OSI Model
The OSI (Open Systems Interconnection) Model is a conceptual framework that describes how data moves across a network. It breaks communication into seven layers, each with a distinct role—from physical signals up to human-facing applications.
By separating responsibilities, the OSI model makes it easier to design, troubleshoot, and scale networks. Each higher layer builds on the services of the one below, while remaining logically independent.
1. The 7 Layers
Layer | Example Protocols | Data Unit | What It Adds / Handles | Notes |
---|---|---|---|---|
L7 Application | HTTP, DNS, SMTP, FTP | Data | User-facing services | Browser → HTTP, Mail → SMTP. |
L6 Presentation | TLS/SSL, JPEG, JSON | Record | Data format, encryption, compression | Often merged into L7. |
L5 Session | NetBIOS, RPC | – | Session setup & teardown | Rarely explicit today. |
L4 Transport | TCP, UDP | Segment | Reliable (TCP) vs fast (UDP) | TCP = handshake, ports, seq/ack. UDP = stateless. |
L3 Network | IP, ICMP | Packet | Logical addressing & routing | Routers forward packets. Uses ARP for MAC resolution. |
L2 Data Link | Ethernet, Wi-Fi, PPP | Frame | Local delivery | Frames = MAC headers + payload + CRC. |
L1 Physical | Copper, Fiber, Wi-Fi PHY | Bits | Transmission of raw signals | Voltage, RF, or optical light. |
🔁 Encapsulation order:
Application Data → Segment → Packet → Frame → Bits
2. Devices at Each Layer
Device | Layer | What It Does | Protocols | Authentication |
---|---|---|---|---|
Load Balancer | L4–L7 | Distributes traffic | TCP, HTTP/S, gRPC | TLS certs, tokens |
Firewall | L3–L4 (sometimes L7) | Filters packets/flows | IP, TCP/UDP, HTTP | Rules, TLS interception, VPN |
Router | L3 | Routes IP packets | IP, ICMP, BGP, OSPF | BGP MD5, IPsec |
Switch | L2 | Forwards frames by MAC | Ethernet, VLAN, ARP | 802.1X, MAC binding |
Hub | L1 | Repeats bits blindly | – | None |
3. Layer Interactions
3.1 Layer 2 – ARP
Maps IP → MAC via broadcast request and unicast reply.

3.2 Layer 2 – VLANs & Trunks
VLANs, trunks, and QinQ are needed to segment traffic, reduce broadcast domains, and efficiently carry multiple logical networks over the same physical infrastructure.
- VLAN (802.1Q):
  - Adds a VLAN ID tag inside Ethernet frames.
  - Splits one physical switch into multiple broadcast domains → improves scalability & security.
- Trunks:
  - A single link between switches that carries multiple VLANs using tagging.
  - Avoids needing one cable per VLAN.
- QinQ (802.1ad):
  - VLAN stacking (two tags: S-Tag + C-Tag).
  - Lets ISPs carry customer VLANs over their own backbone.
  - Expands VLAN ID space beyond the 4096 limit.
👉 All three work at Layer 2 (Frames) to logically separate traffic over shared physical networks.
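An added example (not part of the original notes) showing what the tagging above looks like on the wire: a small Python parser that peels stacked 802.1Q (C-Tag, EtherType 0x8100) and 802.1ad (S-Tag, EtherType 0x88A8) tags off an Ethernet frame and classifies the destination MAC as unicast, broadcast or multicast. The sample frame is constructed inline; the function and variable names are the example's own.

```python
import struct

# Standard tag EtherTypes: 0x8100 = 802.1Q customer tag (C-Tag), 0x88A8 = 802.1ad service tag (S-Tag)
TAG_8021Q = 0x8100
TAG_8021AD = 0x88A8

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def dst_kind(dst):
    """Classify a destination MAC: all-ones is broadcast, I/G bit set is multicast, else unicast."""
    if dst == b"\xff" * 6:
        return "broadcast"
    return "multicast" if dst[0] & 0x01 else "unicast"

def parse_frame(frame):
    """Parse an Ethernet II header (FCS already stripped) and peel off stacked VLAN tags.
    Tags are returned outermost first, so a QinQ frame yields [S-Tag, C-Tag]."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, offset, tags = frame[0:6], frame[6:12], 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame while reading EtherType")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        offset += 2
        if ethertype not in (TAG_8021Q, TAG_8021AD):
            break                      # reached the payload EtherType (e.g. 0x0800 IPv4)
        if offset + 2 > len(frame):
            raise ValueError("truncated frame while reading VLAN TCI")
        (tci,) = struct.unpack("!H", frame[offset:offset + 2])
        offset += 2
        tags.append({"tag": "S-Tag" if ethertype == TAG_8021AD else "C-Tag",
                     "vid": tci & 0x0FFF,   # 12-bit VLAN ID
                     "pcp": tci >> 13})     # 3-bit priority code point
    return {"dst": mac_str(dst), "dst_kind": dst_kind(dst), "src": mac_str(src),
            "tags": tags, "ethertype": ethertype, "payload": frame[offset:]}

# Constructed sample: broadcast QinQ frame, ISP S-Tag VID 200 wrapping customer C-Tag VID 10, IPv4 inside.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                + struct.pack("!HH", TAG_8021AD, 200) + struct.pack("!HH", TAG_8021Q, 10)
                + struct.pack("!H", 0x0800) + bytes.fromhex("4500"))

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```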
3.3 Layer 3 – Routing
Routers strip the incoming frame header, keep the IP header, and attach a new MAC header addressed to the next hop.

3.4 Layer 3 & 5–6 – IPsec
IPsec = encrypted network tunnels.
- IKE (control plane) negotiates SAs and keys (Layer 5–6, over UDP/500 or UDP/4500 for NAT-T).
- ESP/AH (data plane) protects IP packets at Layer 3.
- Commonly used for site-to-site and remote-access VPNs.
- Protects all traffic (HTTP, SSH, DNS, ICMP, etc.), independent of app protocol.

Elliptic Curve Diffie–Hellman Ephemeral (ECDHE) provides Perfect Forward Secrecy (PFS) by using a fresh, temporary key pair per session. Even if a server’s long-term private key is later compromised, past sessions remain confidential. Both TLS and IPsec commonly prefer ECDHE for key exchange.
3.5 Layer 5–6 – TLS
TLS = encrypted application sessions.
- Runs above TCP (L4) and below Application (L7).
- Provides confidentiality, integrity, authentication.
- Examples: HTTPS, SMTPS, IMAPS.
- Protects specific app protocols, not all traffic.

3.6 Traffic Addressing Modes (Unicast, Broadcast, Multicast, Anycast, Geocast)
How frames/packets are addressed determines who receives them and how the network treats them.
Mode | Who Receives | OSI Context | Typical Uses | Key Notes |
---|---|---|---|---|
Unicast | Exactly one host | L2 (MAC→MAC), L3 (IP→IP) | Web browsing, API calls, SSH | Most traffic is unicast. Switched at L2, routed at L3. |
Broadcast | All hosts in the L2 broadcast domain | L2 (FF:FF:FF:FF:FF:FF) | ARP, DHCP DISCOVER | Routers block broadcasts by default. |
Multicast | Members of a subscribed group | L3 (224.0.0.0/4 IPv4; ff00::/8 IPv6) | IPTV, conferencing, OSPF | Uses IGMP/MLD (hosts), PIM (routers). |
Anycast | “Nearest” one of many identical endpoints | L3 (same IP announced in multiple sites) | CDNs, DNS resolvers | Routing selects the closest service. |
Geocast | Hosts in a geographic region | L3 concept | Vehicular alerts, ITS | Conceptual; app-layer in practice. |
4. Commands by OSI Layer
Layer | Command | Purpose | Example |
---|---|---|---|
L2 | arp | Show ARP cache | arp -a |
L3 | ping | Test ICMP reachability | ping 8.8.8.8 |
L3 | traceroute / mtr | Show hop path | mtr 8.8.8.8 |
L4 | ss | List sockets | ss -ant |
L4 | tcpdump | Capture packets | tcpdump -i eth0 port 443 |
L7 | dig | DNS lookup | dig example.com |
L7 | curl | Test HTTP | curl -vk https://site |
Cross | nmap | Port scan | nmap -sS 10.1.2.3 |
5. IP Addressing Basics
5.1 IPv4 Classes & Reservations
- Class A: 0.0.0.0 – 127.255.255.255 (10.0.0.0/8 private, 127/8 loopback)
- Class B: 128.0.0.0 – 191.255.255.255 (172.16.0.0/12 private)
- Class C: 192.0.0.0 – 223.255.255.255 (192.168/16 private, TEST-NETs)
- Class D: 224.0.0.0 – 239.255.255.255 (multicast)
- Class E: 240.0.0.0 – 255.255.255.255 (experimental)
👉 Today we use CIDR instead of classful boundaries.
5.2 Convert Binary to Decimal
- Take the binary 10000100.
- Multiply each bit by its place value:
  - 1×128 + 0×64 + 0×32 + 0×16 + 0×8 + 1×4 + 0×2 + 0×1
- Add them up → 132.
Position | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | Sum |
---|---|---|---|---|---|---|---|---|---|
Decimal | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | |
Bit | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | |
Value | 128 | 0 | 0 | 0 | 0 | 4 | 0 | 0 | 132 |
👉 So 10000100 in decimal = 132
5.3 Convert Decimal to Binary
Take the first octet of 132.12.1.23.
- Start from 128 → 132 ≥ 128 → put 1, remainder = 132 − 128 = 4.
- Next (64) → 4 < 64 → 0.
- Next (32) → 4 < 32 → 0.
- Next (16) → 4 < 16 → 0.
- Next (8) → 4 < 8 → 0.
- Next (4) → 4 ≥ 4 → 1, remainder = 0.
- Next (2) → 0 < 2 → 0.
- Next (1) → 0 < 1 → 0.
Result row: 1 0 0 0 0 1 0 0
Position | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
---|---|---|---|---|---|---|---|---|
Decimal | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
Representation | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 0 |
👉 So 132 in binary = 10000100
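An added example (not from the original notes) that carries the two conversions above through in code and goes a step further: the subtraction method of 5.3 and the place-value sum of 5.2 are applied to every octet of 132.12.1.23, and the resulting bit strings are used for CIDR membership checks against the reservations listed in 5.1 (RFC1918, loopback, multicast). Function names and the "public/private" labels are the example's own.

```python
PLACE_VALUES = [128, 64, 32, 16, 8, 4, 2, 1]

def octet_to_bits(n):
    """Decimal → binary by the subtraction method of 5.3: compare with each place value in turn."""
    if not 0 <= n <= 255:
        raise ValueError("octet out of range 0-255")
    bits, remainder = [], n
    for place in PLACE_VALUES:
        if remainder >= place:
            bits.append("1")
            remainder -= place
        else:
            bits.append("0")
    return "".join(bits)

def bits_to_octet(bits):
    """Binary → decimal by the place-value sum of 5.2."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 8 binary digits")
    return sum(place for place, bit in zip(PLACE_VALUES, bits) if bit == "1")

def ip_to_bits(ip):
    return ".".join(octet_to_bits(int(o)) for o in ip.split("."))

def ip_to_int(ip):
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("expected a dotted quad")
    return int("".join(octet_to_bits(int(o)) for o in octets), 2)

def in_cidr(ip, cidr):
    """CIDR membership: mask both addresses to the prefix length and compare."""
    net, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return ip_to_int(ip) & mask == ip_to_int(net) & mask

def classify(ip):
    """Classful letter from the first octet, plus the reservations listed in 5.1."""
    first = int(ip.split(".")[0])
    cls = "A" if first < 128 else "B" if first < 192 else "C" if first < 224 else "D" if first < 240 else "E"
    if in_cidr(ip, "127.0.0.0/8"):
        return cls, "loopback"
    if any(in_cidr(ip, p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
        return cls, "private (RFC1918)"
    if cls == "D":
        return cls, "multicast"
    return cls, "public"
```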
6. Advanced Networking Topics
6.1 NAT (Network Address Translation)
- Allows private IPs (RFC1918) to communicate with public networks.
- Originally designed to conserve IPv4 addresses; it also adds a basic security layer by hiding internal hosts.
- Types:
  - Static NAT → Fixed 1:1 mapping (one private ↔ one public). Useful for servers that must be reachable externally.
  - Dynamic NAT → Private IPs mapped temporarily to an available public IP from a pool. Mapping changes each session.
  - PAT (Port Address Translation) → Many private hosts share a single public IP. NAT device rewrites source IP+Port to track flows. Example: home routers, AWS NAT Gateway.
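An added example (not part of the original notes) of the PAT mechanism described above: a translation table that rewrites the source of outbound flows to one public IP plus an allocated port, maps replies back by that port, and drops inbound packets that match no existing flow. The addresses are constructed from TEST-NET and RFC1918 ranges, and the class and port-pool numbers are the example's own.

```python
import itertools

class PatTable:
    """Port Address Translation: many private (ip, port) flows share one public IP.
    Outbound packets get their source rewritten; replies are mapped back by public port."""

    def __init__(self, public_ip, first_port=10000, last_port=65535):
        self.public_ip = public_ip
        self.next_ports = itertools.count(first_port)
        self.last_port = last_port
        self.outbound = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public_port
        self.inbound = {}    # public_port -> (priv_ip, priv_port, dst_ip, dst_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the private network: rewrite source to (public_ip, public_port)."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.outbound:              # new flow: allocate the next free public port
            public_port = next(self.next_ports)
            if public_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            self.outbound[flow] = public_port
            self.inbound[public_port] = flow
        return (self.public_ip, self.outbound[flow], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving at the public IP: only replies to an existing flow are forwarded."""
        if dst_ip != self.public_ip or dst_port not in self.inbound:
            return None                            # unsolicited inbound: no mapping, dropped
        priv_ip, priv_port, flow_dst_ip, flow_dst_port = self.inbound[dst_port]
        if (src_ip, src_port) != (flow_dst_ip, flow_dst_port):
            return None                            # wrong remote endpoint for this mapping
        return (src_ip, src_port, priv_ip, priv_port)

if __name__ == "__main__":
    nat = PatTable("203.0.113.7")     # constructed public IP from TEST-NET-3
    print(nat.translate_out("192.168.1.10", 40000, "198.51.100.1", 443))
    print(nat.translate_out("192.168.1.11", 40000, "198.51.100.1", 443))
```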
6.2 DDoS Attacks (3 categories)
- Volumetric → Flood bandwidth with massive traffic (e.g., UDP floods, DNS/NTP amplification).
- Protocol → Exploit L3/L4 weaknesses, exhausting connection state (e.g., SYN flood, Smurf attack, Ping of Death).
- Application → Target app layer (L7) with valid-looking requests that overwhelm servers (e.g., HTTP floods, Slowloris).
6.3 BGP (Border Gateway Protocol)
The internet is a network of networks (Autonomous Systems, or AS):
- AS (Autonomous System): Collection of IP prefixes under one admin domain.
- ASN (Autonomous System Number): Unique ID (Google = AS15169, Amazon = AS16509).
- BGP Basics: Protocol to exchange routing info between ASes (runs over TCP/179).
  - iBGP → Routing inside an AS (e.g., Google’s internal backbone).
  - eBGP → Routing between ASes (e.g., ISP ↔ Cloudflare).
  - AS_PATH: List of AS hops; shortest usually preferred.
- Policies & Tricks:
  - AS_PATH prepending → make a path look less attractive.
  - Route filtering → accept/export only selected prefixes.
  - Peering vs Transit → prefer cheap/free peer routes over costly transit.
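An added example (not from the original notes) that puts the three policies above into a simplified BGP decision: local preference models "peer over transit", AS_PATH length decides among equal preferences, prepending lengthens a path, and a filter limits which prefixes are accepted. The routes are constructed with documentation ASNs (64496-64511) and TEST-NET addresses; the decision order is reduced to those steps and omits the rest of the real BGP tie-break sequence.

```python
# Local preference models the "peering vs transit" policy: direct peer routes beat paid transit.
LOCAL_PREF = {"peer": 200, "transit": 100}

def prepend(as_path, asn, times):
    """AS_PATH prepending: repeat an ASN so the path looks longer, and less attractive, to neighbors."""
    return [asn] * times + list(as_path)

def route_filter(routes, allowed_prefixes):
    """Route filtering: keep only routes whose prefix is on the allow list (import or export side)."""
    return [r for r in routes if r["prefix"] in allowed_prefixes]

def best_path(routes):
    """Simplified BGP decision: highest local preference, then shortest AS_PATH, then lowest neighbor IP."""
    if not routes:
        return None
    return min(routes, key=lambda r: (-LOCAL_PREF[r["via"]], len(r["as_path"]), r["neighbor"]))

def select(routes, prefix):
    """Best route for one prefix among all routes learned from neighbors."""
    return best_path([r for r in routes if r["prefix"] == prefix])

# Constructed routes: one prefix learned from transit and from a direct peer, another prefix whose
# origin (AS64500) prepended itself twice toward one upstream (AS64497) to steer traffic to the other.
ROUTES = [
    {"prefix": "198.51.100.0/24", "as_path": [64496, 64498], "via": "transit", "neighbor": "192.0.2.1"},
    {"prefix": "198.51.100.0/24", "as_path": [64497, 64499, 64498], "via": "peer", "neighbor": "192.0.2.2"},
    {"prefix": "203.0.113.0/24", "as_path": [64496, 64500], "via": "transit", "neighbor": "192.0.2.1"},
    {"prefix": "203.0.113.0/24", "as_path": [64497] + prepend([64500], 64500, 2), "via": "transit", "neighbor": "192.0.2.3"},
]

if __name__ == "__main__":
    for prefix in ("198.51.100.0/24", "203.0.113.0/24"):
        print(prefix, "->", select(ROUTES, prefix)["neighbor"])
```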
6.4 Jumbo Frames
- Default MTU = 1500 bytes, Jumbo Frames = ~9000 bytes.
- Benefits: Less overhead, fewer packets, higher throughput for large data transfers.
- Limitations: Must be supported end-to-end; mismatches cause fragmentation or drops.
- Supported in: Local networks, datacenter links, AWS Direct Connect, TGW, same-region peering.
- Not supported in: General internet, VPN over public internet, cross-region cloud traffic.
6.5 Layer 7 Firewalls
- Extend firewalls beyond L3/L4 (IP, port) to application-aware filtering at L7.
- Parse and inspect protocols (HTTP, DNS, SMTP, gRPC).
- Capabilities:
  - Block/allow traffic based on URLs, headers, payloads.
  - Detect and stop application-layer DDoS (HTTP floods, bots).
  - Enforce auth/security policies (tokens, TLS inspection).
- Examples: AWS WAF, Cloudflare WAF, Palo Alto NGFW, F5 ASM.