Segment Routing Micro-segmentation
Tags: Segment Routing, SR-MPLS, SRv6, Source Routing, Segments, Labels, SIDs, Micro-segmentation, Zero Trust, East-West Traffic, Lateral Movement, Policy Enforcement, Network Security
| Technology | Layer | Use Case | Tools |
|---|---|---|---|
| SR-MPLS | L2.5 (MPLS) | WAN Traffic Engineering | Cisco IOS-XR, Junos |
| SRv6 | L3 (IPv6) | End-to-end Routing | Linux, Cisco, Nokia |
| Micro-seg | L3-L7 | Workload Isolation | VMware NSX, Illumio |
| Zero Trust | All (policy model, not a layer) | Identity- and posture-based access control for every request | Zscaler, Cloudflare |
Segment Routing Configuration
# === Segment Routing Configuration ===
# Cisco IOS-XR — SR-MPLS Configuration (this node is PE1, Prefix-SID index 1)
# Prefix-SIDs are assigned to loopback prefixes only; a transit interface gets
# no prefix-sid (its Adj-SIDs are allocated automatically by the IGP).
# With the default SRGB 16000-23999, index N maps to label 16000+N, so the
# labels referenced in the segment-list below are index 3 (P1) and index 2 (PE2).
# router isis CORE
#  is-type level-2-only
#  net 49.0001.0000.0000.0001.00      (example NET; set per node)
#  address-family ipv4 unicast
#   metric-style wide                 (required for the SR sub-TLVs)
#   segment-routing mpls
#  !
#  interface Loopback0
#   passive
#   address-family ipv4 unicast
#    prefix-sid index 1               (PE1 = label 16001)
#   !
#  !
#  interface GigabitEthernet0/0/0/0
#   point-to-point
#   address-family ipv4 unicast
#   !
#  !
# !
#
# segment-routing
#  global-block 16000 23999
#  traffic-eng
#   segment-list SL-TO-PE2
#    index 10 mpls label 16003        (P1, index 3)
#    index 20 mpls label 16002        (PE2, index 2: the last segment must be the policy end-point)
#   !
#   policy SR-POLICY-1
#    color 100 end-point ipv4 10.0.0.2   (PE2 Loopback0)
#    candidate-paths
#     preference 100
#      explicit segment-list SL-TO-PE2
#      !
#     !
#    !
#   !
#  !
# !
# Linux SRv6 Configuration
# Needs a kernel built with CONFIG_IPV6_SEG6_LWTUNNEL; enable SRH processing on
# the interfaces that receive SRv6 traffic before adding the routes:
# sysctl -w net.ipv6.conf.all.seg6_enabled=1
# sysctl -w net.ipv6.conf.eth0.seg6_enabled=1
#
# # Encapsulate traffic for fc00:2::/48 in an outer IPv6 header plus SRH.
# # Segments are listed in forwarding order (first hop first) and must be
# # comma-separated with no spaces, otherwise the shell splits the argument
# # and iproute2 rejects the command.
# ip -6 route add fc00:2::/48 encap seg6 mode encap \
#     segs fc00:1::100,fc00:3::200 dev eth0
#
# # SRv6 End function (local SID): Segments Left -= 1, DA = next segment
# ip -6 route add fc00:1::100/128 encap seg6local \
#     action End dev eth0
#
# # SRv6 End.DX4: decapsulate and forward the inner IPv4 packet to nh4
# ip -6 route add fc00:1::200/128 encap seg6local \
#     action End.DX4 nh4 10.0.0.1 dev eth0
from dataclasses import dataclass
from typing import List


@dataclass
class SRSegment:
    sid: str        # absolute label (SR-MPLS) or IPv6 SID (SRv6)
    sid_type: str   # "Prefix-SID" or "Adj-SID"
    node: str       # node that owns the SID
    action: str     # behaviour at that node, e.g. "Forward"


