You've got it... this is precisely what I do on my own LAN at home. I have all of my IoT devices set up as subtenants. On my LAN interface, I have a neighborhood named (creatively) "newton-lan". Then I've created a series of tenants/subtenants for the various categories of devices on my LAN: trusted, guest, and iot are my top level categories right now. Underneath iot, for example, are subtenants for the different vendor IoT devices (e.g., nest.iot, wemo.iot).
This way you can set up services for "internet" and have an access policy to allow "iot" and all of the subtenants get it automatically. (Personally, I have my IoT devices loop through a Squid proxy en route to their destinations on the internet... just for kicks.)
I've been writing up some of my own experience with my LAN conversion to 128T on my personal blog, and covered this topic specifically:
https://blog.pepperland.cloud/2018/09/ipam-evolution-step-1.html