Everything at home lived on one flat /24. Laptops, the media server, IoT gadgets I don't fully trust, all sharing one broadcast domain and able to talk to each other freely. That's fine until you think about it, at which point you stop wanting your suspiciously chatty smart plug on the same segment as your laptop.
So: VLANs. The plan was tidy. A management VLAN, a trusted VLAN, an untrusted IoT VLAN, and inter-VLAN routing on the gateway with firewall rules between them. The plan is always tidy.
The pain was entirely in doing it live without an outage I'd have to explain at the dinner table. The order matters more than the config. Configure the VLAN interfaces and DHCP scopes on the router first, then create the VLANs on the switch and allow them on the uplink trunk, then move access ports one at a time, confirming each device comes back with an address before touching the next. Move a port before the upstream is ready and that device just goes dark.
The bit that bit me was the trunk between switch and router. I'd set the access ports up perfectly and nothing on the new VLANs could reach the gateway. The trunk was carrying the right tagged VLANs but I'd left the native (untagged) VLAN as the default, so management traffic was landing in the wrong place. Five minutes of fix, forty minutes of staring. The catch is that a native VLAN mismatch never produces an error: untagged frames are simply assigned to whatever VLAN each end calls native, so the traffic is delivered, just into the wrong segment. Tag what should be tagged, be deliberate about the native VLAN and make it the same on both ends of the trunk, and label everything, because future you will not remember which port is which.
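The two lessons above (move ports only once the upstream is ready, and make both trunk ends agree on how each VLAN is carried) are the kind of thing a pre-flight check can catch before anything goes dark. The Python below is an added example of mine, not code from the post or from any vendor tooling. It models one switch-to-router trunk plus the router's gateway interfaces and DHCP scopes; the VLAN numbers (10 management, 20 trusted, 30 IoT), port names and the simplification that each trunk end has exactly one native VLAN are assumptions for illustration.

```python
"""Pre-flight checks for a live VLAN migration (added example, not from the post).
Models both ends of the switch-to-router trunk and asks, before a port is
moved: do the two ends agree on how each VLAN is carried, and is the upstream
path ready for that VLAN? All device, port and VLAN ids are constructed.
"""
from dataclasses import dataclass


@dataclass
class Trunk:
    tagged: set                 # 802.1Q VLAN ids sent with a tag
    native: int                 # the single VLAN sent untagged


@dataclass
class Switch:
    vlans: set                  # VLANs defined in the switch's VLAN database
    trunk: Trunk                # uplink towards the router


@dataclass
class Router:
    trunk: Trunk                # the same link, as the router sees it
    interfaces: set             # VLAN ids with a gateway (L3) interface
    dhcp_scopes: set            # VLAN ids with a DHCP scope


def carry_mode(trunk, vlan):
    """How one trunk end carries a VLAN: 'tagged', 'native', or None if dropped."""
    if vlan == trunk.native:
        return "native"
    if vlan in trunk.tagged:
        return "tagged"
    return None


def trunk_mismatches(switch, router):
    """VLAN id -> description for every VLAN the two trunk ends disagree on.
    Untagged frames land in whichever VLAN each end calls native, so a VLAN
    tagged on one end and native on the other is delivered, just wrongly."""
    found = {}
    for vlan in sorted(switch.vlans | router.interfaces):
        s, r = carry_mode(switch.trunk, vlan), carry_mode(router.trunk, vlan)
        if s is None and r is None:
            continue                # neither side expects it on this link
        if s != r:
            found[vlan] = f"switch sends {s or 'nothing'}, router expects {r or 'nothing'}"
    return found


def move_blockers(vlan, switch, router):
    """Reasons a device would go dark if its access port were moved to `vlan` now."""
    blockers = []
    if vlan not in switch.vlans:
        blockers.append(f"VLAN {vlan} not created on the switch")
    if carry_mode(switch.trunk, vlan) is None:
        blockers.append(f"VLAN {vlan} not allowed on the switch uplink")
    if vlan not in router.interfaces:
        blockers.append(f"router has no interface for VLAN {vlan}")
    if vlan not in router.dhcp_scopes:
        blockers.append(f"no DHCP scope for VLAN {vlan}")
    mismatch = trunk_mismatches(switch, router).get(vlan)
    if mismatch:
        blockers.append(f"trunk disagrees on VLAN {vlan}: {mismatch}")
    return blockers


MGMT, TRUSTED, IOT = 10, 20, 30

# Constructed "first attempt": the switch tags all three VLANs but leaves its
# native VLAN at the default of 1, while the router was built to receive the
# management VLAN untagged. The IoT DHCP scope does not exist yet either.
BROKEN_SWITCH = Switch(vlans={1, MGMT, TRUSTED, IOT},
                       trunk=Trunk(tagged={MGMT, TRUSTED, IOT}, native=1))
BROKEN_ROUTER = Router(trunk=Trunk(tagged={TRUSTED, IOT}, native=MGMT),
                       interfaces={MGMT, TRUSTED, IOT},
                       dhcp_scopes={MGMT, TRUSTED})

# Constructed "fixed": every routed VLAN is tagged on both ends and the native
# VLAN is pinned to the same otherwise-unused VLAN on both ends.
FIXED_SWITCH = Switch(vlans={1, MGMT, TRUSTED, IOT},
                      trunk=Trunk(tagged={MGMT, TRUSTED, IOT}, native=1))
FIXED_ROUTER = Router(trunk=Trunk(tagged={MGMT, TRUSTED, IOT}, native=1),
                      interfaces={MGMT, TRUSTED, IOT},
                      dhcp_scopes={MGMT, TRUSTED, IOT})

if __name__ == "__main__":
    for label, sw, rt in (("broken", BROKEN_SWITCH, BROKEN_ROUTER),
                          ("fixed", FIXED_SWITCH, FIXED_ROUTER)):
        print(label, trunk_mismatches(sw, rt), move_blockers(IOT, sw, rt))
```

On the broken pair the check reports two disagreements, VLAN 1 (the switch's untagged frames, which the router files under VLAN 10) and VLAN 10 (tagged by the switch, expected untagged by the router), which is exactly the "management traffic landing in the wrong place" symptom; it also refuses to clear the IoT port because the DHCP scope is missing. On the fixed pair both calls come back empty, and only then is it safe to start moving ports.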
It works now. The smart plug lives in its own little quarantine and can't see a thing it shouldn't. Worth it, mildly painful, and a useful reminder that the network is fine right up until you ask it to be slightly more careful.