To configure a Three-Tier design using Cisco commands, follow the steps below:

Configure the Core layer:

Configure the Core layer switches with high-speed links to provide the backbone of the network.
Configure the switchports connected to the Distribution layer switches as trunk ports.
Configure VLANs on the Core layer switches.

Sample Cisco commands:

interface GigabitEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 10,20,30

Configure the Distribution layer:

Configure the Distribution layer switches with uplinks to the Core layer switches and downlinks to the Access layer switches.
Configure the switchports connected to the Core layer switches as trunk ports and the switchports connected to the Access layer switches as access ports.
Configure VLANs on the Distribution layer switches.

Sample Cisco commands:

interface GigabitEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 10,20,30

interface GigabitEthernet0/2
switchport mode access
switchport access vlan 10

Configure the Access layer:

Configure the Access layer switches with uplinks to the Distribution layer switches.
Configure the switchports connected to end devices as access ports.
Configure VLANs on the Access layer switches.

Sample Cisco commands:

interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10

interface GigabitEthernet0/2
switchport mode access
switchport access vlan 20

Configure Spanning Tree Protocol (STP):

Configure STP to prevent loops in the network.
Configure the Core layer switches as the root bridges for each VLAN.
Sample Cisco commands:

spanning-tree mode rapid-pvst
spanning-tree vlan 10,20,30 root primary

Configure Link Aggregation Control Protocol (LACP):

Configure LACP to provide link redundancy and load balancing between switches.
Sample Cisco commands:

interface GigabitEthernet0/1
channel-group 1 mode active

Configure VLANs:

Configure VLANs on the Core, Distribution, and Access layer switches to segment the network.
Assign ports to VLANs based on the device type and location.
Sample Cisco commands:

vlan 10
name Sales
vlan 20
name Engineering
vlan 30
name Marketing

Verify the configuration:

Verify the configuration by checking the switchport settings, VLAN configuration, and STP status.
Sample Cisco commands:

show interfaces GigabitEthernet0/1 switchport
show vlan brief
show spanning-tree vlan 10,20,30

By following these steps, you can configure a Three-Tier design using Cisco commands.

Follow a previous article on building a two tier campus network.
Design and Build a Two-Tier Campus Network Architecture

Follow this Cisco Validated Design for Inspiration.

Cisco Meraki has some good validated design ideas here.

What is Routing Security?

Routing security refers to the measures taken to protect the routing infrastructure of a network from attacks or other forms of unauthorized access. This includes securing routers, switches, and other network devices that are involved in directing traffic. The goal of routing security is to ensure that traffic is routed correctly and securely, without interference or interception by unauthorized parties.

Why is Routing Security Important?

Routing security is critical to maintaining the integrity and availability of the network. A compromised routing infrastructure can result in the following:

Loss of Confidentiality: Attackers can intercept sensitive data by redirecting traffic to a malicious endpoint.
Loss of Integrity: Attackers can modify or tamper with data packets, potentially compromising the data’s authenticity and reliability.

Loss of Availability: Attackers can disrupt network traffic by blocking or redirecting packets, causing downtime for critical services.

Best Practices for Securing a Network’s Routing Infrastructure
There are several best practices that network administrators can follow to secure their routing infrastructure. These include:

Implement Access Control Lists (ACLs)
ACLs are a set of rules that determine which traffic is allowed or denied access to a network. They can be used to block traffic from specific IP addresses, protocols, or ports, and can be applied at different levels of the network. For example, an ACL can be applied to a router to block traffic from a specific IP address or port, or it can be applied to a switch to block traffic from a particular VLAN.
Here is a sample Cisco ACL configuration:

Router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
Router(config)# access-list 100 permit ip any any
Router(config)# interface fa0/0
Router(config-if)# ip access-group 100 in

This configuration creates an ACL that denies traffic from any IP address in the 10.0.0.0/8 network and permits all other traffic. The ACL is then applied to the inbound interface of the router’s Fa0/0 interface.

Use Routing Protocols with Authentication
Routing protocols are used to exchange routing information between routers and switches. However, these protocols can be vulnerable to attacks that attempt to manipulate the routing tables. To prevent this, it is recommended to use routing protocols that support authentication, such as OSPFv3 or BGP. Authentication ensures that only authorized devices can participate in the routing process.

