Compare and Contrast the OSI Model Layers and Encapsulation Concepts for Network+ (N10-008)
1. Introduction: Why the OSI Model Still Matters
If you’re studying for CompTIA Network+ and the OSI model feels like a stack of terms to memorize, the fix is simple: stop treating it like trivia and start using it like a troubleshooting framework. The OSI model is a reference model, not a literal software stack you configure line by line. Its value is that it helps you isolate where communication is failing.
That matters on the exam and in real work. A user says, “the network’s down,” but in my experience that could mean almost anything: a dead cable, the wrong VLAN, a missing default gateway, TCP 443 being blocked, a bad DNS record, or even a certificate mismatch. That’s where the OSI model helps. It gives you a structured way to separate those possibilities instead of guessing. It also gives you a common language: frames, packets, ports, MAC addresses, IP addresses, encapsulation, and routing.
This guide is written for Network+ OSI and encapsulation objectives, with practical precision. Real protocols do not always map perfectly to one layer, and CompTIA sometimes simplifies boundary cases such as ARP, TLS, Session, and Presentation. That’s normal. Your goal is to understand the model well enough to answer exam questions and troubleshoot logically.
2. OSI 7-Layer Overview Table
| Layer | Name | Primary Function | PDU | Identifier | Examples | Devices / Controls |
|---|---|---|---|---|---|---|
| 7 | Application | User-facing network services | Data | Names, service requests | HTTP, HTTPS, DNS, DHCP, SMTP, IMAP, SSH, SNMP | Proxies, web application firewalls, application gateways (devices that sit in the path and inspect or steer application traffic) |
| 6 | Presentation | Formatting, encryption, compression | Data | Encoding, certificates, ciphers | TLS, UTF-8, JPEG, JSON | TLS offload devices, gateways |
| 5 | Session | Dialog control, persistence, teardown | Data | Session state, tokens | Session cookies, RPC-style dialog behavior | Load balancers, app servers |
| 4 | Transport | End-to-end delivery, reliability, ports | Segment / Datagram | Port numbers | TCP, UDP | Stateful firewalls, Layer 4 load balancers |
| 3 | Network | Logical addressing and routing | Packet | IP address | IPv4, IPv6, ICMP | Routers, Layer 3 switches, ACLs |
| 2 | Data Link | Framing, local delivery, MAC addressing | Frame | MAC address | Ethernet, 802.11 framing, 802.1Q VLANs, ARP (at the Layer 2/3 boundary) | Switches, bridges, access points, 802.1X, port security |
| 1 | Physical | Transmission of bits over media | Bits | Electrical/optical/radio signaling | Copper, fiber, RF channels, connectors | Cables, transceivers, repeaters, antennas |
A simple way to remember it is this: when data is being sent, it moves from the top of the stack down; when it is being received, it works its way back up. As data moves down the stack, it gets encapsulated, and when it arrives at the destination, it gets decapsulated.
3. Layer-by-Layer Breakdown
Layer 1 – Physical: This layer is about whether bits can move at all. It covers copper and fiber cabling, radio transmission, connectors, transceivers, signal quality, and the kinds of media problems that stop traffic before it even starts. Common issues include no link light, damaged cables, dirty fiber, failed SFPs, PoE problems, attenuation, and wireless interference. Hubs and repeaters are legacy Layer 1 devices, so you don’t see them much in modern production networks. Speed and duplex are often taught with Layer 1/2 because negotiation affects Ethernet operation, even though the symptom may look physical.
Layer 2 – Data Link: Layer 2 handles local delivery. Ethernet and Wi-Fi frames live here, along with MAC addressing and frame integrity checks. Switches learn source MAC addresses in a CAM, or MAC, table and forward unicast frames based on the destination MAC address. Broadcast frames are flooded within the broadcast domain. Switches split up collision domains, routers split up broadcast domains, and VLANs let you carve separate broadcast domains out of the same switching infrastructure. Key topics here include 802.1Q tagging, access versus trunk ports, STP loop prevention, port security, and 802.1X port-based access control. Wireless has Layer 2 behavior too, including association, authentication, and framing. A client with strong signal but failed WPA authentication is not a Layer 1 problem.
Layer 3 – Network: Layer 3 is routing between networks using logical addresses. IPv4 and IPv6 live here, along with the logic that lets devices find each other across networks. Routers and Layer 3 switches forward packets using destination IP addresses and routing tables. Inter-VLAN routing is one of the most common Layer 3 jobs you’ll see in real networks. A host first checks whether the destination is local or remote by applying its subnet mask. If it’s local, it sends directly. If it’s remote, it hands the traffic to the default gateway, which is the next-hop router that gets it off the subnet. Route choice follows longest-prefix match, then the default route if nothing more specific matches. ICMP supports diagnostics and error reporting. TTL in IPv4 and Hop Limit in IPv6 both drop by 1 at every routed hop. IPv4 routers may fragment packets unless the DF bit says not to. IPv6 routers don’t fragment packets in transit, so the endpoints have to rely on Path MTU Discovery.
Layer 4 – Transport: This layer provides end-to-end transport between applications. TCP is connection-oriented and built for reliability, while UDP is connectionless and keeps overhead low. TCP starts with a three-way handshake: SYN, SYN-ACK, and ACK. That is transport connection establishment, not Session-layer setup. TCP also uses sequence numbers, acknowledgments, retransmissions, windowing, and control flags such as FIN and RST. UDP has less overhead, which is why you’ll often see it used for DNS queries, voice, and streaming. Ports matter here: well-known ports identify common services, while client source ports are usually ephemeral. Stateful firewalls track transport sessions, and PAT may translate source ports in transit.
Layer 5 – Session: Session is less visible in modern stacks, but the function still matters. It covers maintaining dialogs, persistence, and orderly communication state. In practice, this shows up in remote sessions, application cookies, token-based logins, API sessions, and load balancer stickiness. If users keep getting logged out every few minutes, or requests only fail when they land on a different backend server, I’d immediately think about session persistence or a timeout mismatch.
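To make the local-versus-remote decision and longest-prefix match concrete, here is an added Python example (not from the original guide) that models a host’s Layer 3 forwarding decision; the host address, routing table, and next-hop addresses are constructed for illustration.

```python
import ipaddress

# Constructed host configuration and routing table (not from a real device).
HOST = ipaddress.ip_interface("192.168.10.25/24")
ROUTES = [
    ("0.0.0.0/0", "192.168.10.1"),     # default route via the default gateway
    ("10.0.0.0/8", "192.168.10.2"),    # more specific route via a second router
    ("10.1.2.0/24", "192.168.10.3"),   # longer prefix, wins over 10.0.0.0/8
]


def next_hop(dest, routes=ROUTES):
    """Return (next_hop_ip, how) for a destination address.

    'local'  -> destination is on our subnet: ARP/ND for the destination itself.
    'routed' -> destination is remote: ARP/ND for the chosen next-hop router;
                the destination IP stays in the packet, only the frame targets
                the router's MAC.
    'unreachable' -> no route matched and there is no default route.
    """
    dest = ipaddress.ip_address(dest)

    # Step 1: apply our own subnet mask. Same network means direct delivery.
    if dest in HOST.network:
        return str(dest), "local"

    # Step 2: longest-prefix match. The /0 default route matches everything,
    # so it only wins when no more specific prefix contains the destination.
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw

    if best_net is None:
        return None, "unreachable"
    return best_gw, "routed"


if __name__ == "__main__":
    for d in ("192.168.10.77", "10.1.2.9", "10.9.9.9", "203.0.113.5"):
        print(d, "->", next_hop(d))
```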
Layer 6 – Presentation: This layer handles how data is represented. That includes encoding, serialization, compression, and encryption. TLS is the modern secure protocol here conceptually, though real-world mapping often blurs between Layers 5–7. SSL may appear in legacy wording, but it is deprecated and insecure. Common problems include certificate chain failure, hostname mismatch, unsupported TLS version, cipher mismatch, and encoding errors that make data arrive successfully but display incorrectly.
Layer 7 – Application: This is where network services used by applications live. DNS resolves names, DHCP assigns addresses, HTTP and HTTPS deliver web content, SMTP sends email, IMAP and POP3 retrieve it, SNMP supports monitoring, and SSH provides secure remote access. Telnet is also an application-layer protocol, but it’s legacy and insecure, so SSH is the smarter choice. DHCP sits at Layer 7 in the OSI model, but exam questions may also expect you to know that it uses UDP ports 67 and 68 and relies on local broadcast behavior during the initial address acquisition process.
4. PDUs, Addressing, and What Changes at Each Hop
| Layer | PDU | Main Identifier |
|---|---|---|
| 7–5 | Data | Service/session context |
| 4 | Segment (TCP) / Datagram (UDP) | Port number |
| 3 | Packet | IP address |
| 2 | Frame | Link-layer address such as MAC |
| 1 | Bits | Signal encoding |
One transmission can contain all of these identifiers at once. A web request may have source and destination MAC addresses for the current link, source and destination IP addresses for the endpoints, and source and destination ports for the applications.
What changes at each routed hop is a favorite exam concept:
- Layer 2 frame is removed and rebuilt.
- Link-layer source and destination addresses are rewritten for the next link.
- TTL, or Hop Limit, decreases by 1.
- IP addresses usually stay the same from end to end unless NAT steps in and rewrites them.
- Ports usually stay the same too, although PAT, proxies, and load balancers can translate them when needed.
Also keep in mind that the Layer 2 FCS often won’t appear in host-based packet captures, because many NICs strip it off before the operating system ever sees the frame.
5. Encapsulation, ARP/NDP, and NAT/PAT
Encapsulation is the process of adding control information as data moves down the stack. Transport adds ports and reliability details, Network adds IP addressing, Data Link adds local-link addressing and a trailer, and Physical sends bits on the medium. At the destination, decapsulation walks that process back in reverse.
On an IPv4 local network, a host has to use ARP to resolve the next-hop IP address into a MAC address. The ARP request goes out as a broadcast, the ARP reply usually comes back as a unicast, and then the host caches the answer. If ARP fails, the host can’t build a usable local frame, even when it already knows the destination IP address. In IPv6, Neighbor Discovery takes over that local-link resolution job instead of ARP.
NAT and PAT are worth knowing too, because they can change what shows up when you’re troubleshooting. NAT may rewrite IP addresses. PAT, often used in home and enterprise edge devices, may rewrite both source IP and source port so many internal clients can share one public address. That means a packet capture taken on the client and one taken outside the firewall may show different source IP/port values.
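As an added example that is not part of the original guide, the following Python builds a TCP/IPv4/Ethernet frame by encapsulation (Sections 4 and 5), reads the identifiers back out by decapsulation, and then applies what a router does at each hop: new source and destination MACs, TTL minus one, a recomputed IPv4 header checksum, and unchanged IPs and ports. All MAC and IP addresses are constructed, the FCS is omitted as a host capture would show it, and the TCP checksum is left at zero because nothing verifies it here.

```python
import struct


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a header whose checksum is correct."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac(s): return bytes.fromhex(s.replace(":", ""))   # "aa:bb:..." -> 6 bytes
def ip(s): return bytes(int(o) for o in s.split("."))  # "1.2.3.4" -> 4 bytes


def encapsulate(payload, src_port, dst_port, src_ip, dst_ip, src_mac, dst_mac, ttl=64):
    """Walk down the stack: Layer 4 segment -> Layer 3 packet -> Layer 2 frame."""
    # Layer 4: minimal 20-byte TCP header, data offset 5, flags = SYN, checksum 0.
    segment = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    # Layer 3: IPv4 header, DF set (0x4000), protocol 6 (TCP); checksum filled in last.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                      ttl, 6, 0, ip(src_ip), ip(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    # Layer 2: Ethernet II header, EtherType 0x0800 (IPv4); FCS omitted.
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + hdr + segment


def decapsulate(frame):
    """Walk back up: return the identifiers visible at Layers 2, 3 and 4."""
    ihl = (frame[14] & 0x0F) * 4
    l4 = frame[14 + ihl:]
    src_port, dst_port = struct.unpack("!HH", l4[:4])
    return {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ttl": frame[22], "proto": frame[23],
            "src_ip": ".".join(map(str, frame[26:30])), "dst_ip": ".".join(map(str, frame[30:34])),
            "src_port": src_port, "dst_port": dst_port}


def route_hop(frame, router_out_mac, next_hop_mac):
    """Per routed hop: strip the frame, decrement TTL, fix the checksum, rebuild Layer 2."""
    packet = bytearray(frame[14:])
    ihl = (packet[0] & 0x0F) * 4
    if packet[8] <= 1:
        return None  # TTL would hit 0: router discards it and sends ICMP Time Exceeded
    packet[8] -= 1
    packet[10:12] = b"\x00\x00"
    packet[10:12] = struct.pack("!H", ipv4_checksum(bytes(packet[:ihl])))
    # IPs and ports are untouched; only the link-layer addresses change.
    return mac(next_hop_mac) + mac(router_out_mac) + b"\x08\x00" + bytes(packet)
```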
6. End-to-End Example: From Client Startup to Secure Web Access
Here’s the compact workflow that ties the layers together:
- DHCP: A new client joins the network and uses the DORA process: Discover, Offer, Request, Acknowledge. DHCP is an application-layer service that uses UDP ports 67 and 68. Early DHCP messages may be broadcast because the client doesn’t yet know its full IP configuration.
- DNS: The client resolves a domain name through DNS, usually over UDP 53. DNS also uses TCP port 53 for zone transfers and for larger or fallback responses when needed.
- TCP: The client opens a TCP connection to destination port 443 using an ephemeral source port.
- TLS: The client validates the server certificate, hostname, trust chain, and compatible protocol/cipher settings.
- HTTP: The application request is sent inside the established secure transport.
If the server sits on another subnet, the client sends the frame to the default gateway’s MAC address instead of the remote server’s MAC address. The router strips off that frame, inspects the packet, drops the TTL by one, and then builds a fresh frame for the next hop. If an edge firewall is doing PAT, the private source IP address and ephemeral port may be translated before the traffic goes out to the internet.
7. Protocol and Port Quick Reference
| Service | Layer 7 Protocol | Transport | Default Port(s) |
|---|---|---|---|
| Web | HTTP | TCP | 80 |
| Secure Web | HTTPS | TCP | 443 |
| Name Resolution | DNS | UDP/TCP | 53 |
| Address Assignment | DHCP | UDP | 67/68 |
| Secure Remote CLI | SSH | TCP | 22 |
| Legacy Remote CLI | Telnet | TCP | 23 |
| Email Send | SMTP | TCP | 25 |
| Email Retrieve | POP3 | TCP | 110 |
| Email Retrieve | IMAP | TCP | 143 |
| Monitoring | SNMP | UDP | 161/162 |
| Remote Desktop | RDP | TCP | 3389 |
8. OSI vs TCP/IP Model
OSI is a seven-layer reference model. TCP/IP is the practical model used on modern networks. The mapping CompTIA expects is:
- OSI Application + Presentation + Session → TCP/IP Application
- OSI Transport → TCP/IP Transport
- OSI Network → TCP/IP Internet
- OSI Data Link + Physical → TCP/IP Network Access
We still teach OSI because it explains functions more cleanly. We use TCP/IP because that is the real protocol suite. On the exam, know both the mapping and the fact that some technologies, especially TLS and ARP, blur clean boundaries.
9. Devices, Security Controls, and Wireless Through the OSI Lens
Switches are primarily Layer 2. Routers and Layer 3 switches work at Layer 3 when it comes to routing. Access points operate across Layers 1 and 2. Firewalls can filter traffic at Layers 3, 4, and 7. A default gateway is the Layer 3 next-hop router a host uses to reach networks outside its own subnet. That’s different from an application or protocol gateway, which translates between services or protocols.
Security controls also map by layer. Layer 2 examples include port security, 802.1X, DHCP snooping, and Dynamic ARP Inspection. 802.1X is primarily a Layer 2 port-based access control method, even though it often depends on EAP and backend RADIUS services behind the scenes. Layer 3 and Layer 4 controls include ACLs, stateless filtering, stateful firewalls, and NAT/PAT. Layer 7 controls include proxies, DNS filtering, and web application firewalls. VPNs vary by design. IPsec is usually associated with Layer 3, while SSL/TLS VPNs are generally treated as upper-layer remote-access solutions.
For wireless, separate RF from access control. Poor RSSI, channel overlap, attenuation, and interference from nearby devices are all Layer 1 concerns. Authentication, association, and WPA, WPA2, or WPA3 negotiation are Layer 2 concerns. A client can still see the SSID and fail to join because of bad credentials or an 802.1X issue.
10. Troubleshooting with the OSI Model
Use a method instead of guesswork; it saves time and keeps you from chasing the wrong layer. Bottom-up starts with cabling and link. Top-down starts with the application. Divide-and-conquer tests the middle, such as pinging the gateway first. Follow-the-path troubleshooting traces traffic hop by hop, which is especially helpful when the problem isn’t on the local device. Compare against a known-good device whenever you can, because that baseline can tell you a lot faster than assumptions can.
| Symptom | Likely Layer | What to Check |
|---|---|---|
| No link light / no Wi-Fi radio | 1 | Cable, transceiver, interface state, RF signal, PoE |
| Wrong VLAN / port security violation / STP block | 2 | Access VLAN, trunk tags, MAC table, switch logs |
| Local works, remote fails | 3 | IP address, subnet mask, default gateway, route table, and ACLs |
| DNS resolves, but HTTPS still fails | 4 | TCP 443, the SYN/SYN-ACK exchange, firewall state, and NAT/PAT |
| Frequent logouts / app breaks behind load balancer | 5 | Idle timeout, cookie persistence, stickiness |
| Certificate warning / TLS handshake failure | 6 | Trust chain, hostname, protocol version, ciphers |
| Can reach by IP but not by name | 7 | DNS records, resolver settings, and the server’s actual response |
Useful commands include ipconfig /all, ip addr, arp -a, route print, ping, tracert/traceroute, nslookup, dig, netstat -an, and ss. On switches and routers, I usually check interface status, VLAN membership, MAC tables, and routing tables first. Packet capture tools make it much easier to see ARP, DNS, TCP handshakes, ICMP errors, retransmissions, and resets directly.
One important caution: a failed ping or traceroute doesn’t automatically mean you’ve got a Layer 3 path failure. ICMP may be filtered even while TCP or UDP applications are still working.
11. Common Exam Traps and Final Review
- Switch vs router: Switches forward frames; routers forward packets.
- Frame vs packet vs segment: Layer 2 frame, Layer 3 packet, Layer 4 segment/datagram.
- MAC vs IP vs port: MAC = local-link delivery, IP = routed delivery, port = application/process.
- ARP vs DNS: ARP resolves IPv4 address to MAC on the local network; DNS resolves names to IP addresses.
- Default gateway vs gateway: Default gateway is the router used to leave the subnet; a gateway device may translate protocols or services.
- TCP handshake: Transport connection establishment, not Session-layer setup.
- TLS placement: Often taught at Presentation/Application boundary; real implementations blur layers.
- AP classification: Access points are Layer 1 and Layer 2 devices, not just one or the other.
- IPv6 nuance: Neighbor Discovery replaces ARP; Hop Limit replaces TTL; routers do not fragment in transit.
Exam readiness checklist:
- I can name all seven OSI layers in order.
- I know the PDU and main identifier at each layer.
- I can explain encapsulation and decapsulation.
- I know what changes at each routed hop.
- I can distinguish local delivery, routed delivery, and application delivery.
- I can map OSI to TCP/IP.
- I know common protocols and ports.
- I can explain ARP for IPv4 and Neighbor Discovery for IPv6.
- I understand NAT/PAT effects on IPs and ports.
- I can use the OSI model to isolate faults quickly.
If you can do those things without relying on a memorized chart, you’re ready for the Network+ style of OSI and encapsulation questions—and much better prepared to troubleshoot real networks.