4.1 VLAN Basics
4.1.7 VLANs vs. complex access lists
Routers allow administrators to introduce policies that control the flow of traffic in the network. Access lists control traffic flow and provide varied degrees of policy granularity. Through the implementation of access lists, you can prevent a specific user from communicating with another user or network, or you can prevent an entire network from accessing a user or network. You might exercise these capabilities for security reasons, or you may elect to prevent traffic from flowing through a segment to protect local bandwidth.

In any case, the management of access lists can be quite cumbersome. You must develop the access list based on your company's business and security needs.

In the network example shown in the Figure, the routers attached to the engineering segment can carry access lists that allow accounting traffic to pass through the engineering segment but never reach any engineering device. That does not prevent engineers from monitoring the transit traffic on their segment, but it does prevent direct communication between the engineering and accounting devices. Accounting will not see the engineering traffic, while engineering can see all the accounting traffic that transits its segment.

VLANs can simplify the network in some cases by allowing you to keep all accounting users in one VLAN. Then their traffic does not need to pass through a router to get to peers within the VLAN. This can simplify your access-list design because you can treat networks as groups with similar or equal access requirements.
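The two designs described above, written out as Cisco IOS configuration. This is an added illustration, not course material, and the addresses, VLAN numbers and interface names are assumed because the Figure's values are not given here.

```cisco
! Added example; addressing is assumed, not taken from the Figure:
!   accounting hosts      10.1.1.0/24
!   engineering segment   10.1.2.0/24 (transit path for accounting traffic)
!
! --- Access-list approach: filter on the router port facing engineering ---
ip access-list extended ACCT-TO-ENG
 remark Accounting may transit the engineering segment but not reach its hosts
 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip any any
!
ip access-list extended ENG-TO-ACCT
 remark Engineering hosts may not originate traffic to accounting
 deny   ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/1
 description Engineering segment
 ip address 10.1.2.1 255.255.255.0
 ip access-group ACCT-TO-ENG out
 ip access-group ENG-TO-ACCT in
!
! Transit frames still cross the engineering wire, so engineering stations can
! capture them; the lists only stop direct conversations, as the text notes.
!
! --- VLAN approach: keep all accounting users in one VLAN on the switch ---
vlan 20
 name ACCOUNTING
vlan 30
 name ENGINEERING
!
interface range FastEthernet0/1 - 12
 description Accounting user ports
 switchport mode access
 switchport access vlan 20
!
interface range FastEthernet0/13 - 24
 description Engineering user ports
 switchport mode access
 switchport access vlan 30
!
! Accounting-to-accounting traffic now stays inside VLAN 20 and never touches
! the engineering VLAN, so the policy reduces to group-level statements at the
! VLAN boundary (here a Layer 3 switch SVI) instead of per-segment filters.
interface Vlan30
 ip address 10.1.2.1 255.255.255.0
 ip access-group ACCT-TO-ENG out
 ip access-group ENG-TO-ACCT in
```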