Free GDSA Layer 1, Layer 2, and Layer 3 Defense Practice Test 2026 — GIAC Defensible Security Architect Questions
This free GDSA Layer 1, Layer 2, and Layer 3 Defense practice test covers securing OSI layers 1-3 with switch and VLAN hardening, 802.1X/NAC, routing security, and physical-layer controls. Each question includes a detailed explanation with defensible-architecture context — perfect for GDSA exam prep.
Key Topics in GDSA Layer 1, Layer 2, and Layer 3 Defense
- Switch Security (DAI, DHCP Snooping)
- VLAN Hardening
- 802.1X / NAC
- Routing Security
- ARP/MAC Protections
- Physical Layer Controls
6 Free GDSA Layer 1, Layer 2, and Layer 3 Defense Practice Questions with Answers
Each question below includes 4 answer options, the correct answer, and a detailed explanation. These are real questions from the FlashGenius GDSA question bank for the Layer 1, Layer 2, and Layer 3 Defense domain (16% of the exam).
Sample Question 1 — Layer 1, Layer 2, and Layer 3 Defense
A company has many open office network jacks in shared workspaces. During a red-team exercise, a tester plugged a laptop into an unused cubicle port and immediately reached the internal user network. The company also has printers and badge readers that cannot run a supplicant. The security architect wants the best architecture change to reduce unauthorized network attachment without breaking those devices. What should the architect recommend?
- A. Deploy 802.1X on access ports and place non-supplicant devices into tightly restricted roles or segments (Correct answer)
- B. Increase perimeter firewall inspection for inbound and outbound traffic at the Internet edge
- C. Move all office systems into a larger shared VLAN so routing policy becomes easier to manage
- D. Rely on quarterly switch configuration audits to identify unauthorized endpoint connections
Correct answer: A
Explanation: Correct answer (A): 802.1X is the best architecture change because the failure occurred at the wired access layer: an attacker gained access simply by plugging into an open port. Port-based access control directly addresses that problem. In a defensible design, devices that cannot run a supplicant, such as printers and badge readers, are not left on open access ports; they are placed into tightly restricted roles or segments based on their function. This improves prevention at the point of attachment rather than relying on downstream controls.
Why the other options are wrong:
- Option B: Perimeter firewall inspection does not stop a device that is already plugged into an internal access port. This is a perimeter-only response to an access-layer problem.
- Option C: A larger shared VLAN increases blast radius and does not add attachment control. It makes the unauthorized access problem worse, not better.
- Option D: Audits can validate hardening, but they do not enforce access decisions at the port and do not prevent unauthorized attachment in real time.
Sample Question 2 — Layer 1, Layer 2, and Layer 3 Defense
An enterprise campus still uses a large flat internal address space where user workstations, application servers, management systems, and several critical services can all route to each other by default. After a phishing incident, attackers moved from a user subnet to a sensitive server network in minutes. The architect's main goal is to reduce east-west movement between trust zones. Which change is the most defensible?
- A. Separate departments into additional VLANs but keep broad inter-VLAN routing open across the campus
- B. Create routed trust zones for users, servers, management, and critical services with explicit allowed paths (Correct answer)
- C. Add more Internet egress filtering while leaving internal routing reachability unchanged
- D. Increase host logging across all endpoints while leaving network paths and trust boundaries unchanged
Correct answer: B
Explanation: Correct answer (B): The attack succeeded because broad internal routing allowed a compromised user system to reach sensitive networks with little resistance. The most defensible containment change is to create routed trust zones with explicit allowed paths between users, servers, management networks, and critical services. That creates enforceable Layer 3 boundaries. More VLANs without routing restrictions only reorganize traffic, while logging or Internet egress controls do not remove the east-west attack path.
Why the other options are wrong:
- Option A: Additional VLANs may organize traffic, but VLAN membership alone is not strong trust separation if inter-VLAN routing remains broadly open.
- Option C: Internet egress filtering may help other risks, but it does not materially reduce internal lateral movement after compromise.
- Option D: More logging improves visibility, but the question asks for the best architecture change to reduce movement. Detection alone leaves the path open.
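The routed trust zones with explicit allowed paths that Question 2 calls for, as an added configuration example that is not part of the FlashGenius question bank or the GDSA blueprint. Cisco IOS syntax is used only as an illustrative platform; the zone address ranges, VLAN IDs, host addresses and ports are assumed placeholders.

```cisco
! Added example (not from the question bank): Cisco IOS-style Layer 3 switch
! configuration for the Question 2 design. Zone addressing is assumed:
!   users     10.10.0.0/16 (VLAN 10)   servers  10.20.0.0/24 (VLAN 20)
!   mgmt      10.30.0.0/24 (VLAN 30)   critical 10.40.0.0/24 (VLAN 40)
! Each zone's SVI carries an inbound ACL that lists the explicit allowed
! paths out of that zone and logs everything else it denies toward another
! zone. Plain ACLs are stateless, so TCP return traffic is admitted with
! 'established'; a stateful firewall between zones is the stronger form.
!
ip access-list extended FROM-USERS
 remark users may reach the intranet app and DNS, nothing else internally
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.25 eq 443
 permit udp 10.10.0.0 0.0.255.255 host 10.20.0.53 eq 53
 deny   ip  10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255 log
 deny   ip  10.10.0.0 0.0.255.255 10.30.0.0 0.0.0.255 log
 deny   ip  10.10.0.0 0.0.255.255 10.40.0.0 0.0.0.255 log
 permit ip  10.10.0.0 0.0.255.255 any
!
ip access-list extended FROM-SERVERS
 remark return traffic for the two user-facing services
 permit tcp host 10.20.0.25 eq 443 10.10.0.0 0.0.255.255 established
 permit udp host 10.20.0.53 eq 53 10.10.0.0 0.0.255.255
 remark app tier to database in the critical zone
 permit tcp host 10.20.0.25 host 10.40.0.40 eq 5432
 remark SSH/SNMP responses and syslog toward the management zone
 permit tcp 10.20.0.0 0.0.0.255 eq 22 10.30.0.0 0.0.0.255 established
 permit udp 10.20.0.0 0.0.0.255 eq 161 10.30.0.0 0.0.0.255
 permit udp 10.20.0.0 0.0.0.255 host 10.30.0.10 eq 514
 deny   ip  any any log
!
ip access-list extended FROM-CRITICAL
 remark the critical zone never initiates connections; it only answers
 permit tcp host 10.40.0.40 eq 5432 host 10.20.0.25 established
 permit tcp 10.40.0.0 0.0.0.255 eq 22 10.30.0.0 0.0.0.255 established
 permit udp 10.40.0.0 0.0.0.255 eq 161 10.30.0.0 0.0.0.255
 permit udp 10.40.0.0 0.0.0.255 host 10.30.0.10 eq 514
 deny   ip  any any log
!
ip access-list extended FROM-MGMT
 remark management hosts may administer and poll any zone; NTP server answers
 permit tcp 10.30.0.0 0.0.0.255 any eq 22
 permit udp 10.30.0.0 0.0.0.255 any eq 161
 permit udp host 10.30.0.11 eq 123 any
 deny   ip  any any log
!
interface Vlan10
 description users
 ip address 10.10.0.1 255.255.0.0
 ip access-group FROM-USERS in
interface Vlan20
 description servers
 ip address 10.20.0.1 255.255.255.0
 ip access-group FROM-SERVERS in
interface Vlan30
 description management
 ip address 10.30.0.1 255.255.255.0
 ip access-group FROM-MGMT in
interface Vlan40
 description critical services
 ip address 10.40.0.1 255.255.255.0
 ip access-group FROM-CRITICAL in
```

The phishing scenario in the question maps directly onto the first ACL: a compromised workstation in 10.10.0.0/16 can still reach the intranet application and DNS, but any attempt toward the management or critical ranges is dropped at the user zone's own gateway and logged, which both closes the east-west path and gives the SOC an early signal. Logging every denied packet can load the control plane on a busy switch, so rate the log lines with `ip access-list log-update threshold` or `ip access-list logging interval` before deploying this broadly.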
Sample Question 3 — Layer 1, Layer 2, and Layer 3 Defense
At a branch office, users reported intermittent access issues and a security review found that an attacker on the same local subnet had redirected traffic and captured credentials by poisoning address mappings. The architect wants the best network architecture response to reduce the chance of recurrence and limit exposure if it happens again. What should be recommended?
- A. Encrypt all remote access traffic between the branch and the data center so local switching issues matter less
- B. Shrink affected broadcast domains and apply Layer 2 address-validation controls on access networks (Correct answer)
- C. Disable switch discovery protocols on routed uplinks and core interfaces across the enterprise
- D. Increase password length requirements for service accounts used at the branch site
Correct answer: B
Explanation: Correct answer (B): ARP poisoning is a local Layer 2 attack that succeeds inside a broadcast domain when hosts accept falsified address mappings. The most defensible response is to reduce the size of affected broadcast domains and add Layer 2 address-validation controls so the attack is both harder to perform and more contained if attempted. Encryption or stronger passwords do not remove the local switching weakness that enabled traffic redirection and interception.
Why the other options are wrong:
- Option A: Encrypting remote access traffic may protect some flows in transit, but it does not solve local ARP poisoning on the branch subnet where the interception occurs.
- Option C: Discovery-protocol minimization is useful hardening, but it is not the best response to a demonstrated ARP poisoning issue in a user subnet.
- Option D: Stronger passwords do not address the network-layer weakness that allowed traffic interception and redirection.
Sample Question 4 — Layer 1, Layer 2, and Layer 3 Defense
A company allows visitors to connect laptops in conference rooms on the corporate wired network after reception approval. During an incident, an attacker exhausted the local address pool and then answered lease requests from a rogue system, causing users to receive bad network settings. The architect wants the best access-layer change to reduce this risk without redesigning the entire office. What is the best recommendation?
- A. Extend DHCP lease times and expand the address pools used at each office location
- B. Add Layer 2 protections and port-level controls to block unauthorized DHCP behavior (Correct answer)
- C. Replace internal DHCP with static addressing for all office workstations and printers
- D. Move all conference room ports into the main corporate VLAN to simplify client handling
Correct answer: B
Explanation: Correct answer (B): This incident combined DHCP starvation with rogue DHCP responses, so the best response is targeted access-layer enforcement. Layer 2 protections and port-level controls are designed to stop unauthorized systems from exhausting address pools or answering lease requests on user-facing ports. Increasing pool size or moving to static addressing changes operations, but it does not directly address the attacker path as effectively.
Why the other options are wrong:
- Option A: A larger pool or longer lease time may delay exhaustion, but it does not directly prevent unauthorized DHCP behavior from an attacker on the local network.
- Option C: Static addressing for all office devices is operationally heavy and still does not solve the broader issue of unauthorized attachment and access-layer abuse.
- Option D: Moving conference room ports into the primary corporate VLAN increases exposure and does not mitigate DHCP starvation or rogue DHCP behavior.
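The Layer 2 address-validation controls from Question 3 and the anti-rogue-DHCP port controls from Question 4 share one mechanism (DAI reads the binding table that DHCP snooping builds), so both are shown in a single added configuration example that is not part of the FlashGenius question bank or the GDSA blueprint. Cisco IOS syntax is used only as an illustrative platform; VLAN IDs, port ranges and rate limits are assumed placeholders.

```cisco
! Added example (not from the question bank): Cisco IOS-style access-switch
! configuration for the Question 3 and Question 4 controls. VLAN IDs, port
! numbers and rate limits are assumed placeholders.
!
! Smaller broadcast domains: user ports and conference-room visitor ports are
! separate VLANs (assumed 10 and 20) instead of one site-wide segment, so a
! poisoning attempt in a conference room cannot reach user workstations.
vlan 10
 name USERS
vlan 20
 name CONFERENCE-VISITOR
!
! DHCP snooping: server messages (OFFER/ACK/NAK) are accepted only on
! trusted ports, the client MAC inside the DHCP payload must match the
! frame's source MAC (verify mac-address is on by default), and the
! resulting binding table (MAC, IP, VLAN, port) feeds DAI below.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-snooping.db
!
! Dynamic ARP Inspection: ARP on untrusted ports is checked against the
! snooping bindings; a reply that claims an IP/MAC pair the switch never saw
! leased is dropped and logged, which is exactly the poisoned-mapping case.
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Only the uplink toward the real DHCP server is trusted for server
! messages and unvalidated ARP; every user-facing port stays untrusted.
interface GigabitEthernet1/0/1
 description uplink-to-distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet1/0/2 - 24
 description user workstations
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ip verify source
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Visitor ports: one MAC per port blunts starvation attempts that rotate
! source addresses, the DHCP rate limit blunts request floods, and IP
! Source Guard drops traffic from any address the port was never leased.
interface range GigabitEthernet1/0/25 - 48
 description conference-room visitor ports
 switchport mode access
 switchport access vlan 20
 ip dhcp snooping limit rate 5
 ip arp inspection limit rate 15
 ip verify source
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Ports err-disabled for exceeding a rate limit recover automatically, so a
! burst from a misbehaving client does not become a permanent outage.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

Two operational caveats matter when rolling this out: DAI must be enabled only after DHCP snooping has been running long enough to populate the binding table, otherwise hosts holding existing leases lose ARP until they renew; and any statically addressed host on an inspected VLAN (a printer with a fixed IP, for example) needs a matching `arp access-list` entry applied with `ip arp inspection filter`, or DAI will drop its ARP as unverifiable.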
Sample Question 5 — Layer 1, Layer 2, and Layer 3 Defense
A manufacturing site relies on simple port security that trusts previously seen hardware addresses on access ports. An attacker cloned an approved device address and gained the same network access as a legitimate endpoint. The environment also includes printers and specialized devices with mixed capabilities. The architect wants a more defensible access decision model. What should be recommended?
- A. Keep MAC-based port security and shorten inactivity timers on access ports across the site
- B. Use NAC based on device identity, posture, role, and placement, with alternates for devices that cannot authenticate (Correct answer)
- C. Create a larger allowlist of approved hardware addresses and centralize updates for each access switch
- D. Depend on endpoint antivirus alerts to detect unauthorized device connections after they occur
Correct answer: B
Explanation: Correct answer (B): MAC-only trust is weak because attackers can spoof approved hardware addresses. A more defensible design bases network access on stronger identity signals, device posture, role, and placement, while providing alternate handling for devices that cannot authenticate normally. That shifts the architecture away from easily cloned MAC addresses and toward policy-driven access decisions that better fit mixed-capability environments.
Why the other options are wrong:
- Option A: This still treats the MAC address as the primary identity signal, which is the exact weakness the attacker exploited.
- Option C: A larger MAC allowlist increases administrative effort but does not solve the core problem that MAC addresses are weak identity evidence.
- Option D: Endpoint alerts may help detection, but the requirement is a more defensible access decision model that prevents or limits unauthorized attachment.
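The port-based access control from Question 1 and the NAC decision model with alternates for non-authenticating devices from Question 5 are the same enforcement point configured once, so both are shown in a single added configuration example that is not part of the FlashGenius question bank or the GDSA blueprint. Cisco IOS syntax is used only as an illustrative platform; the NAC/RADIUS server address, shared secret, VLAN IDs and port ranges are assumed placeholders, and the identity, posture and role decision is assumed to be made on the NAC server, with the switch enforcing whatever RADIUS returns.

```cisco
! Added example (not from the question bank): Cisco IOS-style access-switch
! configuration for the Question 1 and Question 5 design. The NAC/RADIUS
! server address, shared secret, VLAN IDs and port numbers are assumed
! placeholders; the identity/posture/role decision is made on the NAC
! server, and the switch only enforces what RADIUS returns.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server NAC-SERVER
 address ipv4 10.30.0.20 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
dot1x system-auth-control
!
! Uplink: never a user-facing port, so no port authentication here
interface GigabitEthernet1/0/1
 description uplink-to-distribution
 switchport mode trunk
!
! Every user-facing port authenticates before it passes traffic.
! Order: 802.1X (supplicant) first, MAC Authentication Bypass second.
! Printers and badge readers with no supplicant are matched by MAB against
! the NAC server's device inventory, and the server answers with a
! restricted VLAN or downloadable ACL for that device role (RADIUS
! Tunnel-Private-Group-ID / Filter-Id attributes) instead of the user VLAN,
! so a cloned printer MAC only ever earns the printer segment, not user access.
interface range GigabitEthernet1/0/2 - 48
 description user-facing access port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 authentication event no-response action authorize vlan 999
 authentication event server dead action authorize vlan 999
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! VLAN 999 is an assumed quarantine VLAN: only remediation and helpdesk
! paths are routed out of it, so an unknown laptop plugged into a cubicle
! jack, or a port that cannot reach RADIUS at all, never lands on the
! internal user network.
vlan 999
 name QUARANTINE
```

The design point relative to Option A and Option C in Question 5 is that the MAC address is no longer the authorization decision, only a lookup key: MAB sends it to the NAC server, which combines it with profiling data, inventory and placement (which switch and port the request came from) before returning a role-specific VLAN or ACL, and reauthentication pulls the port back through that decision on the server's schedule rather than trusting the first frame it saw.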
Sample Question 6 — Layer 1, Layer 2, and Layer 3 Defense
During an investigation, the network team discovered that device timestamps did not line up across sites, making log correlation difficult. The same review found that several switches exposed weakly configured monitoring interfaces to user networks. The architect wants the best single recommendation to improve both infrastructure security and incident response reliability. What should be done?
- A. Leave management protocols broadly reachable but forward logs to a central platform more frequently
- B. Minimize SNMP exposure, restrict management access paths, and use protected reliable NTP sources (Correct answer)
- C. Disable infrastructure monitoring and rely only on endpoint telemetry for investigations
- D. Move network devices into a separate VLAN while keeping current SNMP reachability and time settings
Correct answer: B
Explanation: Correct answer (B): This is the strongest answer because it addresses both identified weaknesses. The blueprint states that SNMP should be minimized, strongly authenticated where possible, and restricted to authorized management paths. It also states that reliable and protected NTP sources are important for authentication consistency, log correlation, and incident investigation. Option B improves both management-plane exposure and the quality of response and investigation.
Why the other options are wrong:
- Option A: More frequent log forwarding does not fix weakly exposed management protocols or poor time-source trust.
- Option C: Disabling infrastructure monitoring removes useful telemetry and does not solve SNMP exposure or unreliable time synchronization.
- Option D: A separate VLAN may change placement, but it does not by itself minimize SNMP exposure or ensure protected reliable NTP.
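The management-plane hardening chosen in Question 6 (minimized SNMP exposure, restricted management paths, protected NTP), as an added configuration example that is not part of the FlashGenius question bank or the GDSA blueprint. Cisco IOS syntax is used only as an illustrative platform; the management subnet, NTP server addresses, key values and syslog collector are assumed placeholders.

```cisco
! Added example (not from the question bank): Cisco IOS-style switch
! configuration for the Question 6 recommendation. Management subnet, NTP
! servers, key material and collector address are assumed placeholders.
!
! What the review found (weak): an SNMPv2c community reachable from any
! interface and unauthenticated NTP from an arbitrary host.
!   snmp-server community public RO
!   ntp server 10.10.0.50
!
! Hardened replacement. One ACL defines the only authorized management path.
ip access-list standard MGMT-HOSTS
 permit 10.30.0.0 0.0.0.255
 deny   any log
!
! SNMP: v3 only, authPriv, read-only view, polled only from MGMT-HOSTS.
no snmp-server community public
snmp-server view RO-VIEW iso included
snmp-server group NMS-RO v3 priv read RO-VIEW access MGMT-HOSTS
snmp-server user nms-poller NMS-RO v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase>
!
! Management access: SSHv2 only, and only from the management subnet.
ip ssh version 2
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! NTP: two protected internal sources, symmetric-key authenticated. Once any
! ntp access-group is set, sources not matching it are refused, so the
! switch will neither peer with nor serve arbitrary hosts.
ntp authenticate
ntp authentication-key 1 md5 <ntp-key>
ntp trusted-key 1
ntp server 10.30.0.11 key 1 prefer
ntp server 10.30.0.12 key 1
ntp access-group peer MGMT-HOSTS
!
! Consistent, high-resolution, zone-tagged timestamps so logs from every
! site correlate in the central platform.
clock timezone UTC 0 0
service timestamps log datetime msec show-timezone year
service timestamps debug datetime msec show-timezone year
logging host 10.30.0.10
logging trap informational
```

Keeping every device on UTC with millisecond, zone-tagged timestamps is what turns "reliable NTP" into correlatable evidence: the central platform can then order events from a branch switch, a core router and an endpoint on one timeline. Where the platform supports it, prefer the SHA-2 or CMAC NTP authentication variants over MD5; the `ntp authentication-key` line above uses MD5 only because it is the most widely available option.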
How to Study GDSA Layer 1, Layer 2, and Layer 3 Defense
Combine these GDSA Layer 1, Layer 2, and Layer 3 Defense practice questions with hands-on lab work and the SANS SEC530 course. The GDSA exam emphasizes practical defensible-architecture decisions, so always ask which option is most defensible, most resilient, and aligned with Zero Trust principles.
About the GDSA Exam
- Questions: 75 multiple-choice
- Time: 120 minutes (2 hours)
- Passing score: 63%
- Format: Proctored, open book
- Domains: 8 (this domain is 16% of the exam)
- Associated training: SANS SEC530