This is a case of enterprise network design. We normally place a couple of servers in a DMZ, and those servers have a default gateway pointing at the firewall interface. Let's say the servers are in the subnet 10.10.10.0/24. When ServerA wants to reach another network, it goes to the firewall and the traffic flows according to the routing table, but when ServerA accesses ServerB it reaches it directly because they are in the same subnet, e.g. 10.10.10.10 talking to 10.10.10.20.
This means that if ServerA is compromised by an attacker, he can upload tools there and launch attacks from ServerA against ServerB and ServerC.
How can we protect our network in such a situation, where the attacker launches an attack from ServerA that goes directly to the other servers without passing through any layer 3 device? The motive is to protect the other servers in case one server gets compromised.
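As an added illustration (not part of the original question), the following Python models the problem described above and two defensive controls for it: putting each DMZ server in its own small subnet so that every server-to-server packet has to cross the firewall, and a default-deny host firewall on each server that only accepts traffic from the firewall's interface and on the server's published service port. Only 10.10.10.0/24 and the .10 and .20 addresses come from the question; the ServerC address, the /30 layout, the gateway addresses and the rule set are constructed assumptions for the example.

```python
"""
Added example, not from the original post: why same-subnet DMZ traffic
bypasses the firewall, and two controls that close the gap.
Addresses other than 10.10.10.0/24, .10 and .20 are constructed.
"""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed flat DMZ as described in the question: one /24, one gateway (.1).
FLAT_DMZ = {
    "ServerA": "10.10.10.10/24",
    "ServerB": "10.10.10.20/24",
    "ServerC": "10.10.10.30/24",   # constructed third server
}
FLAT_GATEWAYS = {name: "10.10.10.1" for name in FLAT_DMZ}

# Control 1 (constructed layout): each server gets its own /30 whose gateway is
# a firewall sub-interface, so no two servers are ever on-link with each other.
SEGMENTED_DMZ = {
    "ServerA": "10.10.10.10/30",   # network 10.10.10.8/30
    "ServerB": "10.10.10.14/30",   # network 10.10.10.12/30
    "ServerC": "10.10.10.18/30",   # network 10.10.10.16/30
}
SEGMENTED_GATEWAYS = {
    "ServerA": "10.10.10.9",
    "ServerB": "10.10.10.13",
    "ServerC": "10.10.10.17",
}


def next_hop(src_iface, dst_ip, gateway):
    """Return 'direct' when dst is on-link for src (same subnet, no layer 3
    device in the path), otherwise the gateway the packet is forwarded to."""
    src = ip_interface(src_iface)
    if ip_address(dst_ip) in src.network:
        return "direct"
    return gateway


def east_west_paths(hosts, gateways):
    """For every ordered server pair, report whether traffic between them is
    switched directly or routed through that server's gateway (the firewall)."""
    paths = {}
    for a, a_iface in hosts.items():
        for b, b_iface in hosts.items():
            if a == b:
                continue
            dst = str(ip_interface(b_iface).ip)
            paths[(a, b)] = next_hop(a_iface, dst, gateways[a])
    return paths


# Control 2 (constructed policy): host firewall on ServerB. Rules are
# (source network, destination port or None for any port, action); anything
# not matched is dropped, so other DMZ peers get no implicit trust.
HOST_FW_SERVERB = [
    ("10.10.10.1/32", None, "accept"),  # firewall inside interface (management, monitoring)
    ("0.0.0.0/0", 443, "accept"),       # the service ServerB actually publishes
]


def host_firewall_decision(rules, src_ip, dst_port):
    """First-match evaluation of the rule list with an implicit default deny."""
    src = ip_address(src_ip)
    for net, port, action in rules:
        if src in ip_network(net) and (port is None or port == dst_port):
            return action
    return "drop"


if __name__ == "__main__":
    print("flat /24:", east_west_paths(FLAT_DMZ, FLAT_GATEWAYS))
    print("per-server /30:", east_west_paths(SEGMENTED_DMZ, SEGMENTED_GATEWAYS))
    for port in (22, 443):
        print(f"ServerA -> ServerB:{port} on ServerB host firewall:",
              host_firewall_decision(HOST_FW_SERVERB, "10.10.10.10", port))
```

In the flat /24 every pair comes back "direct", which is exactly the bypass the question describes; with per-server /30 segments every pair is forwarded to a firewall interface, where the normal policy and logging apply. The host firewall gives the same effect without re-addressing: a compromised ServerA can still reach ServerB's published 443, but an attempt to reach SSH or any other port is dropped on the host itself.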