PrepAway - Latest Free Exam Questions & Answers

Which of the following statements are true regarding a ZFW?

Which of the following statements are true regarding a ZFW? (Select 2 choices.)

A. A zone can contain more than one interface.

B. An interface can reside in more than one zone.

C. The firewall can operate in transparent mode.

D. Stateful packet inspection is supported for multicast traffic.

E. Stateful packet inspection is supported for IPv6 traffic.

Explanation:
With a zone-based policy firewall (ZFW), a zone can contain more than one interface and the firewall can operate in transparent mode. ZFW is the latest iteration of Cisco's stateful firewall implementation, which was formerly called Context-Based Access Control (CBAC). With ZFW, virtual security zones are defined first, and interfaces are then assigned to the appropriate zone. A zone may contain more than one interface; however, an interface may not be assigned to more than one zone.
By default, all traffic is implicitly permitted to flow between interfaces that have been assigned to the same zone, whereas all traffic between zones is blocked. In addition, all traffic to and from an interface is implicitly blocked by default once the interface is assigned to a zone, with a few exceptions: traffic to or from other interfaces in the same zone is permitted, as is traffic to or from the router itself.
In order for traffic to flow between zones, stateful packet inspection policies must be configured to explicitly permit traffic between those zones. Inspection rules can be created for a large number of traffic types, including the following:
Domain Name System (DNS)
Internet Control Message Protocol (ICMP)
Network Basic Input/Output System (NetBIOS)
Sun Remote Procedure Call (RPC)
However, stateful inspection of IP version 6 (IPv6) traffic and of multicast traffic, such as Internet Group Management Protocol (IGMP), is not supported by a ZFW; such traffic must be handled by other security features, such as Control Plane Policing (CoPP).
A ZFW can operate in transparent mode or in routed mode. In transparent mode, a ZFW operates as a Layer 2 firewall, bridging traffic between interfaces and filtering traffic at Layer 3 through Layer 7. The trusted and untrusted interfaces of the firewall are connected to the same IP subnet, and the firewall bridges traffic between the interfaces. By contrast, a ZFW in routed mode operates as a Layer 3 firewall, routing traffic between interfaces and filtering traffic at Layer 3 through Layer 7. The trusted and untrusted interfaces of the firewall are on different IP subnets, and the firewall routes traffic between the interfaces.
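The following Cisco IOS configuration is an added illustration (not taken from the question page or from Cisco's design guide) of the relationships described above: two LAN interfaces placed in one zone, an uplink in a second zone, and a zone pair whose inspect policy is the only thing that lets traffic cross between the zones. The interface names, zone names and the DNS/ICMP/HTTP protocol selection are assumptions for the example.

```text
! Two security zones. An interface belongs to exactly one zone,
! but a zone may hold several interfaces.
zone security INSIDE
zone security OUTSIDE

! Both LAN interfaces join INSIDE, so traffic between them is
! permitted by default without any policy.
interface GigabitEthernet0/0
 description LAN segment A (assumed)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description LAN segment B (assumed)
 zone-member security INSIDE
! The uplink joins OUTSIDE; INSIDE<->OUTSIDE is blocked until a
! zone pair with an inspect policy is configured.
interface GigabitEthernet0/2
 description Internet uplink (assumed)
 zone-member security OUTSIDE

! Traffic types that will be statefully inspected.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol dns
 match protocol icmp
 match protocol http

! Inspect matched traffic (return traffic is allowed by state);
! everything else crossing the zone pair is dropped and logged.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log

! The zone pair is unidirectional: it covers sessions initiated
! from INSIDE toward OUTSIDE only. Sessions initiated from OUTSIDE
! remain blocked because no OUTSIDE->INSIDE zone pair exists.
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE

! Verification after applying the configuration:
!   show zone security
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```

Note that IPv6 and multicast traffic would not be matched by this inspection policy; as the explanation states, a ZFW does not provide stateful inspection for them.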

Cisco: Zone-Based Policy Firewall Design and Application Guide: Designing Zone-Based Policy Network Security
Cisco: Zone-Based Policy Firewall Design and Application Guide: Stateful Inspection Transparent Firewall
