// Reference Map v1.0

IT Networking

A structured visual guide — from physical cables to application protocols
TCP / IP STACK · OSI MODEL · PROTOCOLS · DEVICES · SECURITY
The OSI Model
The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes how different systems communicate over a network. It has 7 layers, each with a specific role — data travels down when sending, up when receiving.
APPLICATION SIDE (upper layers)
7  Application   | PDU: DATA    | HTTP, FTP, DNS, SMTP, SSH — what the user interacts with
6  Presentation  | PDU: DATA    | Encryption, compression, data formatting (SSL/TLS, JPEG, ASCII)
5  Session       | PDU: DATA    | Manages sessions/connections between applications (NetBIOS, RPC)
TRANSPORT LAYER (end-to-end)
4  Transport     | PDU: SEGMENT | Reliable delivery, ports, flow control — TCP vs UDP
NETWORK SIDE (lower layers)
3  Network       | PDU: PACKET  | Routing between networks using IP addresses (IP, ICMP, routers)
2  Data Link     | PDU: FRAME   | Node-to-node transfer on the same network using MAC addresses (Ethernet, switches)
1  Physical      | PDU: BIT     | Raw bit transmission — cables, hubs, electrical/optical signals

OSI vs TCP/IP Model

TCP/IP is the model actually used on the internet — it collapses OSI's 7 layers into 4:

APPLICATION: Layers 5+6+7 of OSI merged
TRANSPORT: Layer 4 — TCP / UDP
INTERNET: Layer 3 — IP addressing & routing
NETWORK ACCESS: Layers 1+2 — Ethernet, Wi-Fi, MACs

Key Concepts Per Layer

L7 — App: Browser, email client, API calls
L6 — Pres: TLS handshake encrypts here
L5 — Ses: Login session starts/ends here
L4 — Trans: Port numbers (80, 443, 22…)
L3 — Net: IP routing, TTL, ICMP (ping)
L2 — Link: ARP maps IP ↔ MAC address
L1 — Phys: Cat5e/6 cables, fiber, WiFi radio

Encapsulation Flow

When you send data, each layer wraps it with a header (encapsulation). On arrival, each layer unwraps it (de-encapsulation).

[ L7 DATA ]
[ L4 SEGMENT | DATA ]
[ L3 PACKET | SEG | DATA ]
[ L2 FRAME | PKT | SEG | DATA ]
[ L1: 010101 raw bits on wire ]
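The encapsulation flow above, carried out in code. This is an added example and not part of the reference map: it wraps a payload in a UDP header (L4 segment), an IPv4 header with its checksum (L3 packet) and an Ethernet II header (L2 frame), then strips the headers off again and verifies the checksum on the way up. The MAC addresses, IPs, ports and payload are constructed sample values; nothing is put on a wire.

```python
"""Encapsulation walk-through: wrap an application payload in a UDP header (L4
segment), an IPv4 header (L3 packet) and an Ethernet II header (L2 frame), then
peel them off again in the reverse order.

Added example, not part of the reference map. MACs, IPs, ports and the
payload are constructed sample values; the frame is never put on a wire."""
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def encapsulate(data, src_ip, dst_ip, src_port, dst_port, src_mac, dst_mac) -> bytes:
    """L7 data -> L4 segment -> L3 packet -> L2 frame (the FCS is left to the NIC)."""
    # L4: UDP header = src port, dst port, length, checksum (0 = omitted; legal for UDP over IPv4)
    segment = struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data
    # L3: 20-byte IPv4 header, no options. Version/IHL 0x45, TTL 64, protocol 17 = UDP.
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0, 64, 17,
                         0, ip_bytes(src_ip), ip_bytes(dst_ip))
    checksum = ipv4_checksum(fields)
    packet = fields[:10] + struct.pack("!H", checksum) + fields[12:] + segment
    # L2: destination MAC, source MAC, EtherType 0x0800 = IPv4
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800) + packet


def header_intact(frame: bytes) -> bool:
    """True when the IPv4 header verifies: a valid header sums to zero including its checksum field."""
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


def decapsulate(frame: bytes) -> dict:
    """Reverse the process, recording what each layer is able to read."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    if not header_intact(frame):
        raise ValueError("IPv4 header checksum mismatch")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("not UDP")
    segment = packet[ihl:]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "l2": {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12])},
        "l3": {"src_ip": ".".join(map(str, packet[12:16])),
               "dst_ip": ".".join(map(str, packet[16:20])), "ttl": packet[8]},
        "l4": {"src_port": src_port, "dst_port": dst_port},
        "l7": segment[8:udp_len],
    }


# Constructed sample: a host talking to a resolver on UDP/53 (the payload is only a marker)
SAMPLE_FRAME = encapsulate(b"dns-query-bytes", "192.168.1.105", "8.8.8.8", 40000, 53,
                           "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66")

if __name__ == "__main__":
    print(len(SAMPLE_FRAME), "bytes on the wire")
    print(decapsulate(SAMPLE_FRAME))
```

Each layer only reads its own header: the switch forwards on the MAC fields, the router rewrites the L2 header at every hop and decrements the TTL, and only the receiving host looks at the ports and payload. The checksum check shows why a single flipped bit in the L3 header makes the packet undeliverable rather than misdelivered.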
Network Protocols
Protocols are the agreed-upon rules that define how data is formatted, transmitted, and received. Each protocol lives at a specific OSI layer and has a specific job.
APPLICATION LAYER (L7)
HTTP/S (L7, ports 80 / 443)
HyperText Transfer Protocol — the foundation of web communication. S = encrypted with TLS.
REQUEST → RESPONSE model
Methods: GET POST PUT DELETE PATCH
Status: 200 OK / 404 Not Found / 500 Error
DNS (L7, port 53)
Domain Name System — translates human-readable domain names into IP addresses.
google.com → 142.250.74.14
Record types: A, AAAA, CNAME, MX, TXT
Uses UDP (fast) or TCP (large responses)
DHCP (L7, ports 67/68)
Dynamic Host Configuration Protocol — automatically assigns IP addresses to devices on a network.
Flow: DISCOVER → OFFER → REQUEST → ACK
Assigns: IP, subnet mask, gateway, DNS
Lease time: addresses are temporary
SSH (L7, port 22)
Secure Shell — encrypted remote terminal access and file transfer. Replaced Telnet.
Auth: password or key-pair (public/private)
Uses: server admin, git, tunneling
ssh user@192.168.1.10
SMTP/IMAP (L7, ports 25/993)
Email protocols — SMTP sends mail, IMAP/POP3 retrieves it from a mail server.
SMTP: outgoing mail (port 587 w/ auth)
IMAP: syncs mailbox (server-side)
POP3: downloads and deletes (local)
FTP/SFTP (L7, ports 21/22)
File Transfer Protocol — transfers files between client and server. SFTP is the SSH-encrypted version.
FTP: unencrypted, two channels (control+data)
SFTP: runs over SSH, fully encrypted
Active vs Passive mode for firewalls
TRANSPORT LAYER (L4)
TCP (L4)
Transmission Control Protocol — reliable, ordered, error-checked delivery. Slower but guaranteed.
3-way handshake: SYN → SYN-ACK → ACK
Flow control: receiver controls send rate
Used by: HTTP, SSH, FTP, SMTP
UDP (L4)
User Datagram Protocol — fast, connectionless, no guarantee of delivery. Best-effort.
No handshake, no acknowledgment
Used by: DNS, VoIP, video streaming, gaming
Lower latency — critical for real-time apps
TLS/SSL (L4-L6)
Transport Layer Security — encrypts data in transit. SSL is the deprecated predecessor.
Handshake: negotiate cipher + exchange keys
Certificate: proves server identity (CA-signed)
Provides: confidentiality + integrity + auth
NETWORK LAYER (L3)
IP (L3)
Internet Protocol — logical addressing and routing of packets across networks. The backbone of the internet.
IPv4: 32-bit address (4.3B addresses)
IPv6: 128-bit address (virtually unlimited)
Connectionless: no state, no guarantee
ICMP (L3)
Internet Control Message Protocol — used for diagnostics and error reporting. The protocol behind ping.
ping: tests reachability + latency
traceroute: maps hops to destination
Errors: "Destination Unreachable", "TTL Exceeded"
BGP / OSPF (L3)
Routing protocols — determine the best path for packets. BGP governs internet routing between ISPs.
BGP: Border Gateway Protocol (inter-AS, internet)
OSPF: Open Shortest Path First (intra-network)
RIP: older, hop-count based routing
DATA LINK LAYER (L2)
Ethernet (L2)
The dominant wired LAN standard — defines frame format, MAC addressing, and cable specifications.
Speeds: 100Mbps → 1Gbps → 10Gbps+
Frame: [Dest MAC | Src MAC | Type | Data | FCS]
Standards: 802.3 (wired)
Wi-Fi (L2)
IEEE 802.11 wireless networking standard. Multiple generations with increasing speed and efficiency.
802.11ac (Wi-Fi 5): up to 3.5Gbps
802.11ax (Wi-Fi 6): up to 9.6Gbps, better density
Bands: 2.4GHz (range) vs 5GHz (speed)
ARP (L2/L3)
Address Resolution Protocol — maps a known IP address to a MAC address on a local network.
Broadcasts: "Who has 192.168.1.5?"
Responds: "I do — MAC: AA:BB:CC:DD:EE:FF"
Stored in ARP cache (arp -a to view)
Network Devices
Each network device operates at a specific OSI layer. Understanding which layer a device works at tells you what information it can read and act upon.
🔌 Hub // OSI LAYER 1 — PHYSICAL
The dumbest network device — broadcasts every incoming signal to all ports. No intelligence whatsoever.
broadcasts to ALL ports
no MAC awareness
creates collisions
largely obsolete
🔀 Switch // OSI LAYER 2 — DATA LINK
Connects devices within a LAN. Learns MAC addresses and forwards frames only to the correct port.
MAC address table
unicast forwarding
VLANs support
L3 switch = routing too
🌐 Router // OSI LAYER 3 — NETWORK
Routes packets between different networks using IP addresses. Your home router connects your LAN to the internet.
IP routing table
NAT (Network Address Translation)
connects different subnets
default gateway
🛡️ Firewall // OSI LAYER 3–7 — STATEFUL
Monitors and filters traffic based on rules. Can be hardware or software. Your first line of network defense.
packet filtering
stateful inspection
ACL rules
NGFW = deep packet inspection
⚖️ Load Balancer // OSI LAYER 4–7 — TRANSPORT/APP
Distributes incoming traffic across multiple backend servers to ensure availability and performance.
Round Robin
Least Connections
health checks
SSL termination
🔁 Proxy Server // OSI LAYER 7 — APPLICATION
Acts as an intermediary between clients and servers. Forward proxy hides the client; reverse proxy hides the server.
caching
content filtering
anonymization
reverse proxy (Nginx)
📡 Access Point // OSI LAYER 1–2 — PHYSICAL/LINK
Provides wireless access to a wired network. Bridges Wi-Fi clients into the Ethernet LAN.
SSID broadcast
WPA3 encryption
2.4 / 5 / 6 GHz bands
PoE powered
🔒 VPN Gateway // OSI LAYER 3 — NETWORK
Creates encrypted tunnels between networks or remote users and the corporate network.
IPSec / OpenVPN
WireGuard
site-to-site VPN
split tunneling
🌍 DNS Server // OSI LAYER 7 — APPLICATION
Resolves domain names to IP addresses. The phonebook of the internet. Can be internal or public (8.8.8.8).
recursive resolver
authoritative server
DNS caching
split-horizon DNS
💾 DHCP Server // OSI LAYER 7 — APPLICATION
Automatically assigns IP addresses, subnet masks, gateways, and DNS servers to network devices.
IP address pool
lease management
static reservations
option 82 relay
IP Addressing
Every device on a network has an IP address. Understanding how addresses work — and how to break them into subnets — is fundamental to network design.

IPv4

192.168.1.105
FORMAT: 4 octets, 8 bits each = 32 bits total
RANGE: 0.0.0.0 → 255.255.255.255
TOTAL ADDRESSES: ~4.3 billion (exhausted)
NOTATION: Dotted decimal (e.g. 10.0.0.1)
SPECIAL RANGES (RFC 1918)
10.0.0.0/8: Private — Class A (large orgs)
172.16.0.0/12: Private — Class B (medium)
192.168.0.0/16: Private — Class C (home/office)
127.0.0.1: Loopback (localhost)
169.254.x.x: APIPA (no DHCP found)

IPv6

2001:0db8:85a3::8a2e:0370:7334
FORMAT: 8 groups of 4 hex digits = 128 bits
TOTAL ADDRESSES: 340 undecillion (3.4 × 10³⁸)
SHORTHAND: :: replaces consecutive zero groups
NO NAT NEEDED: Every device gets a global address
SPECIAL ADDRESSES
::1: Loopback (equivalent to 127.0.0.1)
fe80::/10: Link-local (auto-configured)
fd00::/8: Unique local (private, like RFC1918)
2000::/3: Global unicast (public internet)
Subnetting & CIDR

CIDR (Classless Inter-Domain Routing) notation expresses a network as an IP address followed by a prefix length (e.g., /24). This defines how many bits belong to the network vs. the hosts.

How Subnet Masks Work

IP: 192.168.1.105 = 11000000.10101000.00000001.01101001
MASK: 255.255.255.0  = 11111111.11111111.11111111.00000000
──────────────────────────────────────────────────
NET: 192.168.1 = Network portion (fixed)
HOST: 0–255     = Host portion (variable)
A /24 subnet means 24 bits for network = 8 bits for hosts = 256 addresses (254 usable — first is network ID, last is broadcast).
CIDR   SUBNET MASK        HOSTS    USE CASE
/8     255.0.0.0          16M      Large ISP / enterprise
/16    255.255.0.0        65,534   Large org network
/24    255.255.255.0      254      Standard office LAN
/25    255.255.255.128    126      Half a /24
/26    255.255.255.192    62       Small dept network
/28    255.255.255.240    14       Small server segment
/30    255.255.255.252    2        Point-to-point links
/32    255.255.255.255    1        Single host route

NAT (Network Address Translation)

WHAT IT DOES: Maps private IPs to a public IP
WHY: IPv4 address exhaustion
WHERE: Your home/office router
TYPE: PAT = many-to-one via ports

VLSM (Variable Length)

WHAT IT IS: Different subnet sizes per segment
WHY: Efficient address space use
EXAMPLE: Sales: /24, Servers: /28
REQUIRES: CIDR-aware routing (OSPF)
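The subnet-mask arithmetic, the CIDR table and the VLSM idea above, worked through with Python's standard-library ipaddress module. This is an added example, not part of the reference map: cidr_info shows what a prefix means for a given address, same_subnet answers "do these two hosts need a router?", and vlsm_plan carves one block into right-sized segments, largest first, returning the leftovers to the pool. The 10.10.0.0/24 block and the per-segment host counts are constructed sample inputs.

```python
"""Subnet and VLSM calculations with the standard-library ipaddress module:
what a /prefix means for a given address, whether two hosts share a subnet,
and how to carve one block into right-sized segments.

Added example, not part of the reference map. The 10.10.0.0/24 block and
the per-segment host counts are constructed sample inputs."""
import ipaddress


def cidr_info(cidr: str) -> dict:
    """Network ID, mask, broadcast and usable hosts for 'address/prefix'."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False accepts a host address such as 192.168.1.105/24
    # /31 and /32 have no separate network/broadcast addresses (RFC 3021 for /31)
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {"network": str(net.network_address), "netmask": str(net.netmask),
            "broadcast": str(net.broadcast_address), "prefixlen": net.prefixlen,
            "usable_hosts": usable}


def same_subnet(ip_a: str, ip_b: str, prefixlen: int) -> bool:
    """True when the two hosts share the network portion, i.e. they can talk without a router."""
    return ipaddress.ip_address(ip_b) in ipaddress.ip_network(f"{ip_a}/{prefixlen}", strict=False)


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose subnet holds `hosts` usable addresses plus network ID and broadcast."""
    return 32 - (hosts + 1).bit_length()    # hosts + 2 addresses, rounded up to a power of two


def vlsm_plan(block: str, demands: dict) -> dict:
    """Allocate a subnet per segment from `block`, largest requirement first (best fit).

    demands: segment name -> usable hosts needed. Returns segment name -> CIDR.
    Raises ValueError when the block cannot hold every segment."""
    free = [ipaddress.ip_network(block)]
    plan = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: kv[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        candidates = [n for n in free if n.prefixlen <= prefix]   # blocks big enough
        if not candidates:
            raise ValueError(f"no room for {name} ({hosts} hosts) in {block}")
        chosen = max(candidates, key=lambda n: n.prefixlen)       # smallest block that still fits
        free.remove(chosen)
        allocated = next(chosen.subnets(new_prefix=prefix))       # first sub-block of the right size
        plan[name] = str(allocated)
        if allocated != chosen:
            free.extend(chosen.address_exclude(allocated))        # hand the leftovers back
    return plan


# Constructed sample: one /24 shared by four segments of very different sizes
SAMPLE_DEMANDS = {"sales": 100, "servers": 14, "mgmt": 28, "p2p-link": 2}

if __name__ == "__main__":
    print(cidr_info("192.168.1.105/24"))
    for seg, cidr in vlsm_plan("10.10.0.0/24", SAMPLE_DEMANDS).items():
        print(f"{seg:10s} {cidr:18s} {cidr_info(cidr)['usable_hosts']} usable")
```

Allocating the largest segment first is what keeps the plan free of fragmentation: every remaining free block stays aligned on a power-of-two boundary, so a later /28 or /30 always fits inside a leftover without wasting a bigger block. From a segmentation standpoint the same function also tells you which hosts end up behind a router (and therefore behind an ACL) and which share a broadcast domain.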

VLAN (Virtual LAN)

WHAT IT IS: Logical network segmentation
WHY: Security + broadcast isolation
HOW: Tagged frames on L2 switch
ROUTING: Needs L3 switch or router
Network Topologies
Topology describes how devices are physically or logically connected. The choice of topology impacts cost, performance, fault tolerance, and scalability.
⭐ Star
All devices connect to a central switch/hub. The dominant topology in modern LANs.
[diagram: every device cabled to a central SW (switch)]
PROS
Easy to troubleshoot
One failure = one device
Simple to expand
CONS
Central switch = single point
More cable needed
🕸️ Mesh
Every device connects to every other device. Full redundancy — used in WANs and critical infrastructure.
PROS
Highly redundant
No single point of failure
CONS
Very expensive to cable
Complex management
🚌 Bus
All devices share a single communication line. Historic — used in early Ethernet. Rarely used today.
PROS
Simple and cheap
Easy to add devices
CONS
Cable break = whole network down
Collisions at scale
💍 Ring
Devices form a closed loop — data travels in one direction. Used in token ring and SONET fiber rings.
PROS
Predictable performance
No collisions (token)
CONS
One failure breaks the loop
Slow to troubleshoot
🌳 Hierarchical (Tree)
The real-world enterprise model. Three tiers: Core, Distribution, and Access. Scales to thousands of devices.
[diagram: CORE (L3) → 2 × DIST (L3) → 4 × ACC (L2)]
PROS
Scales massively
Easy to segment
Industry standard
CONS
Higher cost
Core is critical
📏 Network Types by Scale
Networks are categorized by their geographic coverage and typical use case.
PAN: Personal Area Network — Bluetooth, ~10m range
LAN: Local Area Network — building/campus, Ethernet
MAN: Metropolitan Area Network — city-wide
WAN: Wide Area Network — countries, internet = global WAN
VPN: Virtual Private Network — secure tunnel over public WAN
SD-WAN: Software-defined WAN — virtualised enterprise WAN
How Data Actually Flows
Let's trace what happens when you type a URL and press Enter — from DNS resolution to data arriving on your screen. Every step maps to an OSI layer.
DNS RESOLUTION FLOW
STEP 01 // L7
Browser Cache Check
Browser checks its own DNS cache for the domain. If it was visited recently and the TTL hasn't expired, it uses the cached IP — no DNS request needed.
chrome://net-internals/#dns
STEP 02 // L7
OS Resolver & Hosts File
OS checks its own DNS cache, then the hosts file. If found → use it. If not → forward to configured DNS resolver (usually your router or a public resolver like 8.8.8.8).
C:\Windows\System32\drivers\etc\hosts
STEP 03 // L7 → L4
Recursive Resolver Query
A UDP packet (port 53) is sent to the recursive resolver. It asks: who's responsible for this domain? The resolver does the heavy lifting so your device doesn't have to.
dig google.com @8.8.8.8
STEP 04 // DNS HIERARCHY
Root → TLD → Authoritative
Resolver queries the root servers (13 clusters), who point to the TLD server (.com, .it…), who point to the authoritative nameserver for the domain — which finally returns the A record (IP address).
Root (.) → .com → google.com NS → A record: 142.250.x.x
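What the UDP/53 query of step 03 and the answer of step 04 look like on the wire. This is an added example and not part of the reference map: it encodes a DNS query (header, RD flag, one question in length-prefixed labels), parses a response including the name-compression pointers real answers use, and applies the basic check a resolver makes before it will cache an answer, namely that the transaction ID and question match what was asked. SAMPLE_RESPONSE is a constructed answer with an RFC 5737 documentation address, not a capture from a real resolver, and nothing here touches the network.

```python
"""DNS on the wire: build the query that step 03 sends over UDP/53 and parse
the kind of answer that comes back from step 04, including the name-compression
pointers (RFC 1035 §4.1.4) that real responses use.

Added example, not part of the reference map. SAMPLE_RESPONSE is a constructed
answer for example.com, not a capture from a real resolver."""
import struct

TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'example.com' -> 07 'example' 03 'com' 00 (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name: str, txid: int, qtype: int = TYPE_A) -> bytes:
    """12-byte header + one question. Flags 0x0100 = RD (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # id, flags, QD, AN, NS, AR counts
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Read a possibly compressed name at offset; return (name, offset just after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: 14-bit pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # the pointer itself is the last thing consumed
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_message(msg: bytes) -> dict:
    """Parse header, question and answer sections of a query or a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(map(str, rdata)) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}


def response_matches(query: bytes, response: bytes) -> bool:
    """Accept an answer only if its ID and question echo the query that was sent; this is the
    basic check a resolver makes before caching (alongside source-port randomisation)."""
    q, r = parse_message(query), parse_message(response)
    return r["is_response"] and q["id"] == r["id"] and q["questions"] == r["questions"]


# Constructed response: same ID as our query, flags 0x8180 (QR, RD, RA), one question,
# one A record whose owner name is a pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0xBEEF, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([203, 0, 113, 10])
)

if __name__ == "__main__":
    query = build_query("example.com", 0xBEEF)
    print(query.hex())
    print(parse_message(SAMPLE_RESPONSE))
    print("matches:", response_matches(query, SAMPLE_RESPONSE))
```

The TTL in the answer (300 seconds here) is what drives the browser and OS caches in steps 01 and 02: until it expires, no packet leaves the machine. The ID-and-question check in response_matches is the reason the "DNS poisoning" entry in the security section is about forging a matching answer, and why resolvers also randomise their source port.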
STEP 05 // L4
TCP Three-Way Handshake
With the IP known, browser opens a TCP connection to port 443. SYN → SYN-ACK → ACK. This establishes a reliable channel before any data is sent.
SYN → SYN-ACK → ACK → connection established
STEP 06 // L6
TLS Handshake
For HTTPS, a TLS handshake negotiates cipher suites, exchanges certificates (to verify the server is legit), and derives shared session keys. All subsequent data is encrypted.
ClientHello → ServerHello + Cert → Key Exchange → Finished
STEP 07 // L7
HTTP GET Request
Browser sends an encrypted HTTP GET request: "give me the HTML for this page." The server responds with status 200 + the HTML body, CSS, JS references, etc.
GET / HTTP/1.1 Host: google.com → 200 OK
STEP 08 // L3–L1
Routing & Physical Delivery
Data is broken into packets (L3), each wrapped in frames (L2) with MAC addresses for each hop. Routers across the internet forward each packet hop-by-hop via BGP routing tables until it arrives at your NIC (L1).
tracert google.com → shows every router hop
STEP 09 // DONE
Page Renders
Browser de-encapsulates, decrypts, reassembles TCP segments in order, parses HTML/CSS/JS, and renders the page. Sub-resources (images, fonts, scripts) trigger additional HTTP requests.

TCP vs UDP: When to Use Which

TCP: When data MUST arrive correctly
TCP USE: Web, email, SSH, file transfer
UDP: When speed matters more than perfection
UDP USE: DNS, VoIP, video, gaming, streaming
HTTP/3: Uses QUIC (UDP-based) for speed

Common Port Numbers

21     FTP
22     SSH / SFTP
25     SMTP (outgoing mail)
53     DNS
80     HTTP
443    HTTPS (TLS)
3389   RDP (Remote Desktop)
1433   SQL Server
5432   PostgreSQL
6379   Redis
27017  MongoDB
Network Security
Network security is about controlling who can reach what, detecting anomalies, and ensuring data confidentiality and integrity in transit.
🔥 Firewall
Filters traffic based on ACL rules — source/dest IP, port, protocol, direction. Can be stateless (packet filter) or stateful (tracks connection state).
Stateless / Stateful
NGFW (Layer 7)
East-West vs North-South
Zone-based policy
WAF (Web App Firewall)
🔒 VPN
Creates an encrypted tunnel over public internet. Remote users access corporate resources as if they were on the internal network.
IPSec tunnel mode
SSL/TLS VPN
WireGuard
Split tunneling
Zero Trust replaces it
🚨 IDS / IPS
Intrusion Detection System monitors traffic for known attack patterns. IPS goes further — it actively blocks malicious traffic in real-time.
Signature-based
Anomaly-based
Inline (IPS) vs passive (IDS)
False positive tuning
🧅 Zero Trust
Modern security model: "never trust, always verify." No implicit trust for anything inside the perimeter. Every request is authenticated, authorized, and inspected.
Identity-driven access
Microsegmentation
MFA everywhere
Least privilege
ZTNA replaces VPN
📊 NAC
Network Access Control enforces policy before devices join the network — checking compliance, identity, and health posture.
802.1X authentication
Posture assessment
Guest VLAN quarantine
RADIUS server
📡 Common Attacks
Key threats your network defenses must address.
DDoS (flood)
ARP spoofing
DNS poisoning
MitM (sniffing)
Port scanning
VLAN hopping
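One of the attacks listed above, ARP spoofing, is detectable from the ARP traffic itself, because the attacker has to claim an IP that another MAC already answered for. The following is an added example and not part of the reference map: a small monitor that learns IP-to-MAC bindings from ARP replies, raises an alert when a known IP is claimed by a different MAC, and rates a changed gateway binding as high severity. SAMPLE_ARP_LOG is a constructed record in a made-up line format, not a real capture, and no packets are sniffed.

```python
"""ARP spoofing detection from a log of ARP traffic: an IP that was first
learned with one MAC and is later claimed by another is flagged, with higher
severity when the IP is the default gateway.

Added example, not part of the reference map. SAMPLE_ARP_LOG is a constructed
record, not a real capture, and no packets are sniffed here."""
from dataclasses import dataclass, field


@dataclass
class ArpMonitor:
    gateway_ip: str
    bindings: dict = field(default_factory=dict)    # ip -> mac as first learned
    alerts: list = field(default_factory=list)

    def observe(self, ts: float, sender_ip: str, sender_mac: str) -> None:
        """Record one ARP reply ('I do, MAC: ...'). Requests carry no claim and are skipped by the caller."""
        mac = sender_mac.lower()
        known = self.bindings.get(sender_ip)
        if known is None:
            self.bindings[sender_ip] = mac          # first sighting: learn it
        elif known != mac:                          # conflict: a second MAC claims this IP
            self.alerts.append({
                "ts": ts, "ip": sender_ip, "known_mac": known, "claimed_mac": mac,
                "severity": "HIGH" if sender_ip == self.gateway_ip else "MEDIUM",
            })
            # Keep the original binding: a genuine NIC swap is confirmed by an operator, not by the newcomer.


def parse_arp_line(line: str):
    """Constructed log format, one packet per line:
       '<ts> reply <ip> is-at <mac>'   or   '<ts> request who-has <ip> tell <ip>'
    Returns (ts, ip, mac) for replies and None for requests or unparsable lines."""
    parts = line.split()
    if len(parts) == 5 and parts[1] == "reply" and parts[3] == "is-at":
        return float(parts[0]), parts[2], parts[4]
    return None


def scan_arp_log(log: str, gateway_ip: str) -> list:
    """Run the monitor over a whole log and return the alerts raised."""
    monitor = ArpMonitor(gateway_ip)
    for line in log.splitlines():
        parsed = parse_arp_line(line)
        if parsed:
            monitor.observe(*parsed)
    return monitor.alerts


SAMPLE_ARP_LOG = """\
1700000001.2 reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01
1700000002.0 request who-has 192.168.1.5 tell 192.168.1.10
1700000002.1 reply 192.168.1.5 is-at aa:bb:cc:dd:ee:05
1700000040.7 reply 192.168.1.1 is-at de:ad:be:ef:00:01
1700000041.0 reply 192.168.1.5 is-at AA:BB:CC:DD:EE:05
"""

if __name__ == "__main__":
    for alert in scan_arp_log(SAMPLE_ARP_LOG, gateway_ip="192.168.1.1"):
        print(alert)
```

The last log line shows the one normalisation that matters: the same MAC written in upper case is not a conflict. On managed switches the preventive counterpart of this passive check is Dynamic ARP Inspection fed by DHCP snooping, which drops replies whose IP/MAC pair does not match the lease table before they reach any host.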
DMZ Architecture

A DMZ (Demilitarized Zone) is a network segment that sits between the internet and the internal network. Public-facing services (web servers, email) live here so that a compromise doesn't directly expose internal systems.

Internet (🌍 Public Users — Untrusted) → 🛡️ FIREWALL 1 (External) → DMZ (🌐 Web Server, 📧 Mail Relay — Restricted) → 🛡️ FIREWALL 2 (Internal) → Internal (💾 DB Servers, 🏢 Corp LAN — Trusted)

// Traffic flows left→right. Return traffic is allowed by stateful firewall rules. Internal systems never directly exposed to internet.
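The two-firewall layout and the "return traffic is allowed by stateful rules" note, turned into a runnable model. This is an added example, not part of the reference map: each firewall carries a default-deny rule set keyed on (from zone, to zone, protocol, destination port) plus a connection table, so a reply to an accepted connection passes without a rule of its own while an unsolicited mid-stream packet is dropped. The zone prefixes (RFC 5737 documentation space for the DMZ, RFC 1918 space for the internal network), the rules and the sample flows are all constructed.

```python
"""A stateful packet-filter model of the two-firewall DMZ: each firewall has a
default-deny rule set keyed on (from zone, to zone, proto, port) and a
connection table, so return traffic of an allowed flow passes without a rule
of its own while stray non-SYN packets are dropped.

Added example, not part of the reference map. Zone prefixes, rules and the
sample flows are constructed (RFC 5737 / RFC 1918 addresses)."""
import ipaddress

ZONES = {   # constructed addressing: public DMZ block, private internal block
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
PATH = ["internet", "fw1", "dmz", "fw2", "internal"]      # left-to-right as in the diagram

# Allowed new connections per firewall; everything else is denied.
RULES = {
    "fw1": {("internet", "dmz", "tcp", 443), ("internet", "dmz", "tcp", 25)},   # web + mail relay
    "fw2": {("dmz", "internal", "tcp", 5432)},                                   # web server -> DB only
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"                       # anything not ours is the untrusted side


class StatefulFirewall:
    def __init__(self, name: str, rules: set):
        self.name, self.rules = name, rules
        self.state = set()                  # established flows as (proto, src, sport, dst, dport)
        self.log = []

    def decide(self, proto, src, sport, dst, dport, syn) -> bool:
        flow = (proto, src, sport, dst, dport)
        reverse = (proto, dst, dport, src, sport)
        if flow in self.state or reverse in self.state:        # part of an established connection
            return True
        if not syn:                                            # mid-stream packet with no state
            self.log.append(("DROP no-state", flow))
            return False
        if (zone_of(src), zone_of(dst), proto, dport) in self.rules:
            self.state.add(flow)                               # remember it so replies can return
            self.log.append(("ACCEPT", flow))
            return True
        self.log.append(("DROP policy", flow))
        return False


def send(firewalls: dict, proto, src, sport, dst, dport, syn=True) -> bool:
    """Push one packet through every firewall between the source and destination zones."""
    lo, hi = sorted((PATH.index(zone_of(src)), PATH.index(zone_of(dst))))
    hops = [PATH[k] for k in range(lo + 1, hi) if PATH[k] in firewalls]
    return all(firewalls[h].decide(proto, src, sport, dst, dport, syn) for h in hops)


# Constructed flows: (proto, src, sport, dst, dport, syn)
SAMPLE_PACKETS = [
    ("tcp", "198.51.100.7", 51000, "203.0.113.10", 443, True),    # public user -> web server
    ("tcp", "203.0.113.10", 443, "198.51.100.7", 51000, False),   # web server's reply
    ("tcp", "198.51.100.7", 51001, "10.0.0.5", 5432, True),       # public user -> DB directly
    ("tcp", "203.0.113.10", 40000, "10.0.0.5", 5432, True),       # web server -> DB
    ("tcp", "203.0.113.10", 40001, "10.0.0.5", 22, True),         # web server -> DB over SSH
    ("tcp", "203.0.113.10", 40002, "10.0.0.5", 5432, False),      # stray ACK with no handshake
]


def simulate(packets) -> list:
    """Fresh firewalls each run; returns the pass/drop decision per packet."""
    firewalls = {name: StatefulFirewall(name, rules) for name, rules in RULES.items()}
    return [send(firewalls, *pkt) for pkt in packets]


if __name__ == "__main__":
    for pkt, ok in zip(SAMPLE_PACKETS, simulate(SAMPLE_PACKETS)):
        print("PASS" if ok else "DROP", pkt)
```

The third and fifth flows are the point of the architecture: a public client can never reach the database tier because FIREWALL 1 has no internet-to-internal rule, and a compromised web server can only reach the one internal port it needs, so the blast radius of a DMZ breach is the single 5432 path rather than the whole corporate LAN.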
