I'm just a great fan of VLAN implementation for the following reasons:
- It limits the broadcast domain to each VLAN (let's say 20 users each), thus mitigating ARP poisoning and spoofing attacks, and optimizing bandwidth utilization, especially for GVRP applications...
- With a single Ethernet backbone infrastructure you can force flows to be routed from one VLAN to another through a router and thus have a low-cost DMZ capability (paranoids would say "VLAN hopping attack", but it's a blind attack & I really think that threat is very low risk).
As a personal opinion, a VLAN backbone coupled with 802.1X authentication is a real layer 2 secured solution...