Home Networking · Apr 13, 2026 · 8 min read

Managed Switch for VLANs Home Networks Tested

Managed Switch for VLANs in a Home Network

A managed switch with real 802.1Q support isolates your self-hosted services, IP cameras, IoT devices, and trusted user LAN onto separate broadcast domains on the same physical cabling. A consumer router with a "VLAN support" checkbox usually does not, because its internal switch chip was not designed for the workload, and its software strips tags at the first misconfigured port. The difference shows up the first time a compromised smart bulb sits on the same subnet as your Postgres instance.

This guide walks through what 802.1Q tagging actually does, which chipsets deliver real VLAN forwarding, how much buffer and TCAM you need for a 4K camera plus Docker workload, and the five-step trunk configuration that prevents the failure modes that kill most home deployments.

How 802.1Q Tagging Actually Works

The 802.1Q VLAN tag is a 4-byte insert between the source MAC address and the original EtherType. Two bytes hold a TPID fixed at 0x8100 (which tells the receiving device "this is a tagged frame"). The remaining two bytes hold a 3-bit priority field, a 1-bit drop-eligible indicator, and a 12-bit VLAN ID. That 12-bit VID is why the theoretical VLAN count tops out at 4094 usable values. The spec is simple. Real switches often are not.

The tag travels with the frame across any link configured as a trunk. At an access port, the switch strips the tag on egress and tags inbound untagged traffic with the port's PVID (port VLAN ID). This is what lets you plug a dumb IoT device into an access port assigned to VLAN 30, and have that device talk only to VLAN 30 without knowing tagging exists.

Three things commonly break this:

  1. Native VLAN mismatch. If a trunk on switch A treats VLAN 1 as native (untagged) and switch B treats VLAN 10 as native, traffic leaks between the two. Consumer switches often default every port to VLAN 1 untagged with no way to remove it. Fix: explicitly configure the native VLAN as an unused ID on every trunk, or remove native entirely if the switch allows it.
  2. MTU mismatch. A standard Ethernet frame carries a 1500-byte payload. Add the tag and that grows to 1504 bytes. Many routers accept 1500 on the subinterface by default and silently drop anything larger. Docker pulls routinely produce full-size frames, which exceed 1500 as soon as the tag is added. Fix: set MTU to 1504 minimum end-to-end, or enable jumbo frames at 9000 everywhere.
  3. Firmware VLAN 1 leakage. Some consumer switches route management traffic over VLAN 1 regardless of how you configure the rest. That means the switch management web UI is reachable from any port that accepts untagged traffic. Fix: pick a switch whose management VLAN is explicitly configurable, and set it to a VID that no other port carries.

Verify trunk behavior with tcpdump -e -i eth0 vlan on the router. If you do not see 0x8100 in the Ethernet header for tagged traffic, the switch is stripping tags somewhere along the path.
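To make the tag layout concrete, here is an added Python example (not from the original article) that inserts, parses and strips an 802.1Q tag on a constructed frame, the same 0x8100 marker that tcpdump -e shows; the MAC addresses, the sample frame and the function names are assumptions for illustration.

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q tag protocol identifier, what tcpdump -e shows for tagged frames
TPID_8021AD = 0x88A8  # 802.1ad (QinQ) outer tag; parsed the same way here

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, optional 802.1Q tag fields and payload.
    The tag sits between the source MAC and the original EtherType: 2 bytes TPID
    plus 2 bytes TCI (3-bit PCP, 1-bit DEI, 12-bit VID)."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than the 14-byte Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "pcp": None, "dei": None, "vid": None}
    ethertype, offset = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < 18:
            raise ValueError("tagged frame truncated inside the VLAN tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        info["pcp"] = tci >> 13           # priority code point (3 bits)
        info["dei"] = (tci >> 12) & 1     # drop eligible indicator (1 bit)
        info["vid"] = tci & 0x0FFF        # VLAN ID (12 bits)
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    info["ethertype"], info["payload"] = ethertype, frame[offset:]
    return info

def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a tag, as a switch does when an access port's inbound frame (stamped
    with the PVID) is forwarded out of a trunk. VID 0 and 4095 are reserved,
    which is why only 4094 of the 4096 encodable values are usable."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VID {vid} is reserved or out of range (usable: 1-4094)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0-7 and DEI must be 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as an access port does on egress."""
    if struct.unpack("!H", frame[12:14])[0] in (TPID_8021Q, TPID_8021AD):
        return frame[:12] + frame[16:]
    return frame

# Constructed sample: an untagged IPv4 frame with a full 1500-byte payload, the
# size that becomes 1504 bytes of tag+payload once a trunk adds the 4-byte tag.
SAMPLE_UNTAGGED = bytes.fromhex("001122334455 66778899aabb 0800") + b"\x00" * 1500

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_UNTAGGED, vid=30, pcp=5)
    print(len(SAMPLE_UNTAGGED), "->", len(tagged))   # 1514 -> 1518 bytes on the wire
    print({k: v for k, v in parse_frame(tagged).items() if k != "payload"})
```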

Chipsets That Determine Real Forwarding Performance

Consumer "smart" switches mostly ship with one of three ASIC families. The silicon determines whether the VLAN marketing on the box is real.

Realtek RTL8380 and RTL9300. The RTL8380 is the budget workhorse. It lists 16K MAC entries, 4K VLANs, and 11.9 Mpps forwarding on an 8-port gigabit switch. In practice the TCAM (ternary content-addressable memory, where ACLs and VLAN matching live) is small and shared across features. Enable port isolation, a handful of ACLs, and multicast filtering, and the effective VLAN count collapses well below 4K. The RTL9300 doubles the buffer and adds dedicated QoS hardware. That difference separates a $45 switch from a $120 one under real load.

Broadcom BCM53xx. Ubiquiti UniFi switches use these. Larger TCAM, dedicated per-port buffers, and hardware offload for common features. Forwarding stays consistent under IGMP join storms that push Realtek units into latency spikes.

Marvell Prestera. MikroTik uses Marvell silicon on the CRS326 class. The best raw throughput-per-dollar in the consumer managed space, with genuine 4K VLAN support and reasonable buffer sizes. The tradeoff is MikroTik's CLI-first configuration, which is a steeper learning curve than a web-only switch.

None of these chipsets do Layer 3 routing at wire speed in the budget segment. Inter-VLAN routing happens on your router CPU. That matters the first time east-west traffic between two Docker subnets hits 500 Mbps and your firewall CPU saturates at 60%.

Buffer Memory and Why the Spec Sheet Hides It


A 4K IP camera can burst 300 KB of video data in 10 ms during motion events. Eight cameras doing that simultaneously is 2.4 MB of bursty traffic the switch has to absorb before the NVR port dequeues. Budget switches ship with 1-2 MB of shared packet memory across all ports. Enterprise switches ship 12 MB or more. The gap shows up as microbursts of dropped frames that appear in NVR logs as "gaps" but come from the switch, not the camera.

Shared memory allows dynamic allocation but creates head-of-line blocking. One noisy camera queue can starve a latency-sensitive container workflow. Dedicated per-port buffers prevent that at the cost of total capacity. On mixed workloads with both bursty video and steady API traffic, dedicated buffers usually win.

IGMP snooping behavior is the third hidden variable. Home Assistant's mDNS traffic publishes device discovery packets at regular intervals. Without a proper IGMP querier on the network, the switch floods those packets to every port in every VLAN. That floods the camera VLAN with irrelevant traffic and wastes buffer space. Enable IGMP snooping per VLAN and designate one device (usually the router) as the querier.

PoE Switches and Camera Loads

If the managed switch is also powering IP cameras over PoE, the power budget becomes a second variable. Realistic load math:

Load              Typical draw   Peak draw (dusk IR + motor)
4K fixed bullet   3-8 W          11-13 W
PTZ with IR       15-25 W        35-45 W
Doorbell camera   4-6 W          8-10 W

A 120 W PoE+ switch marketed for "up to 8 cameras" realistically powers 5-6 cameras once you include peak draw and the 15% loss through cable resistance. The switch will shed lower-priority ports first when total draw crosses the PSU limit. Enable per-port monitoring so you catch the shed events before residents notice a camera went offline at 8 PM for three minutes.

Power Draw at the Switch Itself

An 8-port gigabit managed switch idles at 5-8 W. Load with four PoE cameras at 7 W each and total draw hits 33-40 W at the wall. Annual electricity for the switch alone runs $8-12. The switch is almost never the biggest line item in a home network's power budget. The router and the NVR usually are.

Cost Bands That Actually Ship in 2026

Model                     Chipset            Ports           PoE Budget   Max VLANs   Idle   Street Price
TP-Link TL-SG108E         RTL8380            8×1G            None         32 usable   6 W    $40
Ubiquiti USW-Lite-8-PoE   Broadcom BCM53xx   8×1G            52 W         4K          9 W    $130
MikroTik CRS326-24G-2S+   Marvell            24×1G + 2×10G   None         4K          12 W   $180
TP-Link TL-SG2210MP       Realtek            8×1G + 2 SFP    150 W        4K          11 W   $160

The SG108E is a reasonable starter for a 5-device VLAN setup if you accept that 32 VLANs is the real ceiling. The UniFi Lite hits the sweet spot for cameras plus self-hosting on one box. The MikroTik is the enthusiast pick when port count and 10 GbE uplink matter more than GUI polish.

Configuring Trunks and Access Ports

  1. Define the VLANs on the switch. Create at minimum VLAN 10 (services), VLAN 20 (cameras), VLAN 30 (IoT), VLAN 40 (trusted user LAN). Do not reuse VLAN 1 for anything. Set the management VLAN to an unused ID (e.g., 99) if the switch supports it.
  2. Configure the uplink port as a trunk. Tag VLANs 10, 20, 30, and 40. Remove the native VLAN or set it to an unused ID. The uplink goes to your router, which needs matching sub-interfaces.
  3. Assign access ports. Each access port receives untagged membership in exactly one VLAN, with that VLAN set as the PVID. Disable spanning tree on ports connected to the router. Enable STP only between multiple switches.
  4. Mirror the setup on the router. Create sub-interfaces (em0.10, em0.20, em0.30, em0.40 on OPNsense or pfSense). Assign IP ranges. Write firewall rules that allow only the flows you need. Default deny between VLANs. Allow the services VLAN to reach upstream DNS. Allow the IoT VLAN to reach only specific cloud endpoints.
  5. Save and verify. Write the switch config to flash. Reboot the switch. Run show vlan brief and show interfaces switchport. Confirm every trunk carries exactly the VIDs you expect and no more. Capture with tcpdump -i em0.10 and confirm the 0x8100 tag is present on the router side.

That sequence takes 45 minutes the first time. Every subsequent device that joins the network slots into an existing VLAN without reconfiguring anything.

Failure Modes That Kill Home VLAN Deployments

Native VLAN leak. Untagged traffic lands in VLAN 1 by default, which acts as an invisible second network that crosses all your careful segmentation. Fix: remove VLAN 1 from every trunk. Set the native VLAN to an unused ID.

STP loops. If you connect two switches with trunks on both ends and forget to prune unused VLANs, a single loop floods the entire Layer 2 domain. Lights blink in unison across every device for seconds at a time. Enable STP, prune unused VLANs from every trunk, and pick a root bridge deliberately.

MTU black holes. Docker image pulls stall at 80% completion because full-size TCP segments arrive as 1504-byte tagged frames at a router subinterface whose MTU is still 1500. Enable jumbo frames end-to-end or bump the router subinterface MTU to 1504.

Orphaned mDNS. Home Assistant publishes mDNS on VLAN 10 (services) but the light bulbs live on VLAN 30 (IoT). Without an mDNS reflector, HA never discovers the bulbs. Install Avahi or pfSense's mDNS reflector and whitelist the specific service types you want to cross.

Diagnostic commands worth knowing: show spanning-tree, show vlan brief, show mac address-table, tcpdump -vv -i any vlan. The fix sequence when VLANs misbehave is always the same: verify trunks carry the right tags, verify the router has matching sub-interfaces, verify firewall rules permit the expected flows, verify MTU is consistent, save the config.
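As an added example (not the article's own tooling), the following Python audit encodes the step 5 checks from the trunk procedure above and the native VLAN, pruning and MTU failure modes from this section, run against a constructed port table; the port names, the parking VLAN 999 used as trunk native, and the Port model are assumptions, and a real run would be fed from the output of show vlan brief and show interfaces switchport.

```python
from __future__ import annotations
from dataclasses import dataclass

EXPECTED_TRUNK_VIDS = {10, 20, 30, 40}   # services, cameras, IoT, trusted LAN
MGMT_VID, PARKING_VID = 99, 999          # management VLAN; unused ID for trunk native
MIN_SUBIF_MTU = 1504                     # 1500-byte payload plus the 4-byte tag

@dataclass
class Port:
    name: str
    mode: str                              # "trunk" or "access"
    untagged: int | None = None            # native VLAN (trunk) / member VLAN (access)
    pvid: int | None = None                # VLAN stamped onto inbound untagged frames
    tagged: frozenset[int] = frozenset()   # VIDs carried tagged (trunks only)

def audit(ports, trunk_links, subif_mtus) -> list[str]:
    """Findings for step 5; empty means the config matches steps 1-4. trunk_links
    pairs both ends of each trunk, subif_mtus maps router sub-interface -> MTU."""
    f = []
    for p in ports:
        if p.mode == "trunk":
            if 1 in p.tagged or p.untagged == 1:
                f.append(f"{p.name}: VLAN 1 on trunk (native VLAN leak)")
            if p.untagged in EXPECTED_TRUNK_VIDS:
                f.append(f"{p.name}: native VLAN {p.untagged} is a production VLAN")
            if extra := p.tagged - EXPECTED_TRUNK_VIDS:
                f.append(f"{p.name}: prune unexpected VIDs {sorted(extra)}")
            if missing := EXPECTED_TRUNK_VIDS - p.tagged:
                f.append(f"{p.name}: trunk is missing VIDs {sorted(missing)}")
        else:  # access port: exactly one untagged VLAN, PVID equal to it
            if p.tagged:
                f.append(f"{p.name}: access port must not carry tagged VLANs")
            if p.untagged is None or p.pvid != p.untagged:
                f.append(f"{p.name}: PVID {p.pvid} != untagged VLAN {p.untagged}")
            if p.untagged in (1, MGMT_VID):
                f.append(f"{p.name}: access port exposes VLAN {p.untagged}")
    for a, b in trunk_links:
        if a.untagged != b.untagged:
            f.append(f"{a.name}<->{b.name}: native VLAN mismatch ({a.untagged} vs {b.untagged})")
    for subif, mtu in subif_mtus.items():
        if mtu < MIN_SUBIF_MTU:
            f.append(f"{subif}: MTU {mtu} black-holes tagged full-size frames (need {MIN_SUBIF_MTU})")
    return f

# Constructed sample: a first attempt with the classic mistakes, then the same ports fixed.
SW_UP = Port("sw1/g1", "trunk", 1, tagged=frozenset({1, 10, 20, 30, 40, 50}))
RT_UP = Port("router/em0", "trunk", 10, tagged=frozenset({10, 20, 30, 40}))
BAD = audit([SW_UP, RT_UP, Port("sw1/g2", "access", 20, pvid=1)], [(SW_UP, RT_UP)], {"em0.10": 1504, "em0.20": 1500})
SW_OK = Port("sw1/g1", "trunk", PARKING_VID, tagged=frozenset(EXPECTED_TRUNK_VIDS))
RT_OK = Port("router/em0", "trunk", PARKING_VID, tagged=frozenset(EXPECTED_TRUNK_VIDS))
GOOD = audit([SW_OK, RT_OK, Port("sw1/g2", "access", 20, pvid=20)], [(SW_OK, RT_OK)], {"em0.10": 1504, "em0.20": 1504})
```

BAD lists six findings (VLAN 1 and VID 50 on the uplink, a production native VLAN on the router end, the resulting native mismatch, a PVID that does not match the access VLAN, and the 1500-byte em0.20 MTU); GOOD is empty.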

The Counterintuitive Reliability Win

A home network with one flat VLAN and 40 IoT devices plus eight cameras generates thousands of mDNS and SSDP discovery packets per minute. Every host sees every packet. The router CPU spends cycles processing traffic the host will ignore anyway. Split the network into four VLANs and each host sees only its own segment's chatter. Router CPU usage at idle drops from an 18% average to 6%. That headroom goes to actual workloads.

The tag is not decoration. It is the only thing keeping the compromised smart plug on VLAN 30 from reaching the Postgres instance on VLAN 10 over the same physical cable. A $120 managed switch plus 45 minutes of config is the cheapest security improvement available for a self-hosting home network.


Founder, TruSentry Security | Technology Editor, EG3

Founder of TruSentry Security. Installs the cameras, reads the datasheets, and writes about what the spec sheet got wrong.