned via the server running IAS) for both the wired users and secure WLAN.
    Thank you for your assistance in advance.
    I always rate helpful replies.
    Best regards, Adrian.

    Hi Ankur,
    Many thanks for replying, ideally this is what I need to know is possible.
    Currently the wired users on vlan 201, get an IP address via DHCP from the server, the same server is also configured with IAS for the implementation of MS-CHAP-V2 for authentication using their AD username and password (still yet to get working).
    Ideally I would prefer that the wired and secure wireless (ms-chap-v2 on vlan 201) get their IP addresses from the same server. I need to know if it is possible to have both a wired VLAN and wireless WLAN using the same VLAN id (in this case 201).
    I'm not over concerned with using either L2 or L3 mode on the APs, they currently are set to L2, but happy to define another scope either on the WLAN controller or the IAS (W2003) server.
    I think the fundamental question I'm asking is:
    Is it possible to have both the Wired users (VLAN 201) and Secure WLAN users (also on VLAN 201) share the same subnet? The reason this is crucial to the design is that the 10.115.2.x subnet is routed via a third party, and getting them to add additional routes (i.e. one for the wired users and one for the wireless users) is a pain! And a lot of paperwork!
    I have tried to do the config already; the issue I have is that pings from the server to the management address of the WLAN controller sometimes work and sometimes don't. I have 2 x 3560 switches doing the routing between the user (v201) and WLAN management (v60) VLANs. This is also the same in the opposite direction (4402 to the DHCP/IAS server). I am always able to ping the SVI of v60 from the server. I'm also not seeing any authentication requests being passed to the IAS server.
    Thanks again in advance for your assistance.
    Best regards, Adrian.

  • Design question: Scheduling a Variable-timeslot Resource

    I originally posted this in general Java programming, because this seemed like a more high-level design discussion. But now I see some class design questions. Please excuse me if this thread does not belong here (this is my first time using the forum, save answering a couple of questions).
    Forum,
    I am having trouble determining a data structure and applicable algorithm (actually, even more general than the data structure -- the general design to use) for holding a modifiable (but more heavily read/queried than updated), variable-timeslot schedule for a given resource. Here's the situation:
    Let's, for explanation purposes, say we're scheduling a school. The school has many resources. A resource is anything that can be reserved for a given event: classroom, gym, basketball, teacher, janitor, etc.
    Ok, so maybe the school deal isn't the best example. Let's assume, for the sake of explanation, that classes can be any amount of time in length: 50 minutes, 127 minutes, 4 hours, 3 seconds, etc.
    Now, the school has a base operation schedule, e.g. they're open from 8am to 5pm MTWRF and 10am to 2pm on Saturday and Sunday. Events in the school can only occur during these times, obviously.
    Then, each resource has its own base operation schedule, e.g. the gym is open from noon to 5pm MTWRF and noon to 2pm on sat. and sun. The default base operation schedule for any resource is the school which "owns" the resource.
    But then there are exceptions to the base operation schedule. The school (and therefore all its resources) are closed on holidays. The gym is closed on the third friday of every month for maintenance, or something like that. There are also exceptions to the available schedule due to reservations. I've implemented reservations as exceptions with a different status code to simplify things a little bit: because the basic idea is that an exception is either an addition to or removal from the scheduleable times of that resource. Each exception (reservation, closed for maintenance, etc) can be an (effectively) unrestricted amount of time.
    Ok, enough set up. Somehow I need to be able to "flatten" all this information into a schedule that I can display to the user, query against, and update.
    The issue is complicated more by recurring events, but I think I have that handled already and can make a recurring event be transparent from the application point of view. I just need to figure out how to represent this.
    This is my current idea, and I don't like it at all:
    A TimeSlot object, holding a beginning date and ending date. A data structure that holds list of TimeSlot objects in order by date. I'd probably also hold an index of some sort that maps some constant span of time to a general area in the data structure where times around there can be found, so I avoid O(n) time searching for a given time to find whether or not it is open.
    I don't like this idea, because it requires me to call getBeginningDate() and getEndDate() for every single time slot I search.
    Anyone have any ideas?

    If I am correct, your requirement is to display a schedule, showing the occupancy of a resource (open/closed/used/free and other kind of information) on a time line.
    I do not say that your design is incorrect. What I state below is strictly my views and should be treated that way.
    I would not go by time-slot, instead, I would go by resource, for instance the gym, the class rooms (identified accordingly), the swimming pool etc. are all resources. Therefore (for the requirements you have specified), I would create a class, lets say "Resource" to represent all the resources. I would recommend two attributes at this stage ("name" & "identifier").
    The primary attribute of interest in this case would be a date (starting at 00:00hrs and ending at 24:00hrs.), a span of 24hrs broken to the smallest unit of a minute (seconds really are not very practical here).
    I would next encapsulate the availability factor, which represents the concept of availability in a class, for instance "AvailabilityStatus". The recommended attributes would be "date" and "status".
    You have mentioned different statuses, for instance, available, booked, closed, under maintenance etc. Each of these is a category. Let us say, numbered from 0 to n (where n<128).
    The "date" attribute could be a java.util.Date object, representing a date. The "status", is byte array of 1440 elements (one element for each minute of the day). Each element of the byte array is populated by the number designation of the status (i.e, 0,1,2...n etc.), where the numbers represent the status of the minute.
    The "Resource" class would carry an attribute of "resourceStatus", an ordered vector of "ResourceStatus" objects.
    The object (all the objects) could be populated manually at any time, or the entire process could be automated (that is a separate area).
    The problem of representation is over. You could add any number of resources as well as any number of status categories.
    This is a simple solution, I do not address the issues of querying this information and rendering the actual schedule, which I believe is straight forward enough.
    It is recognized that there are scope for optimizations/design rationalization here, however, this is a simple and effective enough solution.
    regards

  • Linksys WRT600N vs CISCO PIX 506E.... Firewall / Routing Performance

    Hi:
    I am new to the forum and was hoping to tap into some of your expertise. I have a Linksys WRT600N version 1.1 and I recently acquired a CISCO PIX 506E firewall. My question is what should I use as a firewall? Both have SPI etc. Should I:
    a) Use the 506E as a firewall and use the 600 as a wireless access point, or
    b) Use the 600 as a firewall and wireless access point.
    Do both routers have the same firewall routing performance? I want to use the storage feature on the 600N, but if I do that and use it as a wireless access point the 600 can't get the proper time from the Internet, so the time for newly created folders and files shows they are 10 years old.
    Anyway, just thought I would post and find out what some of the experts thought and maybe someone from Linksys or CISCO. I know the 506E is discontinued and was manufactured around 2001 and the 600N is a new model.

    The PIX is a real firewall. The WRT has a firewall which mostly protects the router itself. People prefer to buy a "SPI firewall router" instead of a simple "router" even though the router firewall does nothing or little to protect the LAN. The only firewall configurations on the WRTs you can usually do are on the Access Restrictions tab. But that's usually all. The LAN itself is not protected by the firewall. You would notice this if you had a public IP subnet and ran it through the WRT: the LAN would be fully exposed to the internet. Some routers have a few functions like protection against denial of service attacks or similar. But even then this often filters only the traffic targeted at the router and not the LAN.
    The common protection of your LAN you have on the WRT is because you use private IP addresses inside your LAN and the router does NAT. However, NAT is not a security mechanism but a mechanism to solve the problem that you can only have a single public IP address but want to use multiple computers, which is why you have to use private IP addresses. Current NAT implementations usually drop unsolicited incoming traffic because they don't know to which IP address in the LAN to send it. But the notion of NAT is to deliver and to allow connectivity. This has nothing to do with security or a firewall.
    Thus, if you want to use a real firewall use the PIX. On the PIX you can configure the traffic which is allowed to enter the LAN and which not. It is far superior in this respect to the WRT. However, as it is an older model, I cannot tell how fast the PIX is. You should be able to find the old data sheets of the PIX somewhere on the Cisco website. They should mention the possible throughput. I guess it won't be an issue.
    To me another point for the PIX are the VPN capabilities which allow you to securely access your LAN while you are on the road.
    Of course, you must know how to configure the PIX correctly. It is a complex device and can be configured pretty much for anything you like. This means of course if you do it wrong you may end up with little or no security.
    BTW, there are no people from Linksys in these forums except the moderators (who may be from Lithium). To hear from Linksys you have to contact Linksys support.

  • Centralized WLC Design Question

    Dears,
    In my scenario, I am designing a centralized WLC deployment. I have 30 APs in Building X (200 users) and 20 APs in Building Y (150 users). I am planning to install an HA WLC cluster where the primary and secondary WLCs will reside in physically different data centers A and B.
    I have a wireless design question and I am not able to get clear answers. Please refer to the attached drawing and answer the following queries:
    If Building X users want to talk to Building Y users, how will the control and data traffic flow between Building X and Y? Would all the traffic go to the primary WLC from Bldg X APs first and then be re-routed back to Building Y APs? Can I achieve direct switching between Bldg X and Y APs without going toward the WLC?
    If Building X and Y users want to access the internet, how would the traffic flow? Would the X and Y APs tunnel all the traffic towards the WLC and then have it routed to the internet gateway? Is it possible for Bldg X and Y APs to directly send traffic towards the internet gateway without going to the controllers?
    I have planned to put the WLCs at physically different locations in different DCs A and B. Is it recommended to have such a design? What would be the failover traffic volume if the primary WLC goes down and the secondary controller takes over?
    My reason to go for a centralized deployment is that I want to achieve centralized authentication with local switching. Please give your recommendations and feedback.
    Regards,
    Rameez

    If Building X users want to talk to Building Y users, how will the control and data traffic flow between Building X and Y? Would all the traffic go to the primary WLC from Bldg X APs first and then be re-routed back to Building Y APs? Can I achieve direct switching between Bldg X and Y APs without going toward the WLC?
              Traffic flows to the WLC that is the primary for the APs, then it's routed over your network.
    If Building X and Y users want to access the Internet, how would the traffic flow? Would the X and Y APs tunnel all the traffic towards the WLC and then have it routed to the Internet gateway? Is it possible for Bldg X and Y APs to directly send traffic towards the Internet gateway without going to the controllers?
              The WLC isn't a router, so you would have to put the Internet traffic on a subnet and route.
    I have planned to put the WLCs at physically different locations in different DCs A and B. Is it recommended to have such a design? What would be the failover traffic volume if the primary WLC goes down and the secondary controller takes over?
              Like I mentioned earlier, the two HA WLCs have to be on the same layer 2 subnet in order for you to use HA. The guide mentions an Ethernet cable to connect both the HA ports on the WLCs.
    Thanks,
    Scott

  • Dreamweaver design question

    Hi all. I'm new to the forum and had a design question. My site took about 3 weeks to complete, and after finishing what I thought was a pretty error-free website I noticed that Dreamweaver 8 was coming up with numerous errors that matched http://validator.w3.org's scans. My question is this. Why does Dreamweaver (regardless of the release) let the designer build the website without pointing out the errors as they go along, with simple instructions on how to fix them? As an example, my meta tags
    <META NAME="keywords" CONTENT="xxxxxxx">
    <META NAME="description" CONTENT="xxxxxxxx">
    <META NAME="robots" CONTENT="xxxxx">
    <META NAME="author" CONTENT="xxxxxx">
    <META NAME="copyright" CONTENT="xxxxxx">
    all had to be changed over to
    <meta name="keywords" CONTENT="xxxxxxxxxxxxx">
    <meta name="description" CONTENT="xxxxxxx">
    <meta name="robots" CONTENT="xxxxxx">
    <meta name="author" CONTENT="xxxxxxxx">
    <meta name="copyright" CONTENT="xxxxxxxx">
    all because dreamweaver didnt tell me that the <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    didn't fit the original design. Now my site (if you wish to view the code) is www.gamblingwhore.com, and if you look at the page source you will see that the code has been corrected in DW 8 but still shows more than 30 errors on http://validator.w3.org. Does Dreamweaver not have the basic tool available to fix these errors without such hassle? It's not just my site either; many sites built in Dreamweaver can be checked with the http://validator.w3.org website only to find 20-100 different errors.
    Dreamweaver's creators need to focus on these errors because they hinder SEO and they create a lot of extra work.
    Thank you

    The w3c and XHTML have come a ways since the release of Dreamweaver 8 (I used it in late 2004 and 2005).
    Dreamweaver 8 will build transitional XHTML files as well as old style single tag HTML. It all depends on the personal preferences of the designer.
    Just for kicks, go to say... 20 random websites and see just how many get a green light when you validate them. If its half, you're lucky. This page doesn't even validate;
    Dreamweaver has the menu option (at least in CS3 and CS4) under the Commands menu to "Clean Up HTML" or "Clean Up XHTML" depending on what you're building. I make a point of running that command as I build, along with Apply Source Formatting.
    I also use a local validator program to check my code before putting anything up.
    That's why they call it WYSIWYG software.
    If it did everything perfectly for everyone every single time, good web designers would find themselves out of work.

  • Questions on route

    Dear friends
    Friends, could you please explain to me the following questions regarding Route:
    Where all Routes are used
    What are the impact of Change in Route
    What all things are dependent on Route
    Regards
    Prakash

    Hi Prakash,
    1) Where all Routes are used
        Routes are basically used for the Transportation module. The Route basically helps us to determine the freight rates which will be applicable for a particular material. But you can define the Route in the IMG nodes present in Sales and Distribution, Logistics Execution. In documents, the Route is determined at the item level of the Sales Documents but at the header level of the Delivery Document and the Shipment Document.
    2)What are the impact of Change in Route
    As I said before the Change of Route may affect the Freight rates or the No. of days required to deliver the goods at the Customers place. The Route is more significant at the Delivery Document rather than in the Sales Document, since the Shipment Document is based on the Delivery document and the Vendor payment (Transporter) also depends on that.
    3)What all things are dependent on Route
    I would rather explain the data required for the Determination of the route by the system.
    The system uses the following data to determine the route for the order:
    -Country and transportation zone of the shipping point (departure zone)
    -Shipping condition
    -Transportation group of the material
    -Country and transportation zone of the ship-to party
    As far as I know the Route basically is used only for the freight charges determination.
    Regards,
    Karthik.

  • OSPF Area Addition - Design Question

    Hello,
    I have a design question regarding OSPF. I am looking to add a new ospf area (1). The area will live on two Core routers and two Distribution routers. Can you please look at the attached Pics and tell me which design is better.
    I would like to be able to connect Core-01 to Dist-01 and Core-02 to Dist-02 with a connection between Dist-01 and Dist-02, but this will result in a discontiguous area, correct?
    Thanks,
    Lee

    I would say that the more common design is to have just backbone area links between the core routers. But there is no real issue with having an area 1 link between them...
    If I were you, I would not make the area a totally NSSA. Here are my reasons for that:
    - you will get sub-optimal routing out of the area since you have two ABRs and each distribution router will pick the closest one of them to get out to the backbone even though it may be more optimal to use the other one
    - in an NSSA case, one of the two ABRs will be designated as the NSSA translator, which means that if you are doing summarisation on the ABRs, all traffic destined for these summarised routes will be drawn to the area through that one ABR.
    Paresh

  • SCA design question - PIX and SCA with dual logical SSL server.

    I have a SCA design question. please correct or verify my solution.
    1. connectivity.
    <Client with port 443>--<ISP>--<PIX>--<SCA>--<SERVER(two IP on single NIC and each IP associates to WEB server) with port 81>
    * client will access WEB server with x.x.1.100 or x.x.1.101
    2. physical IP address
    - PIX outside=x.x.1.1
    - PIX inside=x.y.1.1
    - SCA device=x.y.1.2
    - SERVER NIC1=x.y.1.10
    - SERVER NIC2=x.y.1.11
    3. PIX NAT
    - static#1=x.x.1.100 map to x.y.1.10
    - static#2=x.x.1.101 map to x.y.1.11
    4. SCA configuration.
    mode one-port
    no mode one-port
    ip address x.y.1.2 netmask 255.255.255.0
    ip route 0.0.0.0 0.0.0.0 x.y.1.1
    ssl
    server SERVER1
    ip address x.y.1.10
    localport 443
    remoteport 81
    server SERVER2
    ip address x.y.1.11
    localport 443
    remoteport 81
    Thanks,

    The document http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/scacfggd/ has a link to a page which describes how to use the configuration manager command line interface to configure the Secure Content Accelerator. Several configuration examples are also included in this page.

  • ACLS QUESTION - 2 LAN SEGMENTS - ISSUE

    I have a scenario where 2 LAN segments are separated by a router, Admin and Students. There is a DNS server and an EMAIL server on the admin segment. Students should be able to access DNS and EMAIL services (smtp, pop3 and dns). No access to any other traffic. Admin should have full access to the student LAN segment. I managed to implement all the filtering with extended ACLS placed on the router as follows:
    access-list 105 permit tcp any any eq smtp
    access-list 105 permit tcp any any eq pop3
    access-list 105 permit tcp any any eq www
    access-list 105 permit udp any host 10.20.0.2 eq 53
    access-list 105 deny ip any any
    int e1/1
    ip access-group 105 in
    But for some reason it does not allow any access from the admin segment to the students segment.
    Email and DNS are working fine from the students segment, and pings fail as expected after the commands mentioned were issued.
    Admin should be able to ping the students segment.
    After attempting many times and different configs I tried the following:
    access-list 106 permit ip any any
    int e1/0
    ip access-group 106 in
    I also tried
    int e1/1
    ip access-group 106 in
    But admin still has no access to the students segment!
    Why not?
    A few fellows tried it out as well in Packet Tracer with no successful results...
    I would really appreciate some help ASAP!
    Thank you in advance,
    Miguel

    Hi Miguel,
    Your issue is the returning packet for the session initiated by the Admin - caused by the deny ip any any on access-list 105.
    For the "ping" from admin to student to work add:
       access-list 105 permit icmp any any echo-reply
    What kind of access is needed from Admin to Student?
    Dan
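
The filtering behaviour behind Dan's answer, as an added example that is not part of the thread: a small stateless evaluator in Python that runs constructed packets through access-list 105 as posted and through a corrected list. The interface layout (Admin behind e1/0, Students behind e1/1, DNS on 10.20.0.2) and the service ports come from the post; the host addresses 10.20.0.x/10.30.0.x, the sample packets and the function names are made up. Two caveats a practitioner would want: a Cisco ICMP entry needs the protocol keyword (`access-list 105 permit icmp any any echo-reply`), and `established` only tests the TCP ACK/RST bits, so it is an approximation of session tracking, not the real thing.

```python
"""Stateless evaluation of IOS-style extended ACLs (added example, not from the
thread). Packets here are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0       # tcp/udp destination port
    flags: str = ""      # tcp flags, e.g. "S" (SYN) or "SA" (SYN-ACK)
    icmp_type: str = ""  # "echo" or "echo-reply"


@dataclass(frozen=True)
class Ace:
    """One access-list entry; 'any' or None means wildcard."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp" or "icmp"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    established: bool = False       # IOS 'established': ACK or RST bit set
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.proto == "tcp" and ("A" in p.flags or "R" in p.flags)):
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


PORTS = {"smtp": 25, "pop3": 110, "www": 80, "dns": 53}

# access-list 105 as posted, applied 'in' on e1/1: it sees only packets that
# enter the router FROM the Student segment, i.e. both student-initiated
# traffic and the replies to anything Admin initiated.
ACL_105 = [
    Ace("permit", "tcp", dport=PORTS["smtp"]),
    Ace("permit", "tcp", dport=PORTS["pop3"]),
    Ace("permit", "tcp", dport=PORTS["www"]),
    Ace("permit", "udp", dst="10.20.0.2", dport=PORTS["dns"]),
    Ace("deny", "ip"),
]

# Corrected list: let replies to Admin-initiated sessions through first.
# 'established' is a flag check, not session tracking: a student host can
# still push ACK-flagged segments at any Admin port. Stateful inspection
# (CBAC/zone-based firewall, or an ASA) is the robust fix.
ACL_105_FIXED = [
    Ace("permit", "tcp", established=True),         # access-list 105 permit tcp any any established
    Ace("permit", "icmp", icmp_type="echo-reply"),  # access-list 105 permit icmp any any echo-reply
] + ACL_105

# Constructed traffic as seen inbound on e1/1 (student host 10.30.0.10,
# Admin mail server 10.20.0.3, Admin workstation 10.20.0.5).
SAMPLES = {
    "student smtp to mail server": Packet("tcp", "10.30.0.10", "10.20.0.3", dport=25, flags="S"),
    "student dns query":           Packet("udp", "10.30.0.10", "10.20.0.2", dport=53),
    "student ssh to admin":        Packet("tcp", "10.30.0.10", "10.20.0.5", dport=22, flags="S"),
    "ping reply to admin":         Packet("icmp", "10.30.0.10", "10.20.0.5", icmp_type="echo-reply"),
    "syn-ack to admin":            Packet("tcp", "10.30.0.10", "10.20.0.5", dport=51515, flags="SA"),
}


def report(acl: List[Ace]) -> dict:
    """Map each sample name to the action the ACL takes on it."""
    return {name: evaluate(acl, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    posted, fixed = report(ACL_105), report(ACL_105_FIXED)
    for name in SAMPLES:
        print(f"{name:30} posted={posted[name]:6} fixed={fixed[name]}")
```

Run it and the posted list denies both the SYN-ACK and the echo-reply that Admin's sessions depend on, while the corrected list permits them and still denies the student's SSH attempt. The access-list 106 experiment in the post changes nothing because Admin's requests were never being filtered on the way out; it is their replies entering e1/1 that hit the deny.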

  • Catalyst 3850 Stack VLANs, layer 2 vs. layer 3 design question

    Hello there:
    Just a generic, design question, after doing much reading, I am just not clear as when to use one or the other, and what the benefits/tradeoffs are:
    Should we configure the switch stack w/ layer 3, or layer 2 VLANs?
    We have a Catalyst 3850 Stack, connected to an ASA-X 5545 firewall via 8GB etherchannel.
    We have about 100 servers (some connected w/ bonding or mini-etherchannels), and 30 VLANs.
    We have several 10GB connections to servers.
    We push large, (up to) TB sized files from VLAN to VLAN, mostly using scp.
    No ip phones, no POE.
    Inter-VLAN connectivity/throughput and security are priorities.
    Originally, we planned to use the ASA to filter connections between VLANs, and VACLs or PACLs on the switch stack to filter connections between hosts w/in the same VLAN.
    Thank you.

    If all of your servers are going to the 3850 then I'd say you've got the wrong switch model to do a DC job. If you don't configure QoS properly, then your servers will start dropping packets because Catalyst switches have very, very shallow memory buffers. These memory buffers get swamped when servers do non-stop traffic.
    Ideally, Cisco recommends the Nexus solution to connect servers to. One of the guys here, Joseph, regularly recommends the Catalyst 4500-X as a suitable (and financially sensible) alternative to the more expensive Nexus range.
    In a DC environment, if you have a lot of VM stuff, then stick with Layer 2.  V-Motion and Layer 3 don't go hand-in-hand.

  • Design question: methods returning objects

    I have a general design question. When, in general (and why), should you have a method alter an object via its methods but not return the object, as opposed to doing the same operation in a method and then returning it?
    Consider the two methods below which do basically the same thing. When is one desirable over the other, and why?
    Cheers--
    // mutates the argument in place, returns nothing
    public void setMyIntField(SomeObject pObj){
        pObj.setSomeInt(5);
    }
    // same mutation, but hands the object back (a different name is needed
    // because Java cannot overload on return type alone)
    public SomeObject setMyIntFieldAndReturn(SomeObject pObj){
        pObj.setSomeInt(5);
        return pObj;
    }

    Let me give a better example:
    import java.util.HashMap;

    class FruitWorker{
      private void someMethod(){
        HashMap myCitrus = new HashMap();
        HashMap myTropicals = new HashMap();
        // use my no-return-object method
        addFruitProperties1(myCitrus,
                            "tartness",
                            new FruitProperty("very!"));
        // use my return-object method
        myTropicals = addFruitProperties2(myCitrus,
                                          "sweetness",
                                          new FruitProperty("little bit"));
      }// end method
      private void addFruitProperties1(HashMap pFruitProps,
                                       String pProp,
                                       FruitProperty pVal){
        pFruitProps.put(pProp, pVal);
      }// end method
      private HashMap addFruitProperties2(HashMap pFruitProps,
                                          String pProp,
                                          FruitProperty pVal){
        pFruitProps.put(pProp, pVal);
        return pFruitProps;
      }// end method
    }// end class

  • LDAP design question for multiple sites

    LDAP design question for multiple sites
    I'm planning to implement the Sun Java System Directory Server 5.2 2005Q1 for replacing the NIS.
    Currently we have 3 sites with different NIS domains.
    Since the NFS over the WAN connection is very unreliable, I would like to implement as follows:
    1. 3 LDAP servers + replica for each sites.
    2. Single username and password for every end user cross those 3 sites.
    3. Different auto_master, auto_home and auto_local maps for three sites. So when user login to different site, the password is the same but the home directory is different (local).
    So the questions are
    1. Should I need to have 3 domains for LDAP?
    2. If yes for question 1, then how can I keep the username password sync for three domains? If no for question 1, then what is the DIT (Directory Infrastructure Tree) or directory structure I should use?
    3. How to make auto map work on LDAP as well as mount local home directory?
    I would really appreciate it if some LDAP experts could enlighten me on this project.

    Thanks for your information.
    My current environment has 3 sites with 3 different NIS domainname: SiteA: A.com, SiteB:B.A.com, SiteC:C.A.com (A.com is our company domainname).
    So everytime I add a new user account and I need to create on three NIS domains separately. Also, the password is out of sync if user change the password on one site.
    I would like to migrate NIS to LDAP.
    I want to have single username and password for each user on 3 sites. However, the home directory is on local NFS filer.
    Say for userA, his home directory is /user/userA in passwd file/map. On location X, his home directory will mount FilerX:/vol/user/userA,
    On location Y, userA's home directory will mount FilerY:/vol/user/userA.
    So the mount drive is determined by auto_user map in NIS.
    In other words, there will be 3 different auto_user maps in 3 different LDAP servers.
    So userA login hostX in location X will mount home directory on local FilerX, and login hostY in location Y will mount home directory on local FilerY.
    But the username and password will be the same on three sites.
    That's my goal.
    Some LDAP experts suggested MMR (Multi-Master Replication) to me. But I am still not quite sure how to do MMR.
    It would be appreciated if some LDAP guru can give me some guideline at start point.
    Best wishes