Here is a sample Cisco OSPFv3 configuration:

Router(config)# interface fa0/0
Router(config-if)# ipv6 ospf authentication message-digest
Router(config-if)# ipv6 ospf message-digest-key 1 md5 cisco123
Router(config)# ipv6 router ospf 1
Router(config-rtr)# area 0 authentication message-digest

This configuration enables OSPFv3 authentication using MD5 encryption with the key “cisco123”. It also enables authentication for the router’s OSPFv3 area.

Use Secure Management Practices
Network devices must be securely managed to prevent unauthorized access or modifications. This includes setting strong passwords for user accounts, disabling unnecessary services, and limiting access to management interfaces.

Here is a sample Cisco configuration to enable secure management:

Router(config)# enable secret cisco123
Router(config)# line vty 0 4
Router(config-line)# login
Router(config-line)# transport input ssh
Router(config)# ip ssh version 2

This configuration sets the enable secret to “cisco123”, requiring a password to access privileged mode. It also configures the virtual terminal lines for SSH access only and enables SSH version 2 for secure remote access.

Implement Network Segmentation
Network segmentation involves dividing the network into smaller, isolated segments, each with its own security controls. This reduces the attack surface and limits the impact of a potential breach. For example, critical servers and services can be placed in a separate segment that is only accessible to authorized personnel. Here is a sample Cisco configuration for VLAN segmentation:

Switch(config)# vlan 10
Switch(config-vlan)# name Finance
Switch(config-vlan)# exit

Switch(config)# vlan 20
Switch(config-vlan)# name HR
Switch(config-vlan)# exit

Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit

Switch(config)# interface fa0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)# exit

This configuration creates two VLANs for Finance and HR, respectively. The switch’s Fa0/1 interface is assigned to the Finance VLAN, and the Fa0/2 interface is assigned to the HR VLAN. This creates a logical separation between the two segments, limiting communication between them.

Keep Software Up-to-Date
Keeping network device software up-to-date is critical to address security vulnerabilities and bugs. Regularly check for firmware and software updates from the vendor and apply them as soon as possible. Here is a sample Cisco configuration to upgrade the IOS image:

Router# copy tftp://192.168.1.10/c2960x-universalk9-mz.152-4.E6.bin flash:
Router# configure terminal
Router(config)# boot system flash:/c2960x-universalk9-mz.152-4.E6.bin
Router(config)# exit
Router# reload

This configuration copies the new IOS image from a TFTP server with the IP address of 192.168.1.10 and saves it to the device’s flash memory. It then sets the new IOS image as the default boot image and reloads the device to apply the update.

Conclusion

Routing security is critical to maintaining the integrity and availability of a network’s infrastructure. Following best practices, such as implementing access control lists, using routing protocols with authentication, implementing network segmentation, and keeping software up-to-date, can help mitigate the risks of attacks and unauthorized access. Cisco devices provide many security features and configurations to help secure a network’s routing infrastructure, and these code samples are just a few examples of how to do so. It is crucial to continuously monitor and update the network’s security to stay ahead of potential threats.

Develop a NAC Policy
The first step in implementing effective NAC is to develop a policy that outlines the rules and procedures for granting network access. This policy should be tailored to your organization’s specific needs and take into account factors such as user roles, devices, and applications. It should also include clear guidelines on how to enforce the policy, such as the use of firewalls and intrusion detection systems.

Identify and Authenticate Users
To ensure that only authorized users have access to your network, it is important to implement strong authentication methods. This can include usernames and passwords, two-factor authentication, or biometric authentication. In addition, it is important to regularly review and update user access privileges to ensure that they align with current job responsibilities.

Segment Your Network
Segmenting your network can help to limit the spread of malware and other security threats. By dividing your network into smaller subnets, you can control which users and devices have access to different areas of the network. This can help to prevent lateral movement by attackers and limit the impact of any security breaches.

Monitor and Enforce NAC Policies
Monitoring and enforcing your NAC policies is critical to maintaining the security of your network. This can include monitoring user activity, network traffic, and device usage. By analyzing this data, you can identify any suspicious activity and take appropriate action to mitigate any potential threats.

Regularly Update Your NAC Solution
Network security threats are constantly evolving, which means that your NAC solution needs to be updated regularly to stay effective. This can include updating software and firmware, adding new security features, and patching any vulnerabilities that are identified. Regular testing and validation of your NAC solution can help to ensure that it is functioning as intended and providing adequate protection for your network.