@dataclass
class SRPolicy:
    name: str
    color: int                  # policy colour, matched against the BGP colour community
    endpoint: str               # tail-end loopback address
    segments: List[SRSegment]   # explicit path, head-end first
    bandwidth_mbps: int
    priority: int


policies = [
    SRPolicy("Voice-Traffic", 10, "10.0.0.5", [
        SRSegment("16001", "Prefix-SID", "PE1", "Forward"),
        SRSegment("16003", "Prefix-SID", "P1", "Forward"),
        SRSegment("16005", "Prefix-SID", "PE2", "Forward"),
    ], 100, 1),
    SRPolicy("Data-Traffic", 20, "10.0.0.5", [
        SRSegment("16001", "Prefix-SID", "PE1", "Forward"),
        SRSegment("16002", "Prefix-SID", "P2", "Forward"),
        SRSegment("16004", "Prefix-SID", "P3", "Forward"),
        SRSegment("16005", "Prefix-SID", "PE2", "Forward"),
    ], 1000, 2),
]

print("=== SR Policies ===")
for p in policies:
    path = " -> ".join(s.node for s in p.segments)
    print(f"\n  [{p.name}] Color: {p.color} | Priority: {p.priority}")
    print(f"    Endpoint: {p.endpoint} | BW: {p.bandwidth_mbps} Mbps")
    print(f"    Path: {path}")
Micro-segmentation Policy
# === Micro-segmentation Implementation ===
# VMware NSX Micro-segmentation Rules (DFW). Rules are evaluated top-down and
# the first match wins, so the explicit allows come first and the default deny
# sits last.
# - name: "Web to App"
#   source: "web-tier"
#   destination: "app-tier"
#   service: "TCP/8080, TCP/8443"
#   action: "Allow"
#   logged: true
#
# - name: "App to DB"
#   source: "app-tier"
#   destination: "db-tier"
#   service: "TCP/5432, TCP/3306"
#   action: "Allow"
#   logged: true
#
# - name: "Web to DB"
#   source: "web-tier"
#   destination: "db-tier"
#   service: "Any"
#   action: "Deny"
#   logged: true
#
# - name: "Default Deny"
#   source: "Any"
#   destination: "Any"
#   service: "Any"
#   action: "Deny"
#   logged: true
# Kubernetes Network Policy
# Only the pods matched by spec.podSelector become isolated; pods in the
# namespace that no NetworkPolicy selects still accept traffic from anywhere,
# so pair this allow rule with a namespace-wide default-deny policy.
# apiVersion: networking.k8s.io/v1
# kind: NetworkPolicy
# metadata:
#   name: allow-app-to-db
#   namespace: production
# spec:
#   podSelector:
#     matchLabels:
#       tier: database
#   policyTypes:
#     - Ingress
#   ingress:
#     - from:
#         - podSelector:
#             matchLabels:
#               tier: application
#       ports:
#         - protocol: TCP
#           port: 5432
from dataclasses import dataclass
from enum import Enum
from typing import List


class Action(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    LOG = "Log & Allow"


@dataclass
class MicroSegRule:
    name: str
    source: str        # source tier (security group / label)
    destination: str   # destination tier
    ports: str         # comma-separated TCP ports, or "Any"
    action: Action
    logged: bool


# Ordered list: first match wins, so the catch-all Default Deny stays last.
rules = [
    MicroSegRule("Web -> App", "web-tier", "app-tier", "8080,8443", Action.ALLOW, True),
    MicroSegRule("App -> DB", "app-tier", "db-tier", "5432,3306", Action.ALLOW, True),
    MicroSegRule("App -> Cache", "app-tier", "cache-tier", "6379", Action.ALLOW, True),
    MicroSegRule("Web -> DB", "web-tier", "db-tier", "Any", Action.DENY, True),
    MicroSegRule("External -> DB", "external", "db-tier", "Any", Action.DENY, True),
    MicroSegRule("Default Deny", "Any", "Any", "Any", Action.DENY, True),
]

