Classify how applications, devices, and protocols relate to the OSI model layers. Chapter 2 aims to dig deeper into the concepts introduced in the previous chapter to ensure that students have a solid understanding of networking fundamentals and which network devices (i.e., hubs, switches, routers) fit into which layers of the OSI reference model.
The main purpose of a network is facilitating communication and information-sharing between network-enabled resources (e.g., workstations, servers, and other network devices). The following sections will present components that can be found at each of the first three OSI layers. You can learn more about the OSI in our Cisco CCNA course.
Networking Devices and the OSI Layers
An important aspect of networking technology is understanding the different network products available on the market. This is really important when designing Local Area Network (LAN) and Wide Area Network (WAN) solutions.
The three most common network devices in use are routers, switches, and hubs. Their topology diagram representation is shown in Figure 2.1 below:
Figure 2.1 – Network Devices
When describing various network devices, specific terminology is used:
- Domain: a specific part of a network
- Bandwidth: the amount of data that can be carried on a link in a given time period
- Unicast data: data sent to one device
- Multicast data: data sent to a group of devices
- Broadcast data: data sent to all devices
- Collision domain: includes all devices that share the same bandwidth; collision domains are separated by switches
- Broadcast domain: includes all devices that receive Broadcast messages; broadcast domains are separated by routers
|Note: The concept of Unicast, Multicast, and Broadcast transmission has different meanings, depending on whether they refer to Layer 2 or Layer 3. However, they all apply to both MAC addresses and IP addresses.|
Layer 1 Network Components
As described in Chapter 1, the Physical Layer-specific PDU (protocol data unit) is a bit. As the frame is passed down to the Physical Layer, the information is converted into 0 and 1 bits that are sent over the physical media using, for example, electrical signals (for copper links). The data is sent over the wire using a wide variety of methods, such as Ethernet, Token Ring, or other technologies.
Network Interface Cards (NICs)
The NIC (network interface card or network interface controller) connects a device to the network. Most modern PCs and laptops have a built-in NIC, and most of them are compatible with RJ45 (Registered Jack 45) connectors. The RJ45 connector allows for standardization and compatibility between network components with copper cable connectivity.
Figure 2.2 – Network Interface Card (Copper)
The NIC shown in Figure 2.2 above contains the electronic circuits required to communicate, using specific Physical Layer and Data Link Layer standards such as Ethernet. This allows communication with devices on the same local network or on large-scale infrastructures.
A special type of network card is a Wi-Fi NIC (see Figure 2.3 below), which allows the computer to connect to a wireless network, as opposed to a copper-wired network. The Wi-Fi NIC has an internal or external antenna that is integrated into modern devices (e.g., PCs, laptops, tablets, smartphones, and PDAs), but it can also be a dedicated card used to upgrade older non-Wi-Fi-compatible computers, using either the integrated PCI or the popular USB interfaces.
Figure 2.3 – Network Interface Card (Wi-Fi)
Network cables and patch cords are used to connect a computer to a switch or to inter-connect other network devices (e.g., switches, routers, firewalls, etc.). Common network cables are either copper or fiber-optic (FO) based.
Copper-based network cables are usually terminated with RJ45 connectors at both ends to ensure compatibility with most of the NICs and network device ports available today. They offer physical access (connectivity) from a computer or other device to the network. A copper patch cord terminated with RJ45 connectors is shown in Figure 2.4 below:
Figure 2.4 – Copper Patch Cord
Another commonly used network cable type is FO (fiber optic) cable, which usually ensures higher transmission rates and distances than copper-based cables. FO technology sends the signal on the wire using light beams, as opposed to the electrical signals used by copper cables. Another difference between copper and FO cables is the connectors used to terminate the cable. While the standardized approach for copper cables is using RJ45 connectors almost exclusively, FO cables commonly use multiple connector types, including LC, SC, MTRJ, ST, and FC (see Figure 2.5 below).
FO cables can be built using several technologies, including single-mode and multi-mode optics. Single-mode FO cables offer higher transmission distances compared with multi-mode cables, but they are also more expensive.
