For security reasons, I decided to put my IoT devices on their own network using VLANs. I also had a desire to restrict certain devices to only have access to the Internet but not any other devices on my network. This should help reduce the likelihood of a hacked device from trying to traverse through the network by hacking other devices. A good example of a device on my network that only needs Internet access would be the 3rd gen Apple TV (affiliate link). I only want that device to access various Internet streaming video services and nothing else on my home network.
By simply placing all of my IoT devices in their own network, I have effectively separated them from my other devices on my network. However, the devices within the IoT network are still able to freely communicate with one another. I eventually discovered through experimentation (since the documentation did not clearly state the possibility of this scenario) that you can use port isolation in conjunction with VLANs (at least on my TP-Link switch (affiliate link)). This allows you to keep your IoT devices on the same network with the same firewall rules but also have an extra layer of security to prevent communication among certain devices within the same IoT VLAN.
You may be able to achieve this same level of separation using private VLANs, which are like VLANs inside other VLANs, but I think configuring port isolation is easier to configure especially when only a few devices need to be isolated. It is probably best to avoid extra complexity whenever possible since it makes troubleshooting issues much less difficult. Of course, if you want to go all out for learning purposes, please do so! A home lab is a great place to test more complex configurations (remember, life is better for you and your family if you can keep your family pleased by having a stable and secure home network).
I initially started isolating ports on my IoT devices and then I started moving to other devices on the network including my wireless access points (affiliate link). I only allowed the wireless AP’s to access the router port. Since I am using VLANs, all traffic routing between the VLANs (inter-VLAN communication) will need to be directed through the router so the isolated ports can still communicate indirectly through the router. While this seemed to work perfectly fine in most scenarios, I discovered a few situations which do not work properly.
I could not ping any of my wireless devices (I allow internal pings to occur but block external pings), and I also discovered that port isolation on my wireless AP’s blocked the AirPrint functionality on my HP printer (affiliate link). Since it is convenient to be able to print from my iPhone, I wanted to ensure that AirPrint works properly.
My recommendation is to not enable port isolation on any network infrastructure devices: routers, switches (if you have other switches plugged into your main switch), and access points. Since they need to route traffic to various other devices on the network, I think it is best to let them have access to all of the ports on your switch. You may rely on VLANs and firewalls to restrict further access between network devices.