A switch can pass VLAN-tagged packets through it even if it doesn’t understand VLANs itself.
The switch only has to be VLAN aware if you want the switch port itself to assign the VLAN tag.
As long as your access point is capable of VLAN tagging, that should be sufficient for your scenario. Some access points like Ubiquiti can handle multiple SSIDs with different VLANs. If your device supports it then it should be fine.
A managed switch will make your life easier, but it’s optional, especially if the hardware you’re going to plug into the switch can do its own VLAN management, like Linux.
Depending on your threat model, you might require the switch itself to be VLAN-aware so that sensitively tagged packets are not exposed physically to untrusted devices.
If you’re choosing your switch: how many devices do you want to plug into it, how many devices might you grow into in the future, what throughput requirements do you have, do you want managed or unmanaged, does it need to be able to deliver PoE? The more things you say yes to, the more expensive the switch.
Depending on how much you want to learn vs. things just working: Most learning - a Linux machine with a bunch of Ethernet ports (you can get 4x/8x Ethernet PCIe cards dirt cheap now); do everything for your switch in Linux. The most reliable and hands-off “it just works” - a UniFi managed switch.
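The threat-model point above, as an added example that is not part of the original comment: a small Python model of how a VLAN-unaware and a VLAN-aware switch flood the same 802.1Q-tagged broadcast frame. The port numbers, VLAN IDs 10 and 20, MAC addresses and port configuration are constructed for illustration, and the aware switch is simplified (no native VLAN, no MAC learning).

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def add_tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag (TPID + PCP/DEI/VID) after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + frame[12:]

def strip_tag(frame):
    return frame[:12] + frame[16:]

def vlan_of(frame):
    """Return the VLAN ID carried in the frame, or None if it is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None

def unaware_flood(frame, in_port, ports):
    """VLAN-unaware switch: the tag is opaque, so every other port gets the frame as-is."""
    return {p: frame for p in ports if p != in_port}

def aware_flood(frame, in_port, config):
    """VLAN-aware switch. config maps port -> ("access", vid) or ("trunk", {vids})."""
    mode, vlans = config[in_port]
    vid = vlan_of(frame)
    if mode == "access":
        if vid is not None:
            return {}                    # tagged frame on an access port: drop
        vid, untagged = vlans, frame     # the port itself assigns the VLAN
    else:
        if vid not in vlans:
            return {}                    # untagged or disallowed VLAN on trunk: drop
        untagged = strip_tag(frame)
    out = {}
    for port, (pmode, pvlans) in config.items():
        if port == in_port:
            continue
        if pmode == "access" and pvlans == vid:
            out[port] = untagged         # member access port: tag removed
        elif pmode == "trunk" and vid in pvlans:
            out[port] = add_tag(untagged, vid)
    return out

# Constructed sample: broadcast frame from the AP, tagged for VLAN 10 (trusted SSID).
UNTAGGED = b"\xff" * 6 + bytes.fromhex("020000000001") + struct.pack("!H", 0x0800) + b"constructed payload"
FRAME = add_tag(UNTAGGED, 10)
# Port 1: AP trunk, 2: Linux router trunk, 3: trusted desktop, 4: untrusted device.
CONFIG = {1: ("trunk", {10, 20}), 2: ("trunk", {10, 20}), 3: ("access", 10), 4: ("access", 20)}

if __name__ == "__main__":
    print("unaware:", {p: vlan_of(f) for p, f in unaware_flood(FRAME, 1, CONFIG).items()})
    print("aware:  ", {p: vlan_of(f) for p, f in aware_flood(FRAME, 1, CONFIG).items()})
```

On the unaware switch the untrusted device on port 4 receives the VLAN 10 frame with its tag intact; on the aware switch port 4 receives nothing.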