In this post, we are going to explore the OSI and TCP/IP layered model, and use some packet capture examples to illustrate the modular nature of the two models.
One of the most difficult subjects for many people beginning to learn networking or studying for the Network+ or CCNA certifications to grasp seems to be the 7 layer model used by the OSI model and the similar model used by TCP/IP. The two models do the same thing, but define slightly different layers. They are as follows:
1. Network Interface
The two models map to each other as follows:
- The TCP/IP Application layer contains the OSI Application, Presentation and Session layers
- The TCP/IP Transport layer matches the OSI Transport Layer
- The TCP/IP Internet layer matches the OSI Network layer
- The TCP/IP Network Interface layer contains the OSI Data-link and Physical layers.
Common mnemonics to remember the OSI layers are:
- All People Seem To Need Data Processing (Top to bottom)
- Please Do Not Throw Salami|Sausage Pizza Away (Bottom to top)
Both models are made to be modular, so that a change on one layer can be made independent of the other layers, and the higher layers use the services of the lower layers. Since networking these days is almost exclusively TCP/IP, it is not surprising the TCP/IP model is probably the most relevant to today’s networks, even if the OSI model is the one that is usually taught. Day to day in network administration you will work almost exclusively on the lower four layers, and the even when we touch the top three, it is usually as “the upper layers” rather than a specific layer.
Layers are designed to provide services to the layers above them. Layer 1 provides the physical media to transport Layer 2 frames. Layer 2 frames carry a Layer 3 packet over a specific part of it’s end to end journey. Layer 3 packets provide end to end transport for Layer 4 segments. Layer 4 segments carry information, with addressing information to pass it to the right client or server process on the clients or servers.
The bottom 4 layers are as follows:
Layer 1, the physical layer, specifies physical cabling, connectors, line voltages, etc. It does not provide any sort of addressing.
Layer 2, the Data Link layer, provides transport over a single data link, such as Ethernet devices on a single broadcast domain, or endpoints in a frame relay network. In cases where more than one station could access a data link, addressing is required. This includes MAC addresses in Ethernet, and DLCIs (Data Link Connection Identifier) in frame relay. Protocols like PPP and HDLC that are station to station protocols do not require addressing at Layer 2.
Layer 3, the network layer, provides end-to-end addressing, identifying the hosts, but not the process on the host that should receive the data. In TCP/IP, the addressing at this layer is the IP address, which is assigned to a network interface on a host.
Layer 4, the Transport Layer, provides process level addressing, as well as other services such as error correction and sequencing, depending on the protocol. The “addresses” at this level are usually TCP and UDP port numbers, which tells the TCP/IP stack what program or service should receive the data in the packet.
One of the sticking points when I learned this was that quite often protocols and protocol suites cross more than one layer. Is Ethernet Layer 1 or Layer 2? (it’s both.) Another question I had was if you can trade out Layer 4 protocols at will, could you have SPX running over IP? (Maybe, but why?)
The Physical and Data-Link layers work closely together, and often overlap to a certain extent. Ethernet is defined at both layers, as both the physical connections and voltages on the wire at Layer 1, and as Media Access Control (MAC) addresses and such at Layer 2. Other times they are less integrated. A T1 (Layer 1) can run HDLC or PPP over it at layer 2, and PPP can run on T1s, modems, and other Layer 1 technologies.
Layers 3 & 4 are likewise usually tied pretty closely together, IP carries TCP and UDP (and others) while IPX carries SPX. It might be possible to write an implementation of SPX over IP, but in practical implementations it is rare to see protocols crossing between suites at Layers 3 & 4. What is more common is adding a new protocol, rather than porting an existing one.
The upper layers are usually more the domain of programmers or security specialists. Beyond knowing what they are, you probably do not need to devote too much time to them for most Cisco certifications.
Let’s take a look at some real examples to see how this works. Following are some packet capture screenshots that demonstrate how different protocols can operate at each layer, and interoperate with each other.
First, a telnet packet, which uses TCP (Layer 4) on IP (Layer 3) on Ethernet (Layers 1 & 2)
An almost identical packet, except it is on an HDLC (Layer 2) serial (Layer 1) link. Note that each of the lower layers has something to identify the next layer. The Ethernet and HDLC headers (the sections labeled “Ethernet II” and “Cisco HDLC” in the screenshots) includes a type of 0x0800, to indicate that the next part of the packet is IP. The IP header (Section labeled “Internet Protocol Version 4”) has a protocol type of 6, to indicate that the next header is TCP, and TCP port numbers indicate the client or server process that the network stack should hand the data off to.
Here is another telnet packet over the same Layer 1 serial link, but now the Layer 2 protocol has been changed to PPP. In this case, the Layer 1 and Layer 3+ all stay the same, only the Layer 2 encapsulation has changed. Note that the PPP header uses a type of 0x0021, which in PPP indicates IP as the encapsulated protocol. This time, we are changing the layer 4 protocol to UDP, to support a DNS query at the upper levels. The IP Protocol field is now 17, to indicate that the next header is UDP. Note the much simpler UDP header, which includes only a source and destination port, and a checksum to verify message integrity, but without the sequence and acknowledgement numbers.
This last packet shows ICMP as the layer 4 protocol, note the protocol type of 1 in the IP header. The screenshots above are from Wireshark, captures from GNS3. It can be very helpful when you are studying any protocol to do Wireshark captures to see the details in the actual packets.
Hopefully this helps you visualize how the different layers work. The next post demonstrates end to end transport, including the changing Layer 2 encapsulation over different media.