Well, you need to write and implement a security policy before that.
You of course need to move all servers to a dedicated network and all the clients to a different network.
Then you need to configure your router to allow only allowed requests (HTTP, FTP, DNS, ICMP, etc.) from clients to the servers, but I need to repeat: it should be implemented and tested in your local security policy.
You shouldn't do it on your own responsibility.
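
The setup described above, sketched as an nftables ruleset for a Linux router. This is an added example, not part of the original post. The interface names (`eth1`, `eth2`), the documentation-range subnets and the helper name `ftp-std` are assumptions, to be replaced with the values from your own policy.

```nftables
#!/usr/sbin/nft -f
# Assumed layout (placeholders, not from the post):
#   clients on eth1 in 192.0.2.0/25, servers on eth2 in 192.0.2.128/25
flush ruleset

define CLIENT_IF  = "eth1"
define SERVER_IF  = "eth2"
define CLIENT_NET = 192.0.2.0/25
define SERVER_NET = 192.0.2.128/25

table inet filter {
    # FTP opens a second (data) connection; the conntrack helper marks it
    # as "related" so it is allowed without opening a wide port range.
    ct helper ftp-std {
        type "ftp" protocol tcp
    }

    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        iifname $CLIENT_IF ip daddr $SERVER_NET tcp dport 21 ct helper set "ftp-std"
    }

    chain forward {
        # Default deny: anything not matched below is dropped.
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept

        # Clients to servers: only the services the policy names.
        iifname $CLIENT_IF oifname $SERVER_IF ip saddr $CLIENT_NET ip daddr $SERVER_NET jump client_to_server

        # Rate-limited log of denied traffic, used when testing the policy.
        limit rate 10/minute log prefix "fwd-deny: "
    }

    chain client_to_server {
        tcp dport 80 ct state new accept                    # HTTP
        tcp dport 21 ct state new accept                    # FTP control
        udp dport 53 accept                                 # DNS
        tcp dport 53 ct state new accept                    # DNS over TCP
        icmp type echo-request limit rate 10/second accept  # ping
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading it; connections initiated from the server network toward clients are dropped unless a rule is added for them.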