b) Anti-spoofing

Layer 3 Separation
two security hole
manual address configuration
spoofing an ID (e.g. MAC address) for address assignment
Possible Solution
DHCP-based solution (DHCP snooping + DHCP auth)
Switch-based solution (Private-VLAN, MLD snooping)

Other Separation
practically okay
communication target also need be forged