Figure 2.5 – FO Patch Cord with LC Connectors on Both Ends
Some devices, such as PCs, laptops, tablets, and smartphones, do not need cables to connect to the network infrastructure, as they use wireless connectivity via built-in Wi-Fi NICs. Although no cabling is needed for these devices to access network resources, they still have Physical Layer connectivity because the bits are sent through the air using radio frequency (RF) signals, as opposed to electrical signals over copper cables or light beams over FO cables.
Hubs are network devices with multiple RJ45 ports that operate at Layer 1 and connect multiple devices, which are all on the same LAN. The importance of hubs appeared with the need to connect more than two devices, because a cable can only connect two endpoints.
Unlike switches, hubs do not have any intelligence and do not process packets in any way. They just send all the data received on a port to all the other ports, so devices receive all the packets that traverse the specific network, even if the addresses do not match. For this reason, hubs are also called multiport repeaters, as they forward the bits received from a specific port to all of the other active ports without using any Layer 2 logic. This behavior is depicted in Figure 2.6 below, where a packet sent by PC 1 to PC 3 is broadcasted out of all the ports by the hub and the workstations that do not need that packet (i.e., PC 2 and PC 4) will discard it.
Figure 2.6 – Hub Operations
Hubs are rarely used in modern networks, as they have been replaced by switches.
|Note: Devices connected to the hub are in the same collision domain and the same broadcast domain. We cover collision domains in detail later in this guide.|
Layer 2 Network Components
As described in Chapter 1, the Layer 2-specific PDU is a frame. The Data Link Layer created this new data unit by adding a Layer 2 frame header and trailer before passing it down to the Physical Layer. The most important information inside the frame header is the source and destination MAC addresses.
Layer 2 addresses are also called MAC (Media Access Control) addresses, physical addresses, or burned-in addresses (BIAs). These are assigned to NICs or device interfaces when they are manufactured.
MAC addresses are 48-bit values. The first 24 bits represent the Organizational Unique Identifier (OUI) code, which identifies the vendor of the device. The second-least significant bit in the OUI portion identifies whether the address has been locally (a bit value of 1) or universally (a bit value of 0) assigned, and the most significant bit identifies a Unicast MAC address (a bit value of 0) or a Multicast address (a bit value of 1). The last 24 bits form a unique value assigned to the specific interface so that each network interface can be identified in a unique way via the associated MAC address. This MAC address structure is illustrated in Figure 2.7 below:
Figure 2.7 – MAC Address Structure
|Note: Each NIC has a BIA (MAC address), so they could be considered both Layer 1 devices and Layer 2 devices.|
Using hubs in medium-sized and large networks (or in any network for that matter) is not efficient. In order to improve performance, especially from a bandwidth and security standpoint, LANs are divided into multiple smaller LANs called collision domains and are interconnected by a LAN switch. When using switches, only the destination device in a communication flow receives the data sent by the source device, and multiple conversations between devices connected to a switch can happen simultaneously.
Switches have some intelligence, unlike hubs, because they send data to a port only if the data needs to reach that particular segment. This switching intelligence is based on a MAC table the switches keep in their memory. That table contains MAC address-to-port mappings and is populated in the following way: when a device sends data to a device located on another switch port, the switch learns the source MAC address (Layer 2 address) and its associated port. It then floods the received frames to all ports except the port on which it was received. This process continues until the MAC table is filled with entries for all of the devices in the network. When a switch must forward a frame with a destination MAC address that can be found in the MAC table, it forwards that frame only to that specific port.
The switching operation outlined above is exemplified in Figure 2.8 below; assume that the switch’s MAC address table is empty (i.e., the switch was just plugged in). When PC 1 sends a frame to PC 3, the switch does not know the port that PC 3 is connected to so it floods that frame out of all ports except the port on which it was received (port 1). At the same time, it records the source port and MAC address of that specific frame (port 1, with the MAC address of PC 1). When PC 3 responds and sends a frame back to PC 1, the switch does not have to flood that frame out of all ports because it now knows the port associated with PC 1. It forwards the frame just on port 1 to reach the destination. At the same time, it also records the port-MAC association for PC 3. If PC 1 sends a future frame to PC 3, the switch will forward it only on port 3 because it now knows where PC 3 is connected.
