Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 503
A company wants to place an NGFW between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone.
Which option differentiates multiple VLANs into separate zones?
Answer options
- A. Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object.
- B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
- C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.
- D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
Correct answer: B
Explanation
Option B is correct. A virtual wire sits transparently on the trunk, so the core switches keep their existing VLAN and IP design, and virtual wire subinterfaces let the firewall classify traffic by its 802.1Q tag: each subinterface pair carries a single VLAN ID, a tag of 0 matches untagged (native) traffic, and each interface or subinterface is placed in its own zone, so security policy can be written per VLAN between those zones.
Option A does not separate anything: a single virtual wire that allows every tag passes all VLANs through the same two interfaces, so every VLAN shares the same pair of zones (and the valid tag range is 0 to 4094, not 4096). Option C is unworkable as written: Layer 3 interfaces cannot forward traffic without IP addresses, and inserting a routed hop on a trunk between two core switches would require re-addressing and routing changes on the switches. Option D describes the Layer 2 deployment model, where VLAN objects are switching domains and VLAN interfaces are the Layer 3 interfaces the firewall uses to route between them; neither maps the trunk's VLAN tags to zones, and the firewall would take over switching rather than sit transparently between the cores.
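The following PAN-OS CLI sketch of option B is an added example, not part of the original question or of the vendor's documentation. The interface names, VLAN IDs 10 and 20, the virtual-wire object names and the zone names are assumptions chosen for illustration, the lines beginning with # are annotations rather than CLI input, and the exact set syntax should be verified against the running PAN-OS release before use.

```text
# Parent interfaces in virtual-wire mode (constructed example)
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire

# One subinterface per VLAN on each side of the wire, tagged with that VLAN ID
set network interface ethernet ethernet1/1 virtual-wire units ethernet1/1.10 tag 10
set network interface ethernet ethernet1/2 virtual-wire units ethernet1/2.10 tag 10
set network interface ethernet ethernet1/1 virtual-wire units ethernet1/1.20 tag 20
set network interface ethernet ethernet1/2 virtual-wire units ethernet1/2.20 tag 20

# One virtual-wire object per VLAN, allowing only that single tag
set network virtual-wire vw-vlan10 interface1 ethernet1/1.10 interface2 ethernet1/2.10 tag-allowed 10
set network virtual-wire vw-vlan20 interface1 ethernet1/1.20 interface2 ethernet1/2.20 tag-allowed 20

# The parent pair carries untagged (native) traffic: tag 0
set network virtual-wire vw-native interface1 ethernet1/1 interface2 ethernet1/2 tag-allowed 0

# Each interface and subinterface gets its own zone, so policy is written per VLAN
set zone VLAN10-core1 network virtual-wire ethernet1/1.10
set zone VLAN10-core2 network virtual-wire ethernet1/2.10
set zone VLAN20-core1 network virtual-wire ethernet1/1.20
set zone VLAN20-core2 network virtual-wire ethernet1/2.20
set zone native-core1 network virtual-wire ethernet1/1
set zone native-core2 network virtual-wire ethernet1/2

# For contrast, option A collapses to a single wire that admits every tag,
# so all VLANs share the same two zones and cannot be policed separately:
# set network virtual-wire vw-all interface1 ethernet1/1 interface2 ethernet1/2 tag-allowed 0-4094
```

After committing, the switch-facing trunk ports need no change: tagged frames for VLAN 10 and 20 are matched by their subinterfaces, anything untagged falls to the parent pair, and any VLAN without a subinterface and allowed tag is dropped by the firewall, which is the fail-closed behaviour wanted when a VLAN is added on the switches before its zone and policy exist.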