print("\n=== Micro-segmentation Rules ===")
for r in rules:
    print(f"  [{r.action.value}] {r.name}")
    print(f"    {r.source} -> {r.destination} : {r.ports} "
          f"{'(Logged)' if r.logged else ''}")
Zero Trust Architecture
# === Zero Trust Network Architecture ===
zt_pillars = {
    "Identity": {
        "desc": "Verify the identity of every user and device",
        "tools": "Azure AD, Okta, Auth0",
        "controls": "MFA, SSO, Conditional Access",
    },
    "Device": {
        "desc": "Check device posture and health",
        "tools": "Intune, CrowdStrike, Carbon Black",
        "controls": "Device Health, Compliance, EDR",
    },
    "Network": {
        "desc": "Segment the network and control traffic",
        "tools": "NSX, Illumio, Calico, Cilium",
        "controls": "Micro-segmentation, Encryption, SR",
    },
    "Application": {
        "desc": "Control access to applications",
        "tools": "ZTNA, Service Mesh, API Gateway",
        "controls": "mTLS, RBAC, Rate Limiting",
    },
    "Data": {
        "desc": "Protect data wherever it lives",
        "tools": "DLP, Encryption, Tokenization",
        "controls": "Classification, Access Control, Audit",
    },
}

print("Zero Trust Pillars:")
for pillar, info in zt_pillars.items():
    print(f"\n  [{pillar}]")
    for k, v in info.items():
        print(f"    {k}: {v}")
# Implementation Steps
steps = [
    "1. Map: identify all assets, data flows and dependencies",
    "2. Identify: define the Protect Surface (critical data and systems)",
    "3. Architect: design micro-perimeters around the Protect Surface",
    "4. Policy: create granular access policies (who, what, when, how)",
    "5. Monitor: continuously watch traffic, anomalies and compliance",
    "6. Automate: automate policy enforcement and response",
    "7. Iterate: keep refining policies from analytics",
]

print("\n\nZero Trust Implementation:")
for step in steps:
    print(f"  {step}")
Tips
- Default Deny: start from Deny All, then open only the Allow rules that are actually needed
- East-West: control East-West traffic, not just North-South
- Logging: log every rule for troubleshooting and audit
- Automate: generate policies from observed application dependencies, and review anything rare or external before allowing it
- SRv6: consider SRv6 for new networks; it is more flexible than SR-MPLS, but confirm that the platform supports SRv6 in the forwarding plane, not only in software
What is Segment Routing?
A source-routing architecture in which the ingress node encodes the path as an ordered list of segments (MPLS labels in SR-MPLS, IPv6 SIDs in SRv6). Transit nodes keep no per-path state, which removes protocols such as LDP and RSVP-TE and reduces both complexity and protocol state in the network.
What is Micro-segmentation?
A network security approach that divides the network into small segments, down to the individual workload, and controls East-West traffic between them. Following Zero Trust, every communication must be explicitly allowed, which prevents lateral movement after a single workload is compromised.
How do SR-MPLS and SRv6 differ?
SR-MPLS encodes segments as MPLS labels and runs on existing MPLS hardware. SRv6 encodes segments as IPv6 addresses carried in a Segment Routing Header, which enables network programming and end-to-end routing without an MPLS data plane; it is the more flexible and future-proof option where IPv6 is available end to end.
What is a Zero Trust Network?
A network with no implicit trust: every request is authenticated and authorized. Its principles are verify explicitly, least privilege and assume breach, and micro-segmentation is one of its main enforcement mechanisms.
Summary
Segment Routing (SR-MPLS and SRv6) applies source routing to steer traffic without per-path state. Micro-segmentation and Zero Trust control East-West traffic with default-deny network policies (Kubernetes NetworkPolicy, VMware NSX DFW) to block lateral movement, while the Identity, Device, Application and Data pillars cover everything the network layer cannot.
