a) You are right, except that only an admin can use the --provider:network_type option. The idea is that normal users should not have access to the physical implementation of their virtual resources.