This was built for a very large distributed network that consists of 5 huge buildings with office spaces, production and warehouse areas. Some LAN ports are located in weird places, so after the last expansion I became quite uneasy about the fact that it is relatively easy to access ports and attack the networks.
So I have segmented it, and firewalled everything. The last forward rule is drop all, so only explicit allow rules forward traffic. Each sector has its own VLAN, the servers are in a separate VLAN, as is the backbone infrastructure, and the CAPs are in their own group as well.
From the VLANs to the server VLAN I allowed the list I published here. Everything works apparently: domain services, DNS, file and print sharing, MySQL (MariaDB) etc., and everything that was not bound to a port is blocked. I have 800k packets dropped right now, and yet every aspect of the LAN works.
As for VLAN to VLAN communication, the idea was that one client has no business communicating with clients from other VLANs. So if there is an infected client, it can only take down clients in its own VLAN. The only traffic I allow is RDP and direct IP printing (and ICMP). Nothing else. (For RDS there is a filter on each RDS-enabled computer.)
I had some trouble getting the firewall rules right, but I think I have mostly got it. At this moment I see about 350 active clients in the entire network, and soon, when the new APs arrive, there will be about 400-450.
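A small model of the policy described in this post, as an added example and not the poster's actual firewall configuration: a first-match walk over the forward rules that ends in drop-all, so only the explicit accepts let anything through. The VLAN ids, the port numbers (RDP = TCP/3389, direct IP printing = TCP/9100) and the server allow-list entries (DNS, SMB, MariaDB) are assumptions, since the post does not reproduce the published list.

```python
"""Model of the forward chain described in the post (added example; assumed values)."""
from dataclasses import dataclass

CLIENT_VLANS = {"vlan10", "vlan20"}   # constructed: two sector VLANs
SERVER_VLAN = "vlan30"                # constructed: the server VLAN

# Assumed allow-list for client VLANs -> server VLAN (the real list is not in the post).
SERVER_ALLOW = {("udp", 53), ("tcp", 53), ("tcp", 445), ("tcp", 3306)}
# Client VLAN -> other client VLAN: only RDP, direct IP printing and ICMP.
VLAN_TO_VLAN_ALLOW = {("tcp", 3389), ("tcp", 9100)}  # assumed port numbers


@dataclass(frozen=True)
class Flow:
    src_vlan: str
    dst_vlan: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # ignored for icmp


def forward_verdict(flow: Flow) -> str:
    """Walk the forward rules top to bottom; the last rule drops everything,
    so a new connection is forwarded only if an earlier rule accepts it."""
    if flow.src_vlan == flow.dst_vlan:
        return "not-forwarded"  # same VLAN is switched, never reaches the forward chain
    rules = [
        # clients -> server VLAN, only the published ports
        (lambda f: f.src_vlan in CLIENT_VLANS and f.dst_vlan == SERVER_VLAN
                   and (f.proto, f.dport) in SERVER_ALLOW, "accept"),
        # clients -> clients in another VLAN: RDP, raw printing, ICMP
        (lambda f: f.src_vlan in CLIENT_VLANS and f.dst_vlan in CLIENT_VLANS
                   and (f.proto == "icmp" or (f.proto, f.dport) in VLAN_TO_VLAN_ALLOW),
         "accept"),
        # last rule: drop all
        (lambda f: True, "drop"),
    ]
    for match, action in rules:
        if match(flow):
            return action
    return "drop"


def dropped_count(flows) -> int:
    """How many of the given flows the policy drops (the post's drop counter, in miniature)."""
    return sum(1 for f in flows if forward_verdict(f) == "drop")
```

Adding a real ruleset to this model means appending to the allow sets; anything not listed stays dropped, which is the behaviour the post relies on.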