Abstract:
With the development of LTE-R (Long Term Evolution for Railways) networks, traditional security architectures struggle to address increasingly complex security threats, particularly blurred network boundaries and unauthorized access by "illegal users". This paper proposes a zero-trust architecture for LTE-R based on Software Defined Perimeter (SDP), grounded in the zero-trust principle of "never trust, always verify". The architecture combines Single Packet Authorization (SPA), continuous authentication mechanisms, and behavioral audit strategies to implement service-port invisibility, least-privilege control, and dynamic permission management. It effectively defends against lateral infiltration, man-in-the-middle attacks, and port scanning, providing a feasible pathway to safeguard LTE-R core dispatching systems and to facilitate the zero-trust transformation of railway communication networks.
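The SPA step of an SDP gateway, as an added illustration that is not code from the paper: a client sends one authenticated datagram, and the gateway opens the requested service only after the key, freshness, replay and per-device authorization checks all pass, so an unauthenticated scan sees no open port. Device ids, keys and service names are constructed placeholders.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed placeholders: per-device pre-shared keys and the services each
# device may reach (least privilege). In a deployment the SDP controller
# holds these and pushes decisions to the gateway.
DEVICE_KEYS = {"train-0421": b"k" * 32, "dispatch-ws-07": b"j" * 32}
DEVICE_SERVICES = {"train-0421": {"dispatch-voice"},
                   "dispatch-ws-07": {"dispatch-voice", "ctc-admin"}}
MAX_SKEW = 30            # seconds; older or future-dated packets are dropped
TAG_LEN = 32             # HMAC-SHA256 output length
seen_nonces = set()      # replay cache; bound its size in a real gateway

def build_spa(device_id, service, key, now=None):
    """Client side: one UDP datagram = JSON claims || HMAC-SHA256 tag."""
    claims = {"dev": device_id, "svc": service,
              "ts": int(now if now is not None else time.time()),
              "nonce": os.urandom(16).hex()}
    payload = json.dumps(claims, sort_keys=True).encode()
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def verify_spa(packet, now=None):
    """Gateway side. Returns (granted, reason). The gateway sends no reply on
    failure, so the service port stays invisible to port scans."""
    now = now if now is not None else time.time()
    if len(packet) <= TAG_LEN:
        return False, "short"
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    try:
        claims = json.loads(payload)
        dev, svc = claims["dev"], claims["svc"]
        ts, nonce = int(claims["ts"]), claims["nonce"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    key = DEVICE_KEYS.get(dev)
    if key is None:
        return False, "unknown-device"
    # Authenticate before anything else: only genuine packets may touch the
    # replay cache, so forged traffic cannot poison it.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad-mac"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale"
    if nonce in seen_nonces:
        return False, "replay"
    seen_nonces.add(nonce)
    if svc not in DEVICE_SERVICES.get(dev, set()):
        return False, "not-authorized"   # valid device, wrong service
    return True, f"open {svc} for {dev}"
```

On success the gateway would install a short-lived, source-specific firewall rule for the named service and keep re-evaluating the session under the continuous-authentication and audit policies the abstract describes.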