This post gives a practical, step-by-step blueprint for small businesses to implement VLAN-based segmentation and a DMZ (demilitarized zone) to host publicly accessible systems while meeting the intent of FAR 52.204-21 and CMMC 2.0 Level 1 control SC.L1-B.1.XI — isolating public-facing services from internal networks that handle sensitive data.
What this control requires and why it matters
At its core the requirement is simple: publicly accessible systems — web servers, VPN gateways, public APIs, kiosks — must be placed in subnetworks that are isolated from internal networks that store or access Controlled Unclassified Information (CUI) or other sensitive business data. For small businesses this reduces blast radius from internet-exposed hosts and creates enforceable boundaries where firewalls, access controls and logging can be focused. The risk of not implementing segmentation includes lateral movement by attackers, unauthorized access to internal data stores, loss of contracts or penalties under FAR 52.204-21, and failure to meet CMMC 2.0 basic hygiene controls.
Step-by-step implementation
1) Plan and design the segmentation
Start with a simple logical design: define at least three VLANs/subnets — WAN (internet), DMZ (public hosts), and LAN (internal users and servers). Add a management VLAN for network gear. Example small-business addressing: DMZ = 10.10.10.0/24, LAN = 10.10.20.0/24, MGMT = 10.10.254.0/24. Key objectives: (a) allow only necessary inbound ports from the internet to the DMZ, (b) prevent DMZ hosts from initiating sessions to LAN hosts except for tightly controlled management, (c) centralize logging and monitoring, and (d) document the design (network diagram, ACL lists, IP inventory) as compliance evidence for FAR/CMMC. Implementation notes: choose one firewall/router to be the enforcement point between VLANs and the internet, and avoid hairpin routing through multiple unmanaged devices.
2) Configure your switches (VLAN tagging and port roles)
On managed switches create VLANs and assign ports as access (end devices) or trunk (uplinks). Use 802.1Q tagging for trunk links. Example Cisco IOS commands, creating the three VLANs from the design above, one access port and one trunk uplink:

  vlan 10
   name DMZ
  vlan 20
   name LAN
  vlan 254
   name MGMT
  interface Gi0/2
   switchport mode access
   switchport access vlan 10
  interface Gi0/1
   switchport trunk encapsulation dot1q
   switchport mode trunk
   switchport trunk allowed vlan 10,20,254

Best practices: avoid using the native VLAN for production traffic (set a dedicated, otherwise unused native VLAN on trunks, or disable it), enable port-security or MAC limits on access ports, and enable BPDU guard on end-user ports and loop guard on uplinks. For small-business gear like Ubiquiti or Netgear Pro, the same principles apply via the UI: create VLANs, tag SSIDs for wireless, and assign ports accordingly.
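The port-role rules in this step can be expressed as a small inventory and turned into switch configuration mechanically, which also lets you reject mistakes (production traffic on VLAN 1, a trunk carrying an undefined VLAN) before anything is pasted into a switch. The following is an added example, not code from the post or from Cisco: the VLAN ids and names are the post's example values; the port assignments, the use of VLAN 999 as a parking VLAN for unused ports and as the trunk native VLAN, and the port-security limits are assumptions.

```python
"""Generate a Cisco IOS-style VLAN and port configuration from a small port inventory.

Added example, not code from the post. The VLAN ids and names are the post's
example values; the port assignments, the parking VLAN 999 (trunk native VLAN
and unused ports) and the port-security limits are assumptions.
"""

# VLAN id -> name. 999 is an assumed "parking" VLAN: trunk native VLAN and unused ports.
VLANS = {10: "DMZ", 20: "LAN", 254: "MGMT", 999: "PARKING"}
PARKING_VLAN = 999

# Assumed port inventory: (interface, role, access VLAN id or list of allowed VLANs for trunks)
PORTS = [
    ("GigabitEthernet0/1", "trunk", [10, 20, 254]),   # uplink to the firewall
    ("GigabitEthernet0/2", "access", 10),             # DMZ web server
    ("GigabitEthernet0/3", "access", 20),             # LAN workstation
    ("GigabitEthernet0/4", "access", 254),            # management workstation
    ("GigabitEthernet0/5", "unused", None),           # spare port
]


def validate(vlans, ports):
    """Return a list of design problems; an empty list means the inventory is consistent."""
    errors = []
    if 1 in vlans:
        errors.append("VLAN 1 is defined: do not carry production traffic on the default VLAN")
    for iface, role, vlan in ports:
        if role == "access":
            if vlan not in vlans or vlan == PARKING_VLAN:
                errors.append(f"{iface}: access VLAN {vlan} is undefined or is the parking VLAN")
        elif role == "trunk":
            unknown = [v for v in vlan if v not in vlans]
            if unknown:
                errors.append(f"{iface}: trunk allows undefined VLANs {unknown}")
            if PARKING_VLAN in vlan:
                errors.append(f"{iface}: trunk must not carry the parking VLAN")
        elif role != "unused":
            errors.append(f"{iface}: unknown role {role!r}")
    return errors


def port_config(iface, role, vlan):
    """Emit the interface stanza for one port, applying the post's best practices."""
    lines = [f"interface {iface}"]
    if role == "access":
        lines += [
            " switchport mode access",
            f" switchport access vlan {vlan}",
            " switchport port-security",              # limit MAC addresses per end-user port
            " switchport port-security maximum 2",
            " switchport port-security violation restrict",
            " spanning-tree portfast",
            " spanning-tree bpduguard enable",        # err-disable the port if a switch is plugged in
        ]
    elif role == "trunk":
        lines += [
            " switchport trunk encapsulation dot1q",
            " switchport mode trunk",
            " switchport nonegotiate",                # no DTP: trunks only where configured
            f" switchport trunk allowed vlan {','.join(str(v) for v in vlan)}",
            f" switchport trunk native vlan {PARKING_VLAN}",  # production VLANs stay tagged
            " spanning-tree guard loop",
        ]
    else:  # unused port: park it on the unused VLAN and shut it down
        lines += [" switchport mode access", f" switchport access vlan {PARKING_VLAN}", " shutdown"]
    return lines


def build_config(vlans=VLANS, ports=PORTS):
    """Return the full configuration text, or raise ValueError listing the design problems."""
    errors = validate(vlans, ports)
    if errors:
        raise ValueError("; ".join(errors))
    lines = []
    for vid, name in sorted(vlans.items()):
        lines += [f"vlan {vid}", f" name {name}"]
    for port in ports:
        lines += port_config(*port)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_config())
```

The generated text is also a useful compliance artifact: commit it alongside the inventory so that a reviewer can diff intended versus running configuration.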
3) Configure firewall/router and DMZ routing rules
Place a stateful firewall between the WAN and DMZ and between the DMZ and LAN (it can be the same appliance with zone rules). Minimal rule set: (a) allow inbound from WAN to DMZ only for required services (e.g., TCP 80,443 to 10.10.10.10); (b) allow DMZ to WAN for updates (HTTP/HTTPS); (c) block DMZ->LAN except for a specific management host, using strict ACLs (because the firewall is stateful, replies to sessions that the management host opens into the DMZ return without any further DMZ->LAN rule); and (d) allow LAN->DMZ only if internal users need legitimate access. Example pfSense-style rules: on WAN, allow proto TCP dst WANIP:443 -> NAT to 10.10.10.10:443; on the DMZ interface, block any to 10.10.20.0/24 except for the management host 10.10.254.10. Use explicit deny rules and log them. If using Cisco IOS subinterfaces (router-on-a-stick): interface Gi0/0.10; encapsulation dot1Q 10; ip address 10.10.10.1 255.255.255.0, and then apply access-lists to control inter-VLAN traffic.
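Before committing rules to the firewall it helps to write the intended zone policy down as data and check it against a matrix of flows that must be allowed or denied; the same matrix later becomes the checklist for the segmentation tests. The block below is an added example and is not code from the post or from pfSense. The zones, addresses and the minimal rule set follow the post; the evaluator is an assumed simplification of stateful firewall behaviour (only the session-initiating direction is evaluated, first match wins, return traffic is implied, anything unmatched is denied and logged), and 203.0.113.x addresses are constructed stand-ins for internet hosts.

```python
"""Model the inter-zone rule set from the post and check it against the design intent.

Added example, not code from the post or from pfSense. Zones, addresses and the
minimal rules follow the post; the evaluator is an assumed simplification of a
stateful firewall: only the initiating direction is evaluated, first match wins,
return traffic is implied and anything unmatched is denied and logged.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {
    "DMZ": ipaddress.ip_network("10.10.10.0/24"),
    "LAN": ipaddress.ip_network("10.10.20.0/24"),
    "MGMT": ipaddress.ip_network("10.10.254.0/24"),
}


def zone_of(ip):
    """Map an address to its zone; anything outside the internal subnets is WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src_zone: str
    dst_zone: str
    proto: str = "any"                   # "tcp", "udp" or "any"
    dst_ports: frozenset = frozenset()   # empty means any port
    src_hosts: frozenset = frozenset()   # empty means any host in the zone
    dst_hosts: frozenset = frozenset()
    log: bool = False

    def matches(self, src_ip, dst_ip, proto, dst_port):
        return (self.src_zone == zone_of(src_ip) and self.dst_zone == zone_of(dst_ip)
                and self.proto in ("any", proto)
                and (not self.dst_ports or dst_port in self.dst_ports)
                and (not self.src_hosts or src_ip in self.src_hosts)
                and (not self.dst_hosts or dst_ip in self.dst_hosts))


# The post's minimal rule set, in evaluation order.
RULES = [
    Rule("allow", "WAN", "DMZ", "tcp", frozenset({80, 443}), dst_hosts=frozenset({"10.10.10.10"})),
    Rule("allow", "MGMT", "DMZ", "tcp", frozenset({22}), src_hosts=frozenset({"10.10.254.10"})),
    Rule("deny", "DMZ", "LAN", log=True),                       # explicit, logged deny
    Rule("deny", "DMZ", "MGMT", log=True),
    Rule("allow", "DMZ", "WAN", "tcp", frozenset({80, 443})),   # OS and package updates
    Rule("allow", "LAN", "DMZ", "tcp", frozenset({443})),       # internal users to the web app
    Rule("allow", "LAN", "WAN"),
]


def evaluate(src_ip, dst_ip, proto, dst_port, rules=RULES):
    """First-match verdict (action, logged) for a session-initiating packet; implicit logged deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dst_port):
            return rule.action, rule.log
    return "deny", True


# Design intent as a test matrix: flow -> expected verdict (203.0.113.x = constructed internet hosts).
INTENT = [
    (("203.0.113.5", "10.10.10.10", "tcp", 443), "allow"),   # public web service
    (("203.0.113.5", "10.10.10.10", "tcp", 22), "deny"),     # no SSH from the internet
    (("203.0.113.5", "10.10.20.50", "tcp", 443), "deny"),    # internet never reaches the LAN
    (("10.10.10.10", "10.10.20.50", "tcp", 445), "deny"),    # DMZ cannot initiate to the LAN
    (("10.10.10.10", "10.10.254.10", "tcp", 22), "deny"),    # DMZ cannot reach the management host
    (("10.10.254.10", "10.10.10.10", "tcp", 22), "allow"),   # only the management host manages DMZ
    (("10.10.254.11", "10.10.10.10", "tcp", 22), "deny"),    # other MGMT hosts do not
    (("10.10.10.10", "203.0.113.80", "tcp", 443), "allow"),  # DMZ updates
    (("10.10.20.50", "10.10.10.10", "tcp", 443), "allow"),   # LAN users to the web app
]


def policy_gaps(rules=RULES, intent=INTENT):
    """Return flows whose verdict differs from the intent as (flow, expected, actual)."""
    gaps = []
    for flow, expected in intent:
        actual, _ = evaluate(*flow, rules=rules)
        if actual != expected:
            gaps.append((flow, expected, actual))
    return gaps


if __name__ == "__main__":
    print("policy gaps:", policy_gaps() or "none")
```

Rule order is part of the policy: an allow placed ahead of the explicit DMZ->LAN deny silently reopens the path, which is exactly the kind of change a monthly rule review (and a re-run of this matrix) should catch.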
4) Host hardening, NAT, and service-specific controls
Public servers in the DMZ should be single-purpose, hardened, and patched. Use host-based firewalls to restrict outbound and inbound ports, remove unnecessary services, and keep an up-to-date OS and application stack. Use NAT/port-forwarding on the firewall for public IP mapping and consider reverse proxies or a Web Application Firewall (WAF) in front of web services. For services requiring inbound connections (web, mail, VPN), only forward the precise ports needed (e.g., 443 for HTTPS) and avoid exposing management ports like SSH/RDP directly to the internet — use a bastion host in the DMZ with MFA or require VPN to a hardened access point. For DNS, implement split-horizon DNS so internal clients resolve internal addresses while public DNS points to the public IP(s) of DMZ services.
5) DHCP, monitoring, testing and compliance evidence
Allocate DHCP scopes per VLAN with reservations for servers where possible; do not run a DHCP server for the management VLAN unless it is tightly controlled. Implement centralized logging (syslog/ELK/Papertrail) and keep logs for an appropriate retention period (e.g., 90 days) to demonstrate monitoring and incident response capability for compliance. Run regular segmentation tests: verify that ports are blocked as expected with tools like Nmap from outside and from inside the DMZ, perform vulnerability scans on DMZ hosts, and conduct periodic penetration tests. Capture evidence: network diagrams, ACL lists, firewall rule exports, scan reports and change logs. These artifacts support FAR 52.204-21 documentation and CMMC Level 1 self-attestation or assessments.
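A segmentation test is only evidence if the scan result is compared against what the design says should be reachable from each vantage point, so the comparison is worth automating. The following is an added example, not code from the post or from the Nmap project: it parses Nmap's grepable output format (-oG) and reports any port open that the policy does not allow, or any required port that is unreachable. The two scan outputs are constructed to look like -oG files (one scan of the DMZ web server from the internet side, one scan of a LAN file server from inside the DMZ); the expected-exposure table follows the post's rule set.

```python
"""Check Nmap grepable output (-oG) from a segmentation test against the expected exposure.

Added example, not code from the post. The two scan outputs are constructed to
look like nmap -oG files; the expected open ports per vantage point follow the
post's rule set (only 80/443 on the DMZ web server from the internet, nothing on
LAN hosts from inside the DMZ).
"""
import re

# Constructed sample: the DMZ web server scanned from the internet side (WAN vantage point).
SCAN_FROM_WAN = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -p- -oG dmz-from-wan.gnmap 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65532)
# Nmap done at Mon Jan  1 10:05:00 2024 -- 1 IP address (1 host up) scanned in 300.00 seconds
"""

# Constructed sample: a LAN file server scanned from a host inside the DMZ (DMZ vantage point).
SCAN_FROM_DMZ = """\
Host: 10.10.20.50 ()\tStatus: Up
Host: 10.10.20.50 ()\tPorts: 445/filtered/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: filtered (65533)
"""

# (vantage point, target) -> TCP ports that are allowed to be open from there.
EXPECTED_OPEN = {
    ("WAN", "10.10.10.10"): {80, 443},
    ("DMZ", "10.10.20.50"): set(),
}

# One -oG port entry has the form port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/")


def open_tcp_ports(gnmap_text):
    """Return {host: set of open TCP ports} parsed from -oG output."""
    found = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        opened = {int(port) for port, state, proto in PORT_RE.findall(ports_field)
                  if state == "open" and proto == "tcp"}
        found.setdefault(host, set()).update(opened)
    return found


def segmentation_findings(vantage, gnmap_text, expected=EXPECTED_OPEN):
    """Compare observed exposure with the allow-list for this vantage point.

    Returns (host, port, kind) tuples: UNEXPECTED_OPEN is a segmentation failure to fix;
    EXPECTED_BUT_CLOSED means a required service is unreachable (or the scan ran from
    the wrong vantage point).
    """
    observed = open_tcp_ports(gnmap_text)
    findings = []
    for (vp, host), allowed in expected.items():
        if vp != vantage:
            continue
        got = observed.get(host, set())
        findings += [(host, p, "UNEXPECTED_OPEN") for p in sorted(got - allowed)]
        findings += [(host, p, "EXPECTED_BUT_CLOSED") for p in sorted(allowed - got)]
    return findings


if __name__ == "__main__":
    for vantage, text in (("WAN", SCAN_FROM_WAN), ("DMZ", SCAN_FROM_DMZ)):
        for host, port, kind in segmentation_findings(vantage, text):
            print(f"[{vantage}] {host}:{port} {kind}")
```

In the constructed WAN sample the web server answers on TCP 22 from the internet, which the policy does not allow; that single finding, together with the scan file and the firewall rule export, is the kind of dated evidence (and remediation trigger) the compliance folder should hold.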
Compliance tips and best practices
Keep the design simple and well-documented — small businesses succeed with clear, maintainable rules rather than overly complex microsegmentation. Automate backups of firewall/switch configurations and store them in a version-controlled secure repository. Apply the principle of least privilege to network rules and apply MFA for any remote administrative access. Use VLAN naming and IP address conventions that make audits straightforward (e.g., DMZ-10.10.10.0/24). Schedule monthly reviews of firewall rules and quarterly vulnerability scans; log and retain evidence of these activities to meet audit expectations. Finally, include the segmentation architecture in your System Security Plan or equivalent compliance documentation and map each control to the configuration artifacts.
Conclusion
Implementing VLANs and a DMZ is a practical, high-impact control for small businesses to reduce exposure of sensitive systems, and it directly supports compliance with FAR 52.204-21 and CMMC 2.0 Level 1 SC.L1-B.1.XI. By planning your subnets, properly configuring switch trunking and access ports, enforcing strict firewall rules, hardening DMZ hosts, and documenting/testing the environment, you create a defensible boundary that limits attacker movement and produces the evidence auditors expect. Start small, document everything, and iterate: even modest segmentation will significantly lower risk and help satisfy compliance obligations.