Guest tablets in a conference room use the same physical switches as employee devices. The security team wants guests to have internet access only, with no route to internal subnets. Which design best meets the goal?
A separate VLAN creates logical segmentation, and ACLs enforce which networks the guests can reach.
Why this answer
Option B is correct because placing guest tablets on a separate VLAN segments traffic at Layer 2, and applying ACLs on the Layer 3 interface (SVI or router) drops guest traffic destined for internal subnets while permitting traffic to the internet. This design ensures that even though guests share the same physical switches, their frames stay out of the employee VLANs and their packets cannot be routed to internal resources.
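The design described above, written out as an added configuration example in Cisco IOS-style syntax; it is not part of the original question. The VLAN ID (30), the guest subnet (192.168.30.0/24) and the interface names are constructed, and the internal subnets are assumed to fall within RFC 1918 space.

```cisco
! Added example (not from the original page). Constructed addressing:
! guest VLAN 30 = 192.168.30.0/24; internal subnets assumed inside RFC 1918 space.
!
! Layer 2: a dedicated VLAN for the guest tablets, assigned to their access ports
vlan 30
 name GUEST
!
interface GigabitEthernet1/0/10
 description Conference room guest tablet
 switchport mode access
 switchport access vlan 30
!
! Layer 3: extended ACL applied inbound on the guest SVI.
! Order matters: the denies for internal space must come before the final permit;
! a "permit ip any any" placed first would make the denies unreachable.
ip access-list extended GUEST-INTERNET-ONLY
 remark DHCP must be allowed so guests can obtain an address from the relay
 permit udp any eq bootpc any eq bootps
 remark Block all RFC 1918 space, which covers every internal subnet
 deny   ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark Everything else (public internet) is permitted
 permit ip 192.168.30.0 0.0.0.255 any
!
interface Vlan30
 description Guest SVI, default gateway for 192.168.30.0/24
 ip address 192.168.30.1 255.255.255.0
 ip access-group GUEST-INTERNET-ONLY in
```

Hand guests a public DNS resolver via DHCP; if the resolver is an internal host, add a single `permit udp ... host <resolver> eq domain` line above the denies rather than opening the whole subnet. `show access-lists GUEST-INTERNET-ONLY` shows per-line hit counters, so rising counts on the deny lines confirm both that guests are probing internal space and that the ACL is stopping them.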
Exam trap
The trap here is that candidates confuse authentication/encryption methods (password, WPA3, MAC filtering) with network segmentation, failing to recognize that only Layer 2 VLAN separation combined with Layer 3 ACLs can enforce routing restrictions between subnets.
How to eliminate wrong answers
Option A is wrong because relying on a separate Wi-Fi password does not provide network segmentation; devices on the same VLAN can still communicate at Layer 2, and a guest could potentially discover and access internal hosts. Option C is wrong because stronger WPA3 encryption protects wireless traffic from eavesdropping but does not prevent a guest device from routing to internal subnets if the network is flat (no VLAN segmentation). Option D is wrong because MAC address filtering only controls which devices can connect to a switch port; it does not restrict traffic between VLANs or subnets, so leaving all ports in the default VLAN allows guests to reach internal resources directly.