The short version: I put cheap WiFi bulbs on the same subnet as my NAS for too long. Nothing bad happened, but the guilt was motivational.
I carved out:
- Trusted: workstations, NAS, wired AP backhaul
- IoT: cameras, random ESP things, guest gadgets
- Lab: VMs and experiments that should not touch production DHCP
Big lesson: label switch ports before you move cables. I spent an evening convinced a trunk was broken when I had simply plugged into the wrong patch panel row.
DNS filtering on the IoT VLAN is next. I am trying not to turn this into a second job.
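As an added example (not the post's own configuration), this captures the three-segment carve-out above and the planned IoT DNS filtering as a small policy that sample flows can be checked against: default deny between segments, DHCP confined to its own segment so lab experiments cannot reach production DHCP, and IoT name resolution pinned to one filtering resolver. The subnets, ports and resolver address are assumptions; the post gives none.

```python
import ipaddress

# Constructed subnets for the three segments (assumption; not from the post).
SEGMENTS = {
    "trusted": ipaddress.ip_network("10.0.10.0/24"),  # workstations, NAS
    "iot": ipaddress.ip_network("10.0.20.0/24"),      # bulbs, cameras, ESP boards
    "lab": ipaddress.ip_network("10.0.30.0/24"),      # VMs and experiments
}
# Hypothetical filtering resolver that IoT devices are forced to use.
IOT_DNS_RESOLVER = ipaddress.ip_address("10.0.20.1")

# Explicit inter-segment allows as (src_segment, dst_segment, dst_port).
# Trusted may reach into IoT and Lab; nothing in IoT or Lab initiates to Trusted.
ALLOW = {
    ("trusted", "iot", 554),  # view a camera's RTSP stream from a workstation
    ("trusted", "iot", 80),   # device web UIs
    ("trusted", "lab", 22),   # ssh into a lab VM
}

def segment_of(ip):
    """Name of the segment containing ip, or None if it is outside all three."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def flow_allowed(src, dst, dst_port, proto="tcp"):
    """Return (allowed, reason) for a flow src -> dst:dst_port under the policy."""
    s = segment_of(src)
    if s is None:
        return False, "source not in a known segment"
    # IoT devices may only resolve names via the filtering resolver.
    if s == "iot" and dst_port == 53:
        ok = ipaddress.ip_address(dst) == IOT_DNS_RESOLVER
        return ok, "iot dns pinned to filtering resolver"
    d = segment_of(dst)
    if d is None:
        return False, "destination not in a known segment"
    # DHCP stays inside a segment: a lab VM never talks to the production server.
    if proto == "udp" and dst_port in (67, 68):
        return s == d, "dhcp confined to own segment"
    if s == d:
        return True, "intra-segment"
    if (s, d, dst_port) in ALLOW:
        return True, "explicit allow"
    return False, "default deny between segments"

def denied_flows(flows):
    """Filter a list of (src, dst, port, proto) tuples down to the denied ones."""
    return [f for f in flows if not flow_allowed(*f)[0]]
```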