Explanation From HCIA-Security documents:

A traditional packet filtering firewall mainly makes forwarding decisions based on information in the packet header, typically using fields such as source/destination IP address, protocol type, and for TCP/UDP traffic the source/destination port numbers in the transport-layer header. This works well for non-fragmented packets, because the IP header and the complete transport-layer header are present, and it can also work for initial fragments because the first fragment usually contains the transport-layer header (including ports) along with the IP header.

However, non-initial fragments (fragments after the first one) usually contain only the IP header and a continuation of the payload, but do not include the TCP/UDP header where port numbers and some key identifying fields exist. Because a packet filtering firewall relies on these transport-layer fields to match many rules, it cannot accurately apply port-based filtering to non-initial fragments. This limitation is why fragmentation can be abused to bypass basic filtering, and why more advanced firewalls/IPS features include fragment reassembly and deeper inspection. Therefore, non-initial fragments are the type that cannot be effectively filtered by a packet filtering firewall.

The incorrect statements are A and C .

A router works at the network layer and is used to connect different networks. By default, a router separates broadcast domains , because broadcasts are not forwarded from one interface to another. At the same time, each router interface also represents an independent network segment, so routers effectively separate collision domains as well. Therefore, the statement that routers can isolate broadcast domains but not collision domains is incorrect.

A Layer 2 switch works at the data link layer. Each switch port forms a separate collision domain , which is why switches can isolate collision domains. However, by default, all ports in the same VLAN still belong to the same broadcast domain , so switches forward broadcast traffic out all relevant ports. That makes statement B correct and statement D correct.

Statement C is incorrect because routers generally do not forward broadcast packets . Preventing broadcast propagation between networks is one of the key differences between routers and switches. Therefore, the incorrect options are A and C .

Huawei firewalls use security zones to group interfaces that share the same trust level and security policy requirements. In the default configuration, Huawei firewalls provide four built-in zones that cover the most common deployment scenarios.

Trust represents the internal network where users and servers are typically considered more reliable. Untrust represents external networks such as the Internet, where traffic is considered untrusted and usually requires stricter access control and security inspection. DMZ is designed for semi-public servers (for example, web or mail servers) that must be reachable from Untrust but should be isolated from the Trust network to reduce lateral movement risk if a DMZ host is compromised. Local is a special zone that represents the firewall device itself (management plane and control plane). Traffic destined to or originating from the firewall (such as management access, routing protocol packets, or local services) is associated with the Local zone and is controlled using dedicated policies.

Because these four zones are pre-defined and available by default, all listed options are correct.