Figure 2.8 – Switching Operation (Building the MAC Address Table)
Special scenarios are those in which the destination Layer 2 field contains a Multicast or Broadcast address. In that case, the switch forwards the frame on multiple ports.
Devices connected to a switch port are in their own collision domains, so in effect, each port on the switch is its own collision domain. This is the most important feature of a switch: it separates collision domains. On the other hand, all devices connected to a switch are in the same broadcast domain. A broadcast frame will be sent to all connected devices out of each port.
Switches are considered Layer 2 devices because they make forwarding decisions based on Layer 2 (MAC) addresses.
|Note: A bridge is an old name for a switch. The bridge was the first step up from a hub and it offered limited switching capacities, usually containing two or four ports (while a switch commonly is equipped with up to 48 ports). Bridges use the same forwarding logic as switches.|
A special category of switches are Layer 3 switches, which have full Layer 3 capabilities, including routing. They are also called routing switches or, more often, multilayer switches, as they can make forwarding decisions at multiple layers.
Switches are network devices that separate collision domains and process data at high rates, as the switching function is implemented in hardware using application-specific integrated circuits (ASICs). Networks are segmented by switches in order to provide more bandwidth per user by reducing the number of devices that share the same bandwidth. Switches forward traffic only on interfaces that need to receive the traffic. In the case of Unicast traffic, switches forward the frame on a single port rather than on all ports.
The bridge table is an internal data structure that records all the MAC address-to-interface pairs, whenever the switch receives a frame from a device. When the switch is first turned on, the bridge table (also called the switch table, the MAC address table, and the content addressable memory (CAM) table) contains no entries. When a frame enters an interface, the switch adds the source MAC address and the source port to its bridge table and then examines the destination MAC address. If this is a Broadcast, Multicast, or unknown Unicast address, the switch floods the frame out of all ports, except for the source port. If the source and the destination addresses are on the same interface, the frame is discarded. If the destination address is known (i.e., the switch has a valid entry in the bridge table), the switch forwards the frame out of the corresponding interface. This switching operation is summarized in Figure 2.9 below:
Figure 2.9 – Switching Operation (Flooding Frames)
In addition to flooding unknown Unicast frames, switches also flood two other frame types: Broadcast and Multicast. Various multimedia applications generate Multicast or Broadcast traffic that propagates throughout a switched network (i.e., the broadcast domain).
Switches learn source MAC addresses so they can send data to the appropriate destination segments. When a switch learns a source MAC address, it records the time of its entry. Every time the switch receives a frame from that source, it updates the timestamp. If a switch does not hear from that source before a predefined aging time expires, that entry is removed from the bridge table. The default aging time in Cisco access switches is five minutes. This behavior is outlined in Table 2.1 below (the sender workstation has the AAAA.AAAA.AAAA.AAAA MAC address):
Table 2.1 – Behavior of the Mac Address Table
|Action||Port||MAC Address||Age (sec)|
|00:00||Host A sends frame #1||Fa0/1||AAAA.AAAA.AAAA.AAAA||0|
|01:15||Host A sends frame #2||Fa0/1||AAAA.AAAA.AAAA.AAAA||0|
|06:16||Entry aged out (deleted)||–||–||–|
|06:30||Host A sends frame #3||Fa0/1||AAAA.AAAA.AAAA.AAAA||0|
MAC address table entries are removed when the aging time expires because switches have a finite amount of memory, limiting the number of addresses it can remember in its bridge table. If the MAC address table is full and the switch receives a frame from an unknown source, the switch floods that frame on all ports until an opening in the bridge table allows the bridge to learn about the station. Entries become available whenever the aging timer expires for an address. The aging timer helps to limit flooding by remembering the most active stations in the network. The aging timer can be adjusted if the total number of network devices is lower than the bridge table capacity. This allows the switch to remember the station longer and reduces flooding.
|Note: The process of flooding new, unknown frames when the MAC address table is full is a potential security risk because an attacker could take advantage of this behavior and overwhelm the bridge table. If the attacker is successful, all the ports (including the attacker port) will receive all the new frames, even if they are not destined for them.|
Layer 3 Network Components
As described in Chapter 1, the Network Layer-specific PDU is a packet. As data comes down from the Transport Layer, the Network Layer places its Layer 3 header in front of the segment received and this group becomes a packet (or a datagram). The Layer 3 header contains very important fields, including the logical address (IP address) of both the source device and the destination device.
