Welcome to the Community. You are correct, the traffic will need to be tagged at some point. It can be done at the three points you indicated. You will only have to do this at one of the three points. Ideally you will want to do the tagging at the virtual switch or virtual port group level.
But this is not the only thing you will need to do:
- You will also have to configure the physical switch ports so that they know they will be getting different tagged packets.
- You will need to set up a gateway for that VLAN on your router/firewall so that traffic can move between different VLANs/LAN segments.