This method has been interpreted as no communication whatsoever between any component in the CDE and any non-CDE, regardless of which device initiates the connection, and whether the communication channel is secure and is established between trusted systems.
Isolation is achieved using various methods, including:
* "Deny all" rules on routers and firewalls
* Host-based network and application access restriction
* Physical "air-gap" isolation
Due to lack of clarity, many organizations question the practical sustainability of a "full isolation model" in complex, large-scale environments.
SOURCE: VERIZON PCI SECURITY