How would you design network segmentation to limit the blast radius of a potential compromise at T-Mobile?