In this paper, we propose Access Control Routing (ACR), a clean-slate and flexible approach to simplify access control configuration in large-scale enterprise networks. ACR uses a single parameter, class, to couple access control and routing. It requires that each end-host specify its access control policies at the granularity of a class. On the network side, the control plane establishes logical reachability networks for every class, and the data plane explicitly labels each packet with a class based on the source. Unlike traditional access control configuration approaches, ACR can easily adapt to network topology or routing changes and is better suited to handle network failures. ACR eliminates the need for VLANs and also provides the flexibility of automatically routing traffic through arbitrary middle-boxes without physical topology manipulation. Using a software-based router implementation of ACR and access control policies gathered from four large commercial enterprise networks, we show that ACR can easily be adopted in large enterprise environments with little additional performance overhead.