As the frame is passed down to the Physical Layer, the information is converted into 0 and 1 bits that are sent over physical media using, for example, electrical signals (for copper links). The data is sent over the wire using a wide variety of methods, such as Ethernet, Token Ring, or other technologies.
Network Layer Addresses
Although each network interface has a unique MAC address, this does not indicate the location of a specific device or what network it is attached to. This means that a router can’t determine the best path to that device. In order to solve this problem, Layer 3 addressing is used. Network Layer addresses are logical addresses assigned when a device is placed in the network and changed when the device is moved.
Network Layer addresses have a hierarchical structure made of two parts: the network address and the host address. Logical addresses can be assigned manually by the administrator or dynamically via a dedicated protocol, like Dynamic Host Configuration Protocol (DHCP). All the devices in a network have the same network portion of the address and different host identifiers. This addressing structure can be observed in Figure 2.10 below, both for IPv4 and for IPv6. IPv4 and IPv6 address structures will be covered in detail in subsequent sections of this chapter.
Figure 2.10 – Network Layer Addressing Structure
Routers analyze the network portion of IP addresses and compare them with entries from its routing table. If a match is found, the packet is sent out of the appropriate interface. In the case of directly connected devices, routers also examine the host portion of the address to ensure that the packet will be sent to the appropriate device. The router uses the Address Resolution Protocol (ARP) to determine the MAC address of the device with a specific IP address and encapsulates the packet with a header that contains that specific MAC address before sending it on the wire.
IPv4 addresses are 32-bit numbers represented as strings of zeros and ones. As mentioned before, the Layer 3 header contains a Source IP Address field and a Destination IP Address field. Each field is 32 bits in length.
To create a more intuitive representation of IPv4 addresses, the 32 bits can be divided into 4 octets (1 octet (or byte) = 8 bits) separated by dots. This representation is called dotted-decimal notation. The octets can be converted into decimal numbers using standard base-2 to base-10 translation.
For example, consider the following 32-bit string:
After dividing it into 4 octets, you have the following binary representation:
This translates into an easy to read decimal representation:
An IPv4 packet contains the following fields, as depicted in Figure 2.11 and Table 2.2 below:
Figure 2.11 – IPv4 Packet Fields
Table 2.2 – Size and Description of IPv4 Packet Fields
|Version||4 bits||Identifies the IP version (IPv4 in this case)|
|Header Length||4 bits||Size of the header|
|Type of Service (ToS)||8 bits||QoS marking, specifies how the packet should be handled within the network|
|Total Length||16 bits||The size (in octets) of the header and data|
|Identification||16 bits||Used when the packet is fragmented|
|Flags||3 bits||Used when the packet is fragmented|
|Fragment Offset||13 bits||Used when the packet is fragmented|
|Time To Live (TTL)||8 bits||Protection against endless loops, decremented by 1 on every router the packet passes through|
|Protocol||8 bits||Identifies the Layer 4 protocol (TCP, UDP)|
|Header Checksum||16 bits||The checksum of the header, used to verify its integrity|
|Source IP Address||32 bits||Source logical IP address|
|Destination IP Address||32 bits||Destination logical IP address|
|IP Options||Variable||Used for debugging|
|Padding||Variable||Used for debugging|
|Data||Variable||Transport Layer data|
The limited number of IPv4 addresses and the permanent increase in the number of addressable network devices all over the world has accelerated the implementation of IP version 6. IPv6 addresses have a different structure compared with IPv4 addresses. IPv6 addresses are 128 bits long, which means that a larger pool of IPv6 addresses is available. The notation of IPv