1) First, create two distinct virtual networks.

2) Then, create your configuration, attaching the systems as you want to either of the two virtual networks.

3) Also, importantly, have one extra machine in your configuration. Attach this machine to both networks. Configure this machine specially as a router and your firewall.

This configuration will now be a fully self-contained unit, the VM's in one network have to go through your firewall to get to the VM's in the other network.

4) For extra bonus effort, also connecting them to the outside world is moderately tricky--if you just use the virtual to physical connections, then you'll pretty effectively bypass your firewall, I would suggest yet a third network, also attached to the router/firewall. You would have to roll your own NAT solution in this case; the one built-into lab manager would connect the vms directly, which would defeat your firewall.

Or, depending on your focus, it could actually be even easier than that. If you only do step one and two, and then simply use the virtual to physical connector on both virtual networks at deploy time, you get effectively the same result, just using the layers of indirection, and the NATing and external IP addresses, that LM implements rather than your own. This would be significantly easier if you're just interested in having them segregated but the plumbing doesn't matter that much, use the above more complicated approach if they need to be isolated, or if the plumbing itself is the item of interest.