In conclusion, implementing effective network access control is critical to maintaining the security of your organization’s network. By following these best practices, you can help to prevent unauthorized access, limit the spread of malware, and protect sensitive data. Remember to regularly review and update your NAC policies and solutions to stay ahead of the evolving threat landscape.

SANS Institute has a great paper on the above subject.

In this article, Network Segmentation Best Practices to Create Secured Enterprise Environment, Senior Network Engineer, Samuel Oppong, discusses the reasons why network segmentation as a concept should be employed and implemented by enterprises in the new decade.

In The Beginning was the NAC
Network access control (NAC) was an amazing gift foundational to cyber-security efforts since the inception of networks, and it has largely remained the same for the last two decades. Organisations discovered a binary system that worked well by either allowing or denying devices access to the network. Since all devices had MAC Addresses and operated on IPV4 IP Addressing, NAC worked exceptionally well to control access to the network based on the laid down policies.
Corporate domain and guest access were in those days the only two options as the demand for innovation didn’t exist. As we have observed in recent times, there has been major changes since the revolution of internet of things (IoT).
The humongous growth and expansion in the volume of IoT devices only meant that the technology quickly posed new questions to network security that had not before been considered.
A great number of Internet of Things (IoT) and operational technology (OT) devices are not bound by the same guidelines traditional devices connected to the network follows, rendering existing NAC systems redundant and ineffective. The result of this has made companies lose visibility and control over what is connected to the network.

Then Came the Game Changer

With IT and OT devices moving away from the traditional Microsoft Windows and Linux management structure(s), NAC had had to adapt to be able to maintain high level of security. This adaptation meant NAC systems had to become agentless making it possible for its security protocol applicable to all devices across any environment. This breakthrough catapulted NAC to the next level of network security. This great advancement has been short-lived as networks have continued to grow in complexity, revealing more limitations of existing NAC models. The demand for interconnectivity across the campus, data centre, cloud and OT environments has meant that the traditional networks have outgrown the effectiveness of agentless protection and has therefore reached the threshold for innovation.

Threat actors targets large corporations and enterprises operating complex networks, such as the manufacturing industry, with increasing frequency. According to Hiscox, from 45% of businesses in 2018 to 61% in 2019 have experienced an attack. The ease at which threat actors pivot laterally across these vulnerable networks result in great disruptions and damage to both property and reputation which is critical for trust in the business circles. The Wannacry ransomware attack caused the shipping company Maersk to resort to ceasing its entire business operations and had to reinstall 4,000 servers, 45,000 computers and 2,500 applications to ensure the network was free and clear of the ransomware. This unplanned change caused severe disruption across the business and could have been averted had its network architecture limited movement once access was gained.

This has always been here – Segmentation has always been possible
Inspite of the fact that network segmentation is not a new concept, adoption across the enterprise has been very slow and, when undertaken, often tedious. This perhaps is as a result of the limitations of technologies being used in businesses such as difficulty to implement in environments outside of the data centre or blind spots such as IoT and IoT connected devices.

For an effective confrontation and onslaught of the growing combination of threats and enable zero-trust policies, network segmentation must go through an evolution to become a truly impactful approach for CISOs and IT directors in the new decade.

The initial stage or approach of this is having the full context of connected devices and applications that can be segmented across the entire enterprise from campus to data centre to cloud and OT environments. Having full visibility is the basic fundamental requirement to be able to begin segmentation and so it is paramount that you know where things are on your network. Quite simply put, if you can’t see what is there, you can’t protect it and the more granular the level of visibility is achieved, the more control you will be afforded.

Figure 1.0 -Cyber Attacks – Why Network Segmentation is Essential to Creating a Secure Enterprise Environment

Chief Information Security Officers (CISOs) at the moment encounter the real challenge of segmenting the network due to the partial context and hindered total visibility. A very handful of organisations have the ability to structure their network from the foundation and so are instead more likely to create layer network segmentation on top of the existing network. The result of such efforts only means that the underlying network is never segmented effectively and across the entire enterprise.

Although segmenting from a perspective of device context may be good, advanced network segmentation also requires traffic context. The ability to have an insight into what device(s) are communicating between each other in the existing network and what is considered legitimate traffic is paramount for Chief Information Security Officers (CISOs) today. Without the knowledge of what should be talking to what on the network, full segmentation is not possible, and you cannot guarantee that sections of the network will not break.

