Micro Segmentation Policies#
The MicroSegmentationPolicy is a granular security policy designed to enforce Zero Trust principles within a network. Unlike traditional perimeter-based security that focuses on protecting the border of a network, microsegmentation divides the internal network into distinct, isolated security segments. This allows for precise control over "east-west" traffic (communication between internal resources), significantly reducing the attack surface and preventing lateral movement by unauthorized users or threats.
- Network-Wide Scope: Instead of being applied to individual ports or interfaces one by one, the policy is defined at the network instance level and can be reused across multiple services.
- Inheritance: Once configured, the policy is automatically inherited by all relevant connection points within that network segment, ensuring there are no "blind spots" in security coverage.
- Network Design Agnostic: Because the policy references GroupTags rather than specific VLANs or IP addresses, the policy is updated automatically when group memberships or network configuration changes.
A MicroSegmentationPolicy is an ordered list of policyEntries that match certain packets and perform an action on those packets; the policy is applied to one or more serviceTargets.
Policy Entries#
The policyEntries are defined in an ordered list. Each packet is evaluated on ingress against the policyEntries in order: if an entry does not match, the packet is evaluated against the next entry, and so on. Once a packet matches a particular entry, evaluation of the chain ends and the action specified in that entry is performed on the packet. This behavior is identical to Filters.
Match Criteria#
Packets can be matched by their
Actions#
When a packet matches the matchCriteria of a policyEntry, the following actions can be applied to the packet:
- Forwarding - Accept or Drop
- Logging - Logs the packet to the node's logging facility
- Collect statistics - See the "Policy Entry Counters" UI dashboard under "Micro Segmentation Policies"
Service Targets#
The MicroSegmentationPolicy can be applied to one or more services by setting serviceTargets. The following types are supported:
MicroSegmentationPolicies cannot be applied in the underlay.
MicroSegmentationPolicies are not supported in DefaultRouters.
OS-specific implementation notes#
Node reboot required
If an SR Linux device is deployed in a role that requires the source tag to be derived from the lookup of the source IP address in the Longest Prefix Match (LPM) table, the device will automatically be configured to operate in LPM source lookup mode ("platform.resource-management.group-based-policy.lpm-source-lookup"). Changing this setting requires a chassis reboot. See the "Node Platform Status" UI dashboard under "Micro Segmentation Policies".
Dependencies#
A MicroSegmentationPolicy must be applied to one or more serviceTargets of the following types:
These resources should be created first, before creating the MicroSegmentationPolicy.
Referenced resources#
Group Tags#
A MicroSegmentationPolicy typically refers to GroupTags as source or destination matchCriteria in the policyEntries.
These resources should be created first, before creating the MicroSegmentationPolicy.
Examples#
```yaml
apiVersion: microsegmentation.eda.nokia.com/v1alpha1
kind: MicroSegmentationPolicy
metadata:
  name: client-security-1
  namespace: eda
spec:
  entries:
    - action:
        collectStats: false
        forward: Accept
        log: false
      bidirectional: true
      description: allow any TCP IPv4 traffic to firewall
      match:
        destinationGroupTag:
          - firewall
        protocolName: TCP
        ipVersion: IPv4
    - action:
        collectStats: true
        forward: Accept
        log: true
      bidirectional: true
      description: quarantined hosts allow to firewall only
      match:
        destinationGroupTag:
          - firewall
        sourceGroupTag:
          - quarantine
    - action:
        collectStats: true
        forward: Drop
        log: true
      bidirectional: true
      description: block all other quarantine traffic
      match:
        sourceGroupTag:
          - quarantine
    - action:
        collectStats: false
        forward: Accept
        log: false
      bidirectional: true
      description: allow clientgroup1 and clientgroup2 traffic
      match:
        destinationGroupTag:
          - group-client2
        sourceGroupTag:
          - group-client1
    - action:
        collectStats: true
        forward: Drop
        log: false
      bidirectional: true
      description: drop by default
      match: {}
  serviceTargets:
    virtualNetworks:
      - vnet1
      - vnet2
```
```bash
cat << 'EOF' | kubectl apply -f -
apiVersion: microsegmentation.eda.nokia.com/v1alpha1
kind: MicroSegmentationPolicy
metadata:
  name: client-security-1
  namespace: eda
spec:
  entries:
    - action:
        collectStats: false
        forward: Accept
        log: false
      bidirectional: true
      description: allow any TCP IPv4 traffic to firewall
      match:
        destinationGroupTag:
          - firewall
        protocolName: TCP
        ipVersion: IPv4
    - action:
        collectStats: true
        forward: Accept
        log: true
      bidirectional: true
      description: quarantined hosts allow to firewall only
      match:
        destinationGroupTag:
          - firewall
        sourceGroupTag:
          - quarantine
    - action:
        collectStats: true
        forward: Drop
        log: true
      bidirectional: true
      description: block all other quarantine traffic
      match:
        sourceGroupTag:
          - quarantine
    - action:
        collectStats: false
        forward: Accept
        log: false
      bidirectional: true
      description: allow clientgroup1 and clientgroup2 traffic
      match:
        destinationGroupTag:
          - group-client2
        sourceGroupTag:
          - group-client1
    - action:
        collectStats: true
        forward: Drop
        log: false
      bidirectional: true
      description: drop by default
      match: {}
  serviceTargets:
    virtualNetworks:
      - vnet1
      - vnet2
EOF
```
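As an added illustration (not EDA's own code) of the first-match evaluation and the bidirectional duplication described above, the following Python models the example policy client-security-1. It assumes packets arrive with their group tags already resolved, that the reversed copy of a bidirectional entry is evaluated directly after its original, and it omits the port, protocol-number and TCP-flag criteria.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed packet summary: group tags are assumed to be already derived
Packet = namedtuple("Packet", "src_tag dst_tag proto ip_version", defaults=("TCP", "IPv4"))

@dataclass
class Entry:                         # one policyEntry, reduced to the fields the example uses
    forward: str                     # "Accept" or "Drop"
    log: bool = False
    collect_stats: bool = False
    src: frozenset = frozenset()     # sourceGroupTag; empty means "any"
    dst: frozenset = frozenset()     # destinationGroupTag; empty means "any"
    proto: Optional[str] = None      # protocolName
    ip_version: Optional[str] = None
    bidirectional: bool = True
    def swapped(self):               # the reversed copy that bidirectional: true implies
        return Entry(self.forward, self.log, self.collect_stats,
                     self.dst, self.src, self.proto, self.ip_version, False)
    def matches(self, p):
        return ((not self.src or p.src_tag in self.src)
                and (not self.dst or p.dst_tag in self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.ip_version is None or p.ip_version == self.ip_version))

def expand(entries):
    """Assumption: the reversed copy is placed directly after its original."""
    out = []
    for e in entries:
        out.append(e)
        if e.bidirectional and (e.src or e.dst):   # match: {} has nothing to swap
            out.append(e.swapped())
    return out

def evaluate(entries, pkt):
    """First match ends evaluation: returns (forward, log, collectStats, index) or None."""
    for i, e in enumerate(expand(entries)):
        if e.matches(pkt):
            return e.forward, e.log, e.collect_stats, i
    return None   # unmatched; the page's example avoids this with a final catch-all Drop

FW, Q, C1, C2 = (frozenset({t}) for t in ("firewall", "quarantine", "group-client1", "group-client2"))
POLICY = [   # client-security-1 from the example above, entry by entry
    Entry("Accept", dst=FW, proto="TCP", ip_version="IPv4"),
    Entry("Accept", log=True, collect_stats=True, src=Q, dst=FW),
    Entry("Drop", log=True, collect_stats=True, src=Q),
    Entry("Accept", src=C1, dst=C2),
    Entry("Drop", collect_stats=True),
]
```

Running it shows why entry order matters for visibility: TCP traffic from a quarantined host to the firewall is accepted by the first entry (log: false) before the second, logged entry is ever consulted, so only non-TCP quarantine-to-firewall traffic produces log records.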
Custom Resource Definition#
To browse the Custom Resource Definition go to crd.eda.dev.
MicroSegmentationPolicy
SPEC
Micro Segmentation Policy applies a set of Policy Entries to a set of Virtual Networks, Routers, and Bridge Domains. Each entry consists of match criteria and actions to take when traffic matches the criteria. The policy is applied to all interfaces within the network-instance automatically.
- entries: A list of entries defining the match criteria and actions for this policy. Each entry has the following fields.
  - action: Actions to take when traffic matches the defined criteria. If not specified, matching traffic will be allowed by default.
    - collectStats: Collect statistics on matching traffic. default: false
    - forward: Allow or drop the matching traffic. enum: "Accept", "Drop"
    - log: Log matching traffic to the node's logging facility. default: false
  - bidirectional: If set to true, the entry is duplicated with source and destination match criteria reversed. default: true
  - description: Describes the microsegmentation policy entry.
  - match: A set of criteria to determine whether traffic matches this entry. If traffic matches all specified criteria, the defined actions will be applied to the traffic. If not specified, all traffic will match by default. The available criteria are:
    - destinationGroupTag: Destination GroupTag to match.
    - Destination port to match by name. enum: "ACAP", "AFP-TCP", "ARNS", +164 more
    - Destination port to match by numerical value. range: 0 to 65535
    - Operator to use when matching destinationPort, either Equals, GreaterOrEquals, or LessOrEquals. enum: "Equals", "GreaterOrEquals", "LessOrEquals"
    - Range of destination ports to match, in the format n-m, e.g. 100-200. The start and end of the range must be port numbers.
    - ipVersion: Match on IP version, either IPv4 or IPv6. enum: "IPv4", "IPv6"
    - protocolName: Match a specific IP protocol name (specified in the type field of the IP header). enum: "TCP", "UDP", "AH", +24 more
    - Match a specific IP protocol number (specified in the type field of the IP header). range: 0 to 255
    - sourceGroupTag: Source GroupTag to match.
    - Source port to match by name. enum: "ACAP", "AFP-TCP", "ARNS", +164 more
    - Source port to match by numerical value. range: 0 to 65535
    - Operator to use when matching sourcePort, either Equals, GreaterOrEquals, or LessOrEquals. enum: "Equals", "GreaterOrEquals", "LessOrEquals"
    - Range of source ports to match, in the format n-m, e.g. 100-200. The start and end of the range must be port numbers.
    - Match TCP flags, usable with the operators !, & and | and the flags RST, SYN, and ACK.
- serviceTargets: The set of services to which this policy applies. At least one of Virtual Networks, Virtual Network Selectors, Routers, Router Selectors, Bridge Domains, or Bridge Domain Selectors must be set. The use of Virtual Networks is recommended. Advanced: if Virtual Networks are used, the policy will automatically apply to all interfaces in the Virtual Network. If Routers or Bridge Domains are used to compose an L3 service without using Virtual Networks, Group Tags with a *global scope* should be used, as a *local scope* Group Tag would result in the IDs being allocated per individual Router or Bridge Domain.
  - Bridge Domains (label selectors) to which this policy applies.
  - Bridge Domains to which this policy applies.
  - Routers (label selectors) to which this policy applies.
  - Routers to which this policy applies.
  - Virtual Networks (label selectors) to which this policy applies.
  - virtualNetworks: Virtual Networks to which this policy applies.
STATUS
MicroSegmentationPolicyStatus defines the observed state of MicroSegmentationPolicy