The homelab grew up flat. One /24, everything on it, the IoT gear talking to the NAS talking to the servers because that's how it was when I plugged the first switch in and nobody stopped me. It worked, right up until I wanted my doorbell to stop being able to reach my backups.
So: VLANs. I'd done this professionally a dozen times, which is exactly why I was overconfident. I cut over the trunk, retagged the switch ports, and locked myself out of the management interface in about forty seconds. The switch was now expecting tagged frames on a port my laptop was sending untagged ones to. Console cable, sheepish reboot.
The lesson I keep forgetting is that a flat-to-segmented migration is not one change, it's twenty small ones, and doing them together means you can't tell which one broke things. The version that worked: create the VLANs, leave everything on the native untagged VLAN, then move one device at a time, confirming routing and firewall rules between segments as I went. The doorbell now lives on its own VLAN with a single allow rule to the one thing it legitimately needs. The backups can't see it at all. Painful, but only because I tried to be clever first.
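One way to make the "confirm routing and firewall rules as I went" step repeatable is to write the intended inter-VLAN policy down once and check each probe result against it after every device move. The script below is an added example, not from the post: the VLAN names and IDs, the allow list (including the assumed MQTT port for the doorbell) and the probe results are all constructed for illustration. It reports two kinds of drift, a flow that is reachable but should be denied (a leak, like the doorbell seeing the backups) and a flow that should work but does not (the kind of breakage that otherwise surfaces as a lockout).

```python
from itertools import product

# VLAN plan (constructed for this example; names and IDs are assumptions)
VLANS = {"mgmt": 10, "servers": 20, "backups": 30, "iot": 40}

# Allow list as (src, dst, service). Same-VLAN traffic is implicitly allowed;
# every inter-VLAN flow not listed here is expected to be denied.
ALLOW = {
    ("iot", "servers", "tcp/1883"),    # doorbell -> its one broker (assumed service)
    ("mgmt", "servers", "any"),
    ("mgmt", "backups", "any"),
    ("mgmt", "iot", "any"),
    ("servers", "backups", "tcp/22"),
}


def expected_allowed(src, dst, service):
    """Policy lookup: is this flow supposed to be permitted?"""
    if src not in VLANS or dst not in VLANS:
        raise ValueError(f"unknown VLAN in {src!r} -> {dst!r}")
    if src == dst:
        return True
    return (src, dst, service) in ALLOW or (src, dst, "any") in ALLOW


def expected_matrix(services):
    """Full expected inter-VLAN matrix for the given services (for the runbook)."""
    return {
        (s, d, svc): expected_allowed(s, d, svc)
        for s, d in product(VLANS, repeat=2) if s != d
        for svc in services
    }


def check_observed(observations):
    """Compare probe results against the policy.

    observations: iterable of (src, dst, service, reachable: bool)
    returns: list of ('leak' | 'broken', src, dst, service)
    """
    findings = []
    for src, dst, service, reachable in observations:
        should = expected_allowed(src, dst, service)
        if reachable and not should:
            findings.append(("leak", src, dst, service))
        elif should and not reachable:
            findings.append(("broken", src, dst, service))
    return findings


# Constructed probe results, as if collected right after moving the doorbell
OBSERVED = [
    ("iot", "servers", "tcp/1883", True),
    ("iot", "backups", "tcp/445", True),      # should have been blocked
    ("mgmt", "servers", "tcp/22", True),
    ("servers", "backups", "tcp/22", False),  # should have worked
    ("iot", "mgmt", "tcp/443", False),
]

if __name__ == "__main__":
    for kind, src, dst, svc in check_observed(OBSERVED):
        print(f"{kind:6} {src} -> {dst} {svc}")
```

Run it after each device move; an empty findings list is the signal to move the next one, and a "broken" entry for the management VLAN is the cue to stop before the change that would lock you out.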