Managed switch with VLAN, WLAN AP with VLAN. My Ubiquiti networking stuff does this, but if you want a decently priced 10 Gbit managed switch, you're SOL. You'll end up with China stuff.
I do have Ubiquiti, actually, including two 8x10G SFP+ USW-Aggregation, but AFAIK all devices within a VLAN can still communicate with one another. In an ideal world I'd want them to be completely isolated from one another unless I explicitly set up an ACL allowing access.
Within a VLAN, sure, but that is why you should use separate VLANs. Because when you use the same one, you explicitly say: I want those devices to be able to connect to each other.
I just use two.
One for IoT, guest WiFi, etc.
And one for our server, laptops/PC, and mobile devices.
Right, so one VLAN per group of IoT devices you want to segregate together, e.g. a bunch of security cameras and their NVR would go in one VLAN, a sprinkler controller on a separate VLAN, and so on.
I'm on a single VLAN and associated WLAN for all my IoT devices but I would also like to segregate them further. The 4-WLAN limit on Unifi does limit what can be done, however.
You can do client isolation on the WAP. If you do this, the clients cannot contact each other. Then, on the switch you can assign like 4k VLANs. But I'm not sure how to do that. Because all the data arrives on the same port. But in theory, you have a DHCP server for say a /24 and you could give each of those IPs their own VLAN.
FWIW, I try to use wired as much as possible. Although for security cameras people like to use PoE, and I think if you can get physical access to the PoE port, you can also try a MITM or a physical sniffer; for examples, see the stuff Hak5 sells.