I had a meeting with some network team members from a government entity recently. They described a configuration where all of the network ports that workstations connect to are configured with port isolation, which prevents workstations, even on the same VLAN, from communicating with each other over the network. This feature is available on most network switches.
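Since the protection depends on every workstation-facing port actually having the feature enabled, a practical companion to this setup is an audit that reads the switch configuration and reports access ports where isolation is missing. The following Python script is an added example, not code from the original post; it assumes Cisco Catalyst-style syntax where per-port isolation is expressed as `switchport protected` (other vendors use different keywords), and the config it parses is a constructed sample.

```python
"""
Audit a Cisco IOS-style running config for access ports that lack port
isolation. Added example, not from the original post. Assumes the Catalyst
keyword `switchport protected` for per-port isolation (platform assumption).
"""

# Constructed sample running config: two isolated access ports, one access
# port that was missed, and an uplink trunk that should not be isolated.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport protected
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 20
 switchport protected
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [indented config lines under it]}."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            # '!' or any top-level statement ends the interface block
            current = None
    return interfaces


def unisolated_access_ports(config: str) -> list:
    """Access ports (workstation-facing) that are missing `switchport protected`."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        is_access = "switchport mode access" in lines
        is_protected = "switchport protected" in lines
        if is_access and not is_protected:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for port in unisolated_access_ports(SAMPLE_CONFIG):
        print(f"{port}: access port without port isolation")
```

One caveat worth checking while auditing: Cisco protected ports only isolate traffic between ports on the same switch. Two workstations on protected ports of different switches in the same VLAN can still reach each other through the trunk unless private VLANs or an upstream filter enforce the same policy, so the audit above covers configuration completeness, not the cross-switch case.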
There are not many use cases I am aware of where workstations need to connect directly to each other, at least not many that we want to encourage. Isolating systems in this way seems like a good way to limit lateral movement. Lateral movement is limited to systems that are “upstream”, which provides a convenient point at which to monitor for and detect such attacks.
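The monitoring opportunity follows from the fact that, with isolation in place, workstation-to-workstation traffic should simply not appear in flow records. The script below is an added example (not from the original post) that runs over constructed flow records and separates flows that port isolation alone should have prevented (same segment) from flows between workstation subnets that are routed upstream, which isolation does not cover and which need a filter on the router or firewall instead. The workstation subnets and record format are assumptions for the example.

```python
"""
Flag workstation-to-workstation flows that should not exist once port
isolation is deployed. Added example, not from the original post. Assumes
a constructed 'src_ip,dst_ip,dst_port,proto' record format and hypothetical
workstation subnets.
"""
import ipaddress

# Assumed workstation segments for this example; adjust per site.
WORKSTATION_NETS = [
    ipaddress.ip_network("10.20.1.0/24"),
    ipaddress.ip_network("10.20.2.0/24"),
    ipaddress.ip_network("10.20.9.0/24"),
]

# Constructed sample flow records. 10.1.5.20 stands in for an upstream server.
SAMPLE_FLOWS = """\
10.20.1.15,10.20.1.16,445,tcp
10.20.1.15,10.1.5.20,445,tcp
10.20.2.7,10.20.9.3,3389,tcp
10.20.1.16,10.1.5.20,443,tcp
10.20.1.15,10.20.1.255,137,udp
"""


def containing_net(ip):
    """Return the workstation subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in WORKSTATION_NETS:
        if addr in net:
            return net
    return None


def classify(src: str, dst: str):
    """
    'same_segment': both ends in one workstation subnet; port isolation
                    should have blocked this, so a hit means a port without
                    isolation or a device that bypassed the switch.
    'routed':       both ends are workstations but in different subnets;
                    this passes through the router and needs an ACL there.
    None:           not workstation-to-workstation, or a broadcast destination.
    """
    src_net, dst_net = containing_net(src), containing_net(dst)
    if src_net is None or dst_net is None:
        return None
    if ipaddress.ip_address(dst) == dst_net.broadcast_address:
        return None
    return "same_segment" if src_net == dst_net else "routed"


def east_west_flows(records: str) -> list:
    """Parse records and return the workstation-to-workstation flows with a kind."""
    findings = []
    for line in records.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split(",")
        kind = classify(src, dst)
        if kind is not None:
            findings.append({"src": src, "dst": dst, "dport": int(dport),
                             "proto": proto, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in east_west_flows(SAMPLE_FLOWS):
        print(f"{f['kind']}: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}")
```

Flow records taken from the upstream switch or router are the natural input here, because that is the only path isolated workstations have; any same-segment hit is either a configuration gap or something on the wire that is not going through the isolated port.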
I was initially thinking about this in the context of mitigating the impact of network worms in the wake of WannaCry. However, it seems like the utility in this extends far beyond just worms.