I forgot that I actually do have a small poe+ switch for the cameras. I need a router with more interfaces though. I vlan all the crap I don't want talking to other things. I wish I could define a lan where anything on it had 0 permission to talk to anyone at all, even peers. Don't speak unless spoken to.
Maybe some fancy switches can do that.
I think this can be done at l2, I have heard of something like that but anytime you have tagged traffic access you can hijack a connection. Which I assume is the case for your hypervisor hosts (it is for mine) I need to be able to put VMs on certain vlans and the host needs to be isolated. So at that point it doesn't really matter what you do if anything on l2 can access it if it wants to.
