I am needing to implement NIST 800-171 / CMMC level 2 for CUI in an existing environment for a few hundred endpoints.
I’ve been working on NIST controls for a couple years, but one thing I am struggling with is the networking scope and interaction with existing vs. CUI networks. Hoping someone can help me understand this better.
At a high level, would I need to create a separate, securely configured group of workstations and ALSO have them on an entirely separate subnet with all separate basic resources? Or can they exist on a subnet that has better logical security controls, firewall rules to prevent connections not initiated by the workstations, etc. and still communicate on existing IT infrastructure (other network drives, DHCP, applications, etc.)?