Untrusted devices behind one router, trusted devices behind another router, both routers behind a third. The routers should be dumb, rock hard, and nat. If the untrusted devices were behind just the outer router they could potentially intercept trusted traffic traversing that network. If the trusted devices were behind just the outer router, I guess the untrusted devices might somehow use IP tricks to enumerate devices or something.

They mention vlans, and say it's basically a homemade vlan. Why not use vlans then? No mention of DMZs. Or if you have a single router with configurable firewall, couldn't you just firewall traffic between untrusted and trusted ports? I'm not sure of the context of this idea. Do they make cheap routers with enterprise-level hardening that don't support firwalls?