Figure 1.1 – Why Network Segmentation is Essential to Creating a Secure Enterprise Environment

Make no mistake, without both levels of contextual information the policies are redundant. For network segmentation to be effective in today’s enterprise the enforcement of policies must be adaptable and automated, with considerations of device and traffic context that stay up-to-date with the ever-changing network.

Chief Information Security Officers (CISOs) do not have the easiest task when attempting to implement new security features across the entire network. They face challenges daily of growing number of threats while meeting more compliance directives. With the advancement of technology, the new era of network segmentation has been fashioned to allow businesses to automate the identification and isolation of threats, without impacting business operations. Many others think see data breaches as someone else’s problem assuming the position of thought ‘It won’t happen to me’…until it inevitably does. Being wise to eliminate the limiting risks, maximising control and enabling full visibility across a network, enterprises can more effectively prepare and manage the next wave of cyber threats which is currently on the rise.

Figure 1.2 – Cyber Threats – Why Network Segmentation is Essential to Creating a Secure Enterprise Environment

It is reported that the top 5 industries targeted by cyber attacks are as per below;

• Financial Services
• Services and Consultancies
• Telecom
• Manufacturing
• Insurance

Challenges facing enterprises in considering and deploying a segmented network

Lack of confidence to move forward
A great percentage of companies are in the preliminary stages of network segmentation projects, but the progress to a mature, enterprise-wide segmentation strategy is a totally different ballgame. Network architects and operations teams are currently finding it difficult to catch up with upcoming and emerging information technologies and software adoption such as the IoT, cloud, software-defined networking and digital transformation. The chosen teams may have differing agendas and are most often distributed across multiple geographies and depend on collaboration in order to get things done. Knowing of the tasks at hand and resource constraints, it is not surprising that most network segmentation projects are locked up in the early stages of planning.

Lack of skills, resources and tools
Delays to implementation, business disruptions and overly excessive operational costs all comes as a result of lack of skills and the proper toolsets. It’s no wonder organisations are struggling to plan, deploy, monitor and maintain network segmentation projects.
It is often observed that segmentation projects miss the expectations due to a lack of contextual understanding of the environment, which contributes to a collective inability to define and build the right business logic behind segmentation rules.
The well known segmentation solutions tend to be laborious, as they require manual analysis of traffic flows and logs to understand traffic dependencies. Disparate teams all too often try to build segmentation policies, mapping those policies to their siloed environments, which is likely to increase human error, inconsistent segmentation policies, and even business disruption. This approach can also result in months spent in identifying policy anomalies and validating segmentation hygiene in the environment.

Multivendor and multidomain environment complexity
Traditional segmentation is challenging enough when a network is basic, but when you factor in that most segmentation takes place in complex, multivendor, multidomain enterprise environments, implementation becomes a massive project to undertake.
In a Multivendor, Multidomain environment, employing traditional approaches such as virtual local area networks (VLANs), access control lists (ACLs), next-generation firewalls and agent overlays typically results in siloed segmentation rules that aren’t dynamic or granular enough to effectively reduce risk across campus, data center, cloud and OT environments. I hope you are beginning to appreciate this important concept?

Protecting critical business applications
• Protect business-critical applications, ensure controls are effectively enforced and continuously monitor to ensure continuous protection. Maintain appropriate intra- and inter business service controls across different services, applications and domains.
• Control user access to critical business services across different domains. Protect business critical applications from misuse by users, ensure controls are effectively enforced and continuously monitor ongoing protection.

Enforce privileged access to critical IT infrastructure
Restrict IT admin access to sensitive network devices (switch, NGFW, etc.) and data center/cloud workloads (Active Directory/LDAP, Domain Name System, Oracle Cluster, etc.) based on designated admins (role-based), IT admin endpoint state (encrypted, domain-joined, etc.) and secure communication (specific port/service)

Protecting enterprise IoT/OT devices (printers, cameras, VoIP, card reader, HVAC, etc.)
Protect the IT network from IoT/OT devices – as discussed in earlier paragraphs, it is best to keep IoT’s in their dedicated segment.
• Protect IoT/OT devices from attacks

Enterprise-wide segmentation assurance
Ensure all enforcement points across different domains (campus, data center and IoT), managed by other teams, are meeting segmentation policy requirements and configured as intended.

