(B) Incorrect — DMZs provide network isolation, not encryption; TLS handles encryption.

(C) Incorrect — DMZs do not patch servers; that requires a separate patch management process.

(D) Incorrect — DMZ placement is a security architecture decision, not a performance optimization.

(A) Incorrect — the firewall specifically blocks port 445 between VLANs, preventing cross-VLAN SMB spread.

(C) Incorrect — firewalls block traffic; they do not remove malware from infected devices.

(D) Unlikely — ARP spoofing operates within a single broadcast domain (VLAN); it cannot cross VLAN boundaries without router access.

(A) Incorrect — VLAN hopping occurs at the switch level; endpoint antivirus cannot detect or prevent it.

(C) Incorrect — physical locks prevent unauthorized connections but do not protect against misconfigurations on authorized ports.

(D) Incorrect — MAC filtering can be bypassed with MAC spoofing and does not prevent VLAN hopping on trunk ports.

(A) Functional but not best — creating three new VLANs adds administrative overhead and complexity for what is essentially an intra-VLAN isolation problem.

(B) Incorrect — separate physical switches are expensive, inflexible, and unnecessary when logical isolation tools exist.

(D) Incorrect — devices on the same VLAN can communicate directly at Layer 2 regardless of IP subnet; gateway ACLs only control routed traffic.

(A) Important — data sensitivity determines which systems need stronger isolation.

(B) Important — regulatory mandates (FERPA, HIPAA, PCI-DSS) often require specific network isolation.

(D) Important — trust level determines access control policies between zones.