In an ideal world, network design should reflect work practices.
Having become a Cloud-centric organisation, without local servers, we have found that virtually all traffic is LAN to WAN and very little is LAN to LAN.
Fortunately, we had already chosen to implement multiple VLANs (to sort the sheep from the goats) and had ceased allowing catch-all values on access and link ports. So the switch to Cloud-centric was a no-brainer.
We do have a lot of VLANs; our network design/security methodology has become analogous to the Onion, with progressive "skins" of greater security. If everything is legit, it's transparent; otherwise it is a quagmire, with its own Room 101. Each ring has its own unique VLAN schema (so there may be 3 Management VLANs - 11, 22, 33) and firewalls between each skin.
It is much more complicated to describe than to implement. One of the benefits is that the goats (Guest WiFi, Multicast IP TV playout, IoT devices, AV kit etc.) come nowhere near anything sensitive such as personal and application workstations and are completely unaware of secure LAN-WAN traffic. We do allow HDMI connectivity between secure devices on different layers; we monitor this for vulnerabilities.
Monitoring for vulnerabilities is important; we have detected attempts by "smart" utility metering equipment to access the Internet using Zigbee.
As more organisations adopt the Cloud-centric model, we expect to see more adoption of similar architectures.
I would suggest setting your strategic IS goals (ISSP), and then implementing a network design that simplifies enabling the transformations required to achieve those goals.
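As an added illustration of the "onion" model described above (this is example code, not the poster's configuration or tooling), the script below encodes a constructed ring/VLAN schema and runs a segmentation policy over a few constructed flow-log lines. The VLAN IDs, subnets, egress allowlist and flow records are all assumptions made for the example; the management VLANs 11, 22, 33 echo the post, the rest is invented. It flags two classes of flow that the post's design is meant to prevent: an outer-ring ("goat") device reaching into a more secure ring, and an IoT/metering device making WAN egress to a destination outside its allowlist.

```python
import ipaddress

# Constructed ring/VLAN schema (assumption, not the post's real schema).
# Lower ring number = less trusted ("goats"), higher = more trusted.
VLAN_RING = {
    11: 1, 110: 1, 120: 1,   # ring 1: management 11, guest WiFi, IoT/metering
    22: 2, 210: 2,           # ring 2: management 22, AV / IPTV playout
    33: 3, 310: 3,           # ring 3: management 33, workstations
}
VLAN_SUBNET = {
    11: "10.1.11.0/24", 110: "10.1.10.0/24", 120: "10.1.20.0/24",
    22: "10.2.22.0/24", 210: "10.2.10.0/24",
    33: "10.3.33.0/24", 310: "10.3.10.0/24",
}
# Per-VLAN WAN egress policy: None = any Internet destination,
# a set = only the listed destinations, empty set = no egress at all.
WAN_EGRESS = {
    11: set(), 22: set(), 33: set(),      # management VLANs never talk to the WAN
    110: None, 210: None, 310: None,      # guest, AV and workstations go to the cloud
    120: {"203.0.113.10"},                # metering may only reach its constructed broker
}

# Constructed flow records: "<src_vlan> <src_ip> <dst_ip> <dst_port>" per line.
FLOWS = """\
110 10.1.10.25 142.250.74.36 443
120 10.1.20.7 203.0.113.10 8883
120 10.1.20.7 198.51.100.77 443
120 10.1.20.9 10.3.10.40 445
310 10.3.10.40 142.250.74.36 443
310 10.3.10.40 10.3.33.1 22
"""


def vlan_of(ip):
    """Map an address to its VLAN; None means it is not an internal subnet (WAN)."""
    addr = ipaddress.ip_address(ip)
    for vlan, net in VLAN_SUBNET.items():
        if addr in ipaddress.ip_network(net):
            return vlan
    return None


def check_flow(src_vlan, src_ip, dst_ip):
    """Return "ok" or a short reason why the flow violates the ring policy."""
    if src_vlan not in VLAN_RING:
        return "unknown-vlan"
    # A source that is not in its VLAN's subnet indicates spoofing or a port misconfiguration.
    if vlan_of(src_ip) != src_vlan:
        return "src-not-in-vlan-subnet"
    dst_vlan = vlan_of(dst_ip)
    if dst_vlan is None:
        allow = WAN_EGRESS.get(src_vlan, set())
        if allow is None or dst_ip in allow:
            return "ok"
        return "wan-egress-not-allowlisted"
    src_ring, dst_ring = VLAN_RING[src_vlan], VLAN_RING[dst_vlan]
    # Firewalls sit between the skins: traffic never crosses from one ring to another.
    if src_ring != dst_ring:
        return f"cross-ring:{src_ring}->{dst_ring}"
    return "ok"


def audit(flow_text):
    """Run the policy over flow-log text; return (line_no, reason, line) for each violation."""
    findings = []
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        if not line.strip():
            continue
        vlan, src, dst, _port = line.split()
        verdict = check_flow(int(vlan), src, dst)
        if verdict != "ok":
            findings.append((lineno, verdict, line))
    return findings


if __name__ == "__main__":
    for lineno, reason, line in audit(FLOWS):
        print(f"line {lineno}: {reason}: {line}")
```

On the constructed flows this reports line 3 (the metering device reaching an Internet host outside its allowlist, the kind of unexpected egress the post describes catching) and line 4 (an IoT host attempting SMB into the workstation ring). The same two rules are what the inter-skin firewalls enforce; running them over exported flow records is a cheap way to confirm the firewalls are doing so and to spot misconfigured access ports whose source addresses fall outside their VLAN's subnet.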