Computer networks

Which switch to take to the access level for a small provider?

Good day to all.
The task was to upgrade the network of a small novice provider. The first thing we encountered was the replacement of unmanaged access switches with something adequate. However, I doubt the choice of model. I would like to maintain a balance of price / quality / functionality.
The requirements are as follows:
- CLI is possible even without WEB muzzle.
- VLAN, Management VLAN. I don't think it's even discussed.
- Loopback Detection in case the user makes a loop on his soap box
- Multicast. You will need to launch IPTV. Need adequate multicast support.
- IP-MAC-Port Binding. It is necessary to exclude the appearance on the network of IP addresses assigned by users themselves. And to provide authorization of users in a network. You also need to exclude ARP Spoofing.
- Traffic segmentation aka private vlan. There is no urgent need for clients to communicate with each other. If they are isolated in this way, then all sorts of spoofing attacks can be stopped in the bud.
- DHCP protection from pool exhaustion, i.e. limiting the number of DHCP requests per port. Excluding the appearance of a DHCP server from the user's side - suddenly, by chance, instead of WAN, he will connect his LAN port.
- Broadcast/multicast/unicast storm protection Highly
desirable:
- Spanning Tree protocols
- Link aggregation
- Access control lists
- CLI over SSH
- QoS. Just in case there is an overload. Some access switches are daisy-chained.
- DHCP Relay Option 82. I would like to automate user authorization and not be tied to their MAC addresses.
Can anyone tell me what other useful technologies?
This description fits the DLink DES-3200 series. Operating experience shows something they are buggy but work tolerably.
Also suitable for this description:
- DLink DES-1210/ME
- Eltex MES1124M
but I did not use them. Question to those who have used them: how is it? What other models can you offer?