Module 4 of 21 · Foundations

The OSI model and what each layer does


By the end of this module you will be able to:

  • Describe what each OSI layer is responsible for in plain language
  • Link layer names to real protocols, devices, and observables (frames, routes, ports, application data)
  • Use layer responsibilities to narrow likely failure boundaries when troubleshooting

4.1 Layer 1: Physical

Responsibility: moving raw bits (ones and zeros) between devices using electrical voltages, light pulses, or radio waves.

Everything at this layer is about the medium. Copper cables (Cat5e, Cat6, Cat6a) carry electrical signals. Fibre optic cables carry light. Wi-Fi (IEEE 802.11) uses radio frequencies at 2.4 GHz and 5 GHz.

Devices: cables, connectors (RJ-45, LC, SC), hubs, repeaters, media converters (copper to fibre). A hub is a multi-port repeater: it receives a signal on one port and copies it to all other ports. No intelligence. No MAC table. Every device on a hub shares the same collision domain.

Common problems: damaged cables, loose connectors, exceeding the 100-metre limit for copper Ethernet, electromagnetic interference from power cables or fluorescent lights, and attenuation (signal weakening over distance).

How to check: look at the link light on the NIC and switch port. Try a different cable. Try a different port. For Wi-Fi, check signal strength and channel interference.

4.2 Layer 2: Data Link

Responsibility: delivering frames between devices on the same local network segment using MAC addresses.

Switches operate here. A switch builds a MAC address table by watching the source MAC on every incoming frame. It learns which MAC is reachable through which port. When a frame arrives for a known destination MAC, the switch sends it out only that port. If the destination is unknown, it floods the frame out all ports (except the one it arrived on). This is called "learn on source, forward on destination."

VLANs (IEEE 802.1Q) let you split one physical switch into multiple logical broadcast domains. Devices in VLAN 10 cannot talk to devices in VLAN 20 without a router in between. The 802.1Q standard adds a 4-byte tag to the Ethernet frame, including a 12-bit VLAN ID (supporting up to 4,094 VLANs).
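The learning rule and the 802.1Q tag described above can be seen working together in a short simulation. This is an added example, not part of the original module: the class and function names, MAC addresses and port layout are constructed, and untagged frames are assumed to belong to VLAN 1.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag

def parse_frame(frame, untagged_vlan=1):
    """Return (dst_mac, src_mac, vlan_id, ethertype) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = untagged_vlan                  # assumption: untagged frames -> VLAN 1
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF               # low 12 bits of the 4-byte tag
    return dst, src, vlan, ethertype

def tagged_frame(dst, src, vlan, payload=b"\x00" * 46):
    """Build a constructed 802.1Q-tagged IPv4 frame for the demo."""
    return dst + src + struct.pack("!HHH", TPID_8021Q, vlan, 0x0800) + payload

class LearningSwitch:
    def __init__(self, port_vlans):
        self.port_vlans = port_vlans      # port number -> set of VLAN IDs
        self.table = {}                   # (vlan, mac) -> port

    def receive(self, in_port, frame):
        """Return the sorted list of ports the frame is sent out of."""
        dst, src, vlan, _ = parse_frame(frame)
        if vlan not in self.port_vlans[in_port]:
            return []                     # VLAN not allowed on this port: drop
        self.table[(vlan, src)] = in_port # learn on source
        out = self.table.get((vlan, dst)) # forward on destination
        if out is not None:
            return [] if out == in_port else [out]
        # unknown destination: flood, but only to ports in the same VLAN
        return sorted(p for p, vlans in self.port_vlans.items()
                      if vlan in vlans and p != in_port)
```

Because the table is keyed by VLAN as well as MAC, a MAC address learned in VLAN 10 is still "unknown" in VLAN 20, and the resulting flood never reaches VLAN 10-only ports.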

Spanning Tree Protocol (STP, IEEE 802.1D) prevents broadcast storms. If redundant links create a physical loop, broadcast frames circulate endlessly and can crash the network in seconds. STP blocks redundant paths and keeps them as standby failovers. Rapid STP (802.1w) converges in 1-3 seconds instead of the original 30-50 seconds.

Common problems: broadcast storms (loops), incorrect VLAN assignment, STP blocking a port unexpectedly, MAC address table overflow (in rare attack scenarios).

4.3 Layer 3: Network

Responsibility: addressing and routing packets across different networks using IP addresses.

Routers operate here. A router reads the destination IP address in a packet, checks its routing table, and forwards the packet toward the next hop. The routing table contains entries like: "To reach 10.0.0.0/8, send via 192.168.1.1 through interface GigabitEthernet0/1."
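A routing-table lookup can be sketched in a few lines. This is an added example, not part of the original module: it uses the route quoted above plus two constructed entries, and it applies longest-prefix matching, the rule routers use when several entries cover the same destination. The class and method names are hypothetical.

```python
import ipaddress

class RoutingTable:
    def __init__(self):
        self.routes = []                  # (network, next_hop, interface)

    def add(self, prefix, next_hop, interface):
        # strict=True rejects host bits under the mask, e.g. 10.1.2.3/8
        net = ipaddress.ip_network(prefix, strict=True)
        self.routes.append((net, next_hop, interface))

    def lookup(self, dst):
        """Longest-prefix match. None means no route: the packet is dropped."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def overrides(self):
        """(specific, covering) prefix pairs where a more-specific route pulls
        part of a covering prefix to a different next hop. Default route skipped."""
        return [(str(s[0]), str(c[0])) for s in self.routes for c in self.routes
                if s[0].version == c[0].version and c[0].prefixlen > 0
                and s[0] != c[0] and s[0].subnet_of(c[0]) and s[1] != c[1]]

def sample_table():
    t = RoutingTable()
    t.add("10.0.0.0/8", "192.168.1.1", "GigabitEthernet0/1")    # entry from the text
    t.add("10.20.0.0/16", "192.168.1.2", "GigabitEthernet0/2")  # constructed
    t.add("0.0.0.0/0", "192.168.1.254", "GigabitEthernet0/0")   # constructed default
    return t
```

Reviewing the output of `overrides()` is a quick audit for incorrect routes: every pair it lists is a place where a more-specific entry silently wins over a broader one.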

Routing protocols automate route discovery. OSPF (Open Shortest Path First) runs inside a single organisation and picks routes based on link cost. BGP (Border Gateway Protocol) runs between organisations and across the internet, choosing routes based on policy (AS path, preferences, agreements). Most enterprise networks use OSPF internally and BGP at the edge where they connect to ISPs.

ICMP (Internet Control Message Protocol) also lives here. It handles error reporting (ping uses ICMP Echo) and path discovery (traceroute uses ICMP Time Exceeded messages).

Common problems: missing or incorrect routes, misconfigured subnet masks, BGP route leaks (Pakistan/YouTube 2008, Vodafone Idea 2021), DHCP failure causing missing IP addresses.

4.4 Layer 4: Transport

Responsibility: reliable (TCP) or fast (UDP) delivery between two endpoints, identified by port numbers.

TCP guarantees delivery, ordering, and flow control. Before any data flows, TCP runs a three-way handshake: the client sends SYN, the server replies SYN-ACK, and the client confirms with ACK. On a 100ms link, that handshake alone costs 100ms before a single byte of data moves. TCP is used by HTTP, SSH, SMTP, FTP, and database connections.

UDP skips the handshake and guarantees nothing. If a packet is lost, UDP does not retransmit it. This makes it faster and lighter, which is exactly what you want for DNS lookups (a lost query is simply retried), live video (a dropped frame is better than a delayed one), online gaming, and VoIP calls.

QUIC (RFC 9000) is a modern alternative built on UDP. It combines connection setup and TLS encryption in a single round trip (0-RTT in the best case), and it multiplexes independent streams so a lost packet only blocks its own stream. HTTP/3 runs on QUIC. Google reports that QUIC carries over 25% of internet traffic.

Common problems: port blocked by firewall, TCP connection timeouts, half-open connections, port exhaustion on busy servers.

4.5 Layers 5, 6, and 7: Session, Presentation, Application

As you learned in Module 3, TCP/IP combines these three into a single Application layer. But the OSI definitions are still useful for understanding what kind of work is happening.

Layer 5, Session. Managing ongoing conversations. In practice: HTTP cookies that maintain login state across requests. WebSocket connections that stay open for real-time chat. SMB (Windows file sharing) sessions that track authentication across multiple file operations. SIP sessions that manage VoIP calls.

Layer 6, Presentation. Transforming data for the application. In practice: TLS encryption (securing HTTPS connections). JSON and XML serialisation (structuring data for APIs). Character encoding (UTF-8 ensuring text displays correctly worldwide). Compression (gzip and Brotli reducing HTTP response sizes by 60-80%).

Layer 7, Application. The protocols your software actually uses. HTTP (web), DNS (name resolution), SMTP (email sending), DHCP (automatic IP assignment), SSH (secure remote access), SNMP (network monitoring). Each runs on a well-known port: HTTP on 80, HTTPS on 443, DNS on 53, SSH on 22.

Devices at L7: Layer 7 load balancers route traffic based on HTTP content (URLs, headers, cookies). Web Application Firewalls (WAFs) inspect HTTP requests for attacks like SQL injection. Next-generation firewalls add L7 deep packet inspection to traditional L3/L4 stateful filtering.

4.6 Putting it together: troubleshooting by layer

When something breaks, work from the bottom up. Each layer depends on the one below it, so if Layer 2 is broken, everything above it fails too. Checking from the bottom catches the most common problems first.

L1: Is the link light on? Is the cable plugged in? For Wi-Fi, is there signal? Try a different cable or port.

L2: Does the NIC show UP status? Is the switch port in the correct VLAN? Is STP blocking it? Run show mac address-table on the switch.

L3: Does the device have a valid IP address (not 169.254.x.x)? Can you ping the default gateway? Can you ping the destination by IP? Run traceroute to find where packets stop.

L4: Is the destination port open? Try telnet server 443 or Test-NetConnection server -Port 443. Check firewalls (both network and host-based).

L5-7: Is DNS resolving correctly? Is TLS completing? Check the certificate. Clear browser cache. Check the application logs for HTTP 500 errors.

Most network problems live at Layers 1 through 3. If the lower layers check out, the problem is usually a firewall rule, a DNS misconfiguration, or an application error.
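The L3 to L7 steps of this checklist can be automated from the client side. This is an added example, not part of the original module: the function name and return format are hypothetical, it leaves out the L1/L2 and TLS checks, and the `resolve` parameter exists only so the DNS step can be replaced in tests.

```python
import ipaddress
import socket

def diagnose(local_ip, server_ip, port, hostname,
             timeout=3.0, resolve=socket.getaddrinfo):
    """Walk the layers bottom-up; return (layer, finding) for the first failure."""
    # L3: 169.254.0.0/16 means the host assigned itself an address
    if ipaddress.ip_address(local_ip).is_link_local:
        return ("L3", "self-assigned 169.254.x.x address: no DHCP lease")
    # L4: try a TCP handshake to the port, by IP so DNS is not involved
    try:
        socket.create_connection((server_ip, port), timeout=timeout).close()
    except ConnectionRefusedError:
        # a reset came back, so L1-L3 work; nothing accepts on that port
        return ("L4", "connection refused: port closed or rejected by host firewall")
    except OSError as exc:                # timeout, no route, network unreachable
        return ("L3/L4", f"no answer ({exc}): dropped by a firewall or no path; "
                         "run traceroute")
    # L5-7: the name must resolve, and to the address that just answered
    try:
        answers = {info[4][0] for info in resolve(hostname, port)}
    except socket.gaierror as exc:
        return ("L7", f"DNS lookup failed: {exc}")
    if server_ip not in answers:
        return ("L7", f"DNS returns {sorted(answers)}, not {server_ip}")
    return ("OK", "address, port and name resolution all check out")
```

A refused connection and a timeout point at different layers: a refusal proves packets reached the server, while silence cannot distinguish a dropped packet from a missing route, which is why the timeout case is reported as L3/L4.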

Common misconception

Misconception: "Always start troubleshooting at the layer where the user reports the problem."

Users report symptoms, not root causes. 'The website is down' sounds like Layer 7, but the root cause might be a cable fault (L1), a VLAN misconfiguration (L2), or a routing problem (L3). Starting at the bottom catches the most common causes first and avoids chasing application-level ghosts.

4.7 Check your understanding

A switch receives a frame with a destination MAC address it has never seen before. What does it do?

A user has an IP address of 169.254.12.34. What does this tell you?

You can ping a web server by IP address but not by hostname. Which layer is the problem at?

What is the main difference between a hub and a switch?

Key takeaways

  • Layer 1 (Physical) handles bits on the wire. Layer 2 (Data Link) handles frames on the local segment. Layer 3 (Network) handles packets across networks. Layer 4 (Transport) handles reliable or fast delivery between endpoints.
  • Layers 5-7 (Session, Presentation, Application) handle conversation state, data formatting, and application protocols. In TCP/IP, these are combined into one Application layer.
  • When troubleshooting, start at Layer 1 and work up. Each layer depends on the one below it. Most problems live at Layers 1 through 3.
  • Know which devices operate where: hubs (L1), switches (L2), routers (L3), firewalls (L3/L4/L7), load balancers (L4 or L7).

Standards and sources cited in this module

  1. IEEE 802.3-2022, Ethernet Standard

    Physical layer and MAC sub-layer specifications

    Defines Ethernet frame structure, cabling standards, and physical signalling. Referenced in Sections 4.1 and 4.2.

  2. IEEE 802.1D-2004 / 802.1w, Spanning Tree Protocol

    Bridge operation and Rapid STP

    Defines how switches prevent broadcast loops. Referenced in Section 4.2.

  3. IEEE 802.1Q-2022, VLANs

    VLAN tagging and trunk operation

    Defines 802.1Q frame tagging for VLAN segmentation. Referenced in Section 4.2.

  4. RFC 9293, Transmission Control Protocol (TCP)

    Section 3.5, Three-Way Handshake

    Defines the TCP connection establishment process. Referenced in Section 4.4.

  5. RFC 9000, QUIC: A UDP-Based Multiplexed and Secure Transport

    Full specification

    Defines QUIC as a modern transport alternative to TCP. Referenced in Section 4.4.

  6. CompTIA Network+ N10-009 Exam Objectives

    Domain 1.0 (Objectives 1.1, 1.2) and Domain 5.0 (Troubleshooting)

    Tests OSI layer knowledge, device classification, and layer-by-layer troubleshooting. Referenced throughout.

You now have the full seven-layer checklist. Module 5 focuses on the four identifiers that make a request possible: DNS hostnames, IP addresses, MAC addresses, and port numbers. Knowing which identifier lives at which layer stops you looking in the wrong place.
