We have in our main building a relatively flat, easily managed LAN encompassing all our servers, printers, copiers, switches, storage, and PCs/notebooks in the building. Other wireless devices have their own VLANs.
With regard to the main wired LAN, I'm seeking suggestions or advice on where and how it would be good to somehow segment the network to reduce which devices can talk to each other, as a way to potentially reduce the risk of ransomware, in addition to our firewall and anti-malware software and limiting which devices have any Internet access.
What would be good ways to segment this LAN but not make it excessively difficult to manage?
I didn't find the right solution on the Internet.