Containment of vulnerable devices
Limit access from/to vulnerable devices (WannaCry, unpatched, end of life, etc.) to the rest of the network.

Protecting legacy applications/OS devices
Reduce the attack surface by segregating devices with legacy operating systems and applications installed on them
• Mitigate risk of threats to devices running end-of-life operating systems

Why modern enterprises need network segmentation
As businesses become more digital and connected, and cyber attacks become more sophisticated and destructive, it is becoming increasingly clear that enterprises need a new approach to security.

Welcome to Network Segmentation
Network segmentation is arguably one of the most powerful but underestimated security steps and a cornerstone of a successful information security program. This concept when implemented directly addresses the realities of today’s threat landscape—that you cannot prevent a cyber breach, but you can isolate one. Segmentation makes it possible to isolate or quarantine a breached zone without crippling your entire enterprise network.
The focus of Network segmentation is in separating parts of the network from one another with barriers or controls.

It makes applying policies to segmented zones much easier and effective. Imagine the ability to monitor all traffic coming in and out of the Human Resources Department and applying the appropriate policies so you are able to create baselines based on expected behaviours? Where the segmentation effort covers function — for example, the DevOps system is segmented from the HR system, this also makes it possible to apply policies or rules to the functions. In another approach, the segmentation occurs by data classification — for example, sensitive or regulated data, such as personally identifiable information (PII), is isolated from the rest of the network.

By implementing network segmentation, modern enterprises can help address today’s major cyber security challenges far better than with flat networks. When a proper network segmentation is implemented, it lays down the groundwork for controls which defends and protects against (East-West) lateral movement on the network by ill intending malicious software and actors, preventing a potential infection or compromise from spreading across the entire network. This allows for additional control points across the network, making significant increase in visibility and control over traffic on the network.

Since the vast majority of breaches are thought to occur toward the network periphery, it is clear that proper network segmentation should be the starting point for protecting modern enterprises.

Flat Networks – Flat networks focus on providing reliable and fast connectivity for all devices on the network, meaning all devices have equal access to the network and all services and information that reside on it.

In fact, one of the most infamous corporate data breaches to date—the massive hack of a major retailer in 2015—was partially blamed on improper network segmentation. According to Computerworld, hackers broke into the retailer’s network using login credentials stolen from a third-party contractor. They then leveraged that access to move through the network, eventually accessing the company’s point-of-sale systems (POS), which handled sensitive consumer payment card data.

A framework for implementing network segmentation
I have read through KPMG’s framework document and pleased with the laid down recommendations. View resource | A framework for implementing network segmentation.

According to research commissioned by Avaya, although virtually all information technology professionals believe network segmentation is an essential security measure, less than one-quarter of organisations actually implement it. The biggest stumbling block? Complexity.
There is no getting around it: Implementing network segmentation is a vital but incredibly significant organisational effort. Businesses may need to add or replace hardware and software. They may need to integrate existing solutions in different and new ways. The people who manage the network may need to change, as may the processes governing the network. Even the users of the network may need to transform.

Below, describes 10 components of trusted framework for network segmentation.
Businesses challenged to phase out outdated network infrastructure and update their network to handle the security challenges of today and tomorrow can use this framework as a basic guide to getting started on network segmentation.

Figure 1.2 – Network Segmentation Framework – Why Network Segmentation is Essential to Creating a Secure Enterprise Environment

Strategy
The plan of action
Creating a network segmentation strategy is essentially the guiding document for the overall network segmentation effort. This strategy helps to document the organisation’s goals and defines the parameters for the segmentation. A tier of segmentation could be initiated from the regional level that is creating subnetworks based on the geographical location of the business and afterwards moving down to the functional level where the divisions of departments or functions like HR Systems from Finance Systems). The last bit would be to and finally segment at the data level that is ensuring that sensitive data types like intellectual property are well protected in secured zones segmented well away from other zones.

Network architecture
The blueprint
To build things right, it’s best to have a design or an idea on paper what you want to see. The network architecture foundational to network segmentation or the implementation blueprint of the network segmentation strategy. This design or architecture shows the number of segments and the number and type of control points between segments, see Figure 1.2.

IT asset management
Defining who is on the network
To thoroughly validate and authorise devices for the network, a comprehensive IT asset management programme must be instituted. With the implementation of IT asset management, the network segmentation effort helps to define the requirements for segmentation and network authorisation levels based on the user, device and location.

Network access control, firewalls and intrusion prevention systems
The core security controls
A good number of technology solutions works hand in hand to prevent malicious actors and malware from entering and moving through the segmented network. Intrusion prevention systems monitors and detects the presence of bad actors on the network. Routers and firewalls direct the flow of traffic between segments based on user and device criteria. Finally, network access control limits admission to the network based on compliance to the organisation’s security policies. For example, it validates that only authorised users and devices—those which meet the network segment’s security requirements—are allowed on that particular network segment.

Behavior-based protections
Dynamic, next-generation security controls
The ability to leverage advanced user analytics, makes organisations able to make behavioral analysis a next-level control on the network. This enables more sophistication in how the network prevents, detects and responds to cyber threats. With user analytics, the organisation is able to map out a baseline profile of each user —i.e., who they are, what device they use, where they connect from, and how they authenticate their identity. Once the profile is in place, the network can spot deviations from normal user behavior—even if it is within the allowed traffic—and dynamically adjust how they treat that user based on that change in behavior. For example, if a user who normally never transmits any data externally suddenly starts transmitting large amounts, it may be a valid action—or it may indicate a breach, malware infection or insider threat. Having detected this change in behavior, the network would automatically quarantine the potentially compromised user to allow for further investigation, prevent a possible breach in progress, and expedite any required remediation effort.

Network policy management tools
Automating security rule improvement
Network policy management tools continuously analyze the traffic on the network and compare it to the control rules. Based onoutcome of these analysis, the tools inteliigently suggest improvements to the rules to provide a more granular filtering. This empowers the ability to migrate to a strategically segmented network by initially leveraging a relatively open rule base and then automatically defining more granular rules based on traffic flows – flows determined from careful observation and analysis.

Data center micro segmentation
Protecting the highest-priority systems
The security of data centers, which house the network’s most critical systems, is a top priority for organisations. As common practice, data centers are one segment of the larger network, fenced securely by perimeter security technologies. Only authorised devices are permitted to access the data center and resources tied to that segment. Interestingly, inventive cyber actors have now demonstrated the ability to compromise even authorised devices which was not possible in the past. Once they gain entry, they can often wreak havoc across the data center. Micro segmentation is one great way helping in recent times to prevent the spread of intrusions by dividing the data center into even smaller zones, enabling organisations to stop intruders from moving freely about the data center segment, sandboxing for lack of a better term breaches within the most crucial enterprise systems hence preventing an explosion of sudden attacks or infections due to the breach.

Data classification
Enabling data center micro segmentation
Network segmentation based on data classification, a common approach in the data center, requires a comprehensive data classification program. With the data classification program, it is possible to not only define micro segments, but also define different authorization levels based on the user, device, location and data being accessed.

Keeping Everything on Track

A dedicated programme management and an architecture management are critical pieces of a network segmentation project, in place to keep the project on track from the get-start-go. These functions provide directives and leading over network architecture decisions throughout the course of the project. This dedicated programme management, provide quality assurance, maintain schedule, budget and resources, and provide status reporting for stakeholders.

Organisational Change Management
Getting the organisation aligned
Implementing network segmentation is really about transforming the network from a flat network to a modern and secure network. As with any technology transformation, the people and processes connected to the network have to transform, too. These changes should be handled through an organisational change management function, which drives the changes throughout the organisation. This function helps ensure end users are informed, engaged and able to make the required behavioral changes. It also develops strategies, plans and tactics to obtain key stakeholder buy-in, communicate effectively, mitigate stakeholder resistance, and train and educate impacted people.

Final Thoughts
If your organisation has not implemented network segmentation, now is the time to consider it. Just as the smart king would never depend on a single gate to secure his kingdom, a smart business leader would never rely on a single control point to protect the organisation’s assets.
Network segmentation—which limits the damage of a breach—is arguably the leading defense against the latest, sophisticated security threats. As corporate hacks become more frequent and devastating, impacting large and small businesses in every industry, network segmentation has become an imperative for the modern enterprise. Effective network segmentation is a huge undertaking. But if you break it down to its basic pieces—the 10 components as in the above framework—it becomes significantly more manageable to implement proper network segmentation to better protect your enterprise.

Other Good Reads:
Configuring the Routed Enterprise Campus Network
Network Segmentation How To Tips
Creating a Secured Azure Network Framework