
Network Separation

eandrcisco007
Level 1

Gentlemen,

I am working on a project to separate a section of the Marketing department from the main core of the business. It is going to work independently but share the same equipment (access switch / core switch) for now, and I was wondering what would be the best path/option to deploy in order to have their network separated from the main core and simultaneously meet the compliancy requirements. So I was wondering if anybody has done similar projects and has any suggestions at this end.

Thanks.

2 Accepted Solutions


Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Much depends on just how "separate" you want the Marketing department to be, and the capabilities of your equipment.  Often you provide a different functional part of your network its own VLAN/network.  If your Marketing department's hosts are spread out, such that you need to have multiple VLANs/networks, yet you want to logically isolate/separate them, you can place their networks into their own VRF (if supported by your equipment).  VRF is sort of the L3 equivalent of a L2 VLAN.


Mark Malone
VIP Alumni

You could put them into a separate VLAN and lock the VLAN down at interface level from speaking to, say, other subnets on the same switches, and also use port security on each port in the new VLAN so no random people can just connect in. This is probably the quickest way to segregate them.

You could also set up private VLANs for extra security, but that is a bit more complex.

No matter what you do, the traffic will be on the same data plane, as it's the same device.

Another option is to use a VRF to completely give them a separate routing table.

anyway just some ideas for you

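The two approaches suggested in the answers above, sketched as Cisco IOS / IOS XE configuration. This is an added example, not configuration from either poster. The VLAN number, names, interface, and all addresses (Marketing 10.30.110.0/24, corporate 10.20.0.0/16) are constructed, and exact syntax and feature support vary by platform and software release.

```cisco
! --- Option A: dedicated VLAN, ACL on its SVI, port security on access ports
vlan 110
 name MARKETING
!
ip access-list extended MARKETING-IN
 remark let clients reach DHCP before they have an address
 permit udp any eq bootpc any eq bootps
 remark block Marketing from the (constructed) corporate range
 deny   ip 10.30.110.0 0.0.0.255 10.20.0.0 0.0.255.255
 remark everything else sourced from Marketing is allowed
 permit ip 10.30.110.0 0.0.0.255 any
!
interface Vlan110
 description Marketing gateway
 ip address 10.30.110.1 255.255.255.0
 ip access-group MARKETING-IN in
!
interface GigabitEthernet1/0/10
 description Marketing access port
 switchport mode access
 switchport access vlan 110
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! --- Option B: place the Marketing SVI in its own VRF (separate routing table)
vrf definition MARKETING
 address-family ipv4
 exit-address-family
!
interface Vlan110
 description Marketing gateway (VRF MARKETING)
 vrf forwarding MARKETING
 ! applying "vrf forwarding" clears the interface address, so re-enter it
 ip address 10.30.110.1 255.255.255.0
```

With Option B the VRF has no path to anything outside its own interfaces until an uplink and routes are added inside that VRF. `show port-security interface GigabitEthernet1/0/10` and `show ip route vrf MARKETING` confirm that each control is in effect.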
