AP Cybersecurity Unit 3 Lesson 4 Exercise 1
Exercise 1 — Network Segmentation Analysis
6 questions — Evaluate VLAN designs and segmentation policies
Sycamore School District serves 5,000 students across 8 schools. The district network includes student Chromebook traffic, teacher workstations with access to the student information system (SIS), administrative offices handling payroll, a guest Wi-Fi network for visitors, and IoT devices (security cameras, HVAC controllers). All traffic currently flows through a single flat network with no segmentation.
(A) Incorrect — switches forward traffic based on MAC addresses but do not isolate devices into security zones without VLANs.
(B) Incorrect — if the entire district uses one /16 subnet, inter-building traffic stays within the same broadcast domain.
(D) Incorrect — network scanners work on any IP-connected medium, wired or wireless.
(A) Incorrect — VLANs do not encrypt traffic; they create logical boundaries, not cryptographic ones.
(C) Incorrect — VLANs separate traffic but inter-VLAN routing still needs firewall rules to enforce access control.
(D) Incorrect — while VLANs can reduce broadcast traffic, the primary benefit described here is security, not performance.
(A) Incorrect — moving the SIS to the teacher VLAN eliminates segmentation of administrative systems and exposes the SIS to all teacher-VLAN threats.
(C) Incorrect — disabling all inter-VLAN routing would break legitimate cross-zone communication (teachers need admin resources, IoT needs management, etc.).
(D) Incorrect — merging VLANs defeats the purpose of segmentation.
(A) Incorrect — ARP poisoning works within a single broadcast domain and does not require trunk port access.
(C) Incorrect — DNS spoofing targets the DNS protocol, not VLAN tagging.
(D) Incorrect — trunk ports do not inherently provide more bandwidth for attack traffic.
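The three rejected options above all rest on one point: the attack in question depends on a port that will carry tagged traffic for more than one VLAN, so the defensive check is to make sure no edge port can become a trunk without the administrator intending it. The script below is an added example and is not part of the exercise; it audits a constructed Cisco IOS-style switch configuration (interface names, descriptions and VLAN numbers are all made up here) and flags ports that could negotiate a trunk or that trunk every VLAN. Treating an interface with no `switchport mode` line as one that can still negotiate is an assumption about the switch platform's default.

```python
import re

# Constructed switch configuration fragment (not from the exercise).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Camera-Lobby
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/0/2
 description Spare
 switchport access vlan 50
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 description Spare-no-mode
 switchport access vlan 50
!
interface GigabitEthernet1/0/24
 description Uplink-to-core
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Split a running-config into {interface name: [config lines]}."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None          # '!' closes the interface block
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def audit_interface(lines):
    """Return a list of findings for one interface; empty list means clean."""
    findings = []
    mode = None
    for line in lines:
        match = re.match(r"switchport mode (\S+)", line)
        if match:
            mode = match.group(1)
    nonegotiate = "switchport nonegotiate" in lines
    prunes_vlans = any(l.startswith("switchport trunk allowed vlan") for l in lines)

    if mode == "access":
        return findings             # pinned to one VLAN, cannot become a trunk
    if mode == "trunk":
        if not nonegotiate:
            findings.append("trunk still answers DTP; add 'switchport nonegotiate'")
        if not prunes_vlans:
            findings.append("trunk carries every VLAN; prune with 'switchport trunk allowed vlan'")
        return findings
    # Assumption: a port with no explicit mode (or a 'dynamic ...' mode)
    # can still be negotiated into a trunk by its link partner.
    shown = mode if mode else "unset"
    findings.append(f"mode '{shown}' allows trunk negotiation; set 'switchport mode access'")
    return findings


def audit_config(config):
    """Audit every interface and return {interface name: [findings]}."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Running it against the sample flags the two spare ports as able to negotiate a trunk and the uplink as a trunk that neither disables negotiation nor prunes VLANs, while the camera port configured as a plain access port produces no findings.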
(B) Not contained — broadcast traffic stays within VLAN 50; the firewall does not block intra-VLAN broadcasts.
(C) Not contained — other cameras are on the same VLAN 50, so the compromised camera can reach them directly without crossing the firewall.
(D) Not contained — the firewall explicitly allows traffic to the management server on port 554.
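The containment options above hinge on where the firewall sits: it only sees traffic that is routed between VLANs, so anything a compromised camera sends to another host on VLAN 50 never reaches it, and the one inter-VLAN flow the policy permits (port 554 to the management server) is allowed by design. The model below is an added example, not part of the exercise, that makes that reasoning executable. VLAN 50 for the cameras and the port-554 allow rule come from the exercise; the host names, the VLAN numbers of the other zones, the HVAC controller sharing the IoT VLAN and the default-deny rule are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int


# Constructed inventory for the exercise's scenario. VLAN 50 holds the cameras
# (from the exercise); every other VLAN number here is an assumption.
HOSTS = {
    "camera-lobby": Host("camera-lobby", 50),
    "camera-gym": Host("camera-gym", 50),
    "hvac-controller": Host("hvac-controller", 50),   # assumed to share the IoT VLAN
    "camera-mgmt": Host("camera-mgmt", 60),           # management server, assumed VLAN 60
    "sis-db": Host("sis-db", 30),                     # SIS, assumed VLAN 30
}

# Firewall policy: first match wins, evaluated ONLY for routed (inter-VLAN) traffic.
# Each rule is (source VLAN, destination host or None for any, port or None for any, action).
FIREWALL_RULES = [
    (50, "camera-mgmt", 554, "allow"),   # from the exercise: cameras may reach mgmt on 554
    (50, None, None, "deny"),            # constructed default: nothing else leaves VLAN 50
]


def firewall_decision(src_vlan, dst_name, dst_port):
    """Apply the inter-VLAN policy; anything unmatched is denied."""
    for rule_vlan, rule_dst, rule_port, action in FIREWALL_RULES:
        if rule_vlan == src_vlan and rule_dst in (None, dst_name) and rule_port in (None, dst_port):
            return action
    return "deny"


def evaluate_flow(src_name, dst_name, dst_port):
    """Return (path, verdict): intra-VLAN flows bypass the firewall entirely."""
    src, dst = HOSTS[src_name], HOSTS[dst_name]
    if src.vlan == dst.vlan:
        return ("intra-vlan", "allow")
    return ("inter-vlan", firewall_decision(src.vlan, dst_name, dst_port))


def broadcast_domain(host_name):
    """Hosts that receive this host's broadcasts: everything else on its VLAN."""
    vlan = HOSTS[host_name].vlan
    return sorted(n for n, h in HOSTS.items() if h.vlan == vlan and n != host_name)


def containment_report(compromised, probes):
    """For a list of (destination, port) probes, report which ones the policy lets through."""
    return {
        (dst, port): evaluate_flow(compromised, dst, port)
        for dst, port in probes
    }


if __name__ == "__main__":
    probes = [("camera-gym", 22), ("hvac-controller", 80), ("camera-mgmt", 554),
              ("camera-mgmt", 22), ("sis-db", 443)]
    print("broadcast domain of camera-lobby:", broadcast_domain("camera-lobby"))
    for (dst, port), (path, verdict) in containment_report("camera-lobby", probes).items():
        print(f"camera-lobby -> {dst}:{port}  {path:10s} {verdict}")
```

The report shows the three "not contained" cases directly: the other camera and the HVAC controller are reachable on any port because the flow never leaves VLAN 50, the management server is reachable on 554 because the policy allows it, and only flows such as the SIS on 443 or the management server on a non-554 port are actually stopped by the firewall.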
(A) Valid reason — unmanaged devices on a shared network can introduce malware to managed devices.
(B) Valid reason — VLAN separation + firewall rules prevent guests from reaching internal systems.
(C) Valid reason — separate VLANs allow different QoS and filtering policies per network zone.
AP® is a registered trademark of the College Board, which was not involved in the production of this content.