Frankly, all we needed was a switch where you can add VLAN tags and send them to a trunk port. And I suppose a password on the "I would like this VLAN on this port, please" interface is also necessary, but I think that already concludes the grand list of requirements. Everything else we control on the router.
It doesn't have to be network equipment in the traditional sense: any old Linux server will do, it's just that it needs to have a couple dozen network ports. Traffic can be limited to a gigabit per second between all the ports combined (no need for multi-gigabit backplanes or switch fabrics or whatever the correct term for that is). I'd almost buy a big USB hub and connect USB–Ethernet adapters, but that feels more hacky than core infrastructure is supposed to be.