pix (Score 1)

completely seperate the servers by creating a seperate vlan, this will keep all layer 2 traffic away from them. then give them their own subnet and put them behind a pix. then you can filter whaterver traffic you want and only allow what you need. then you can customize what area's get access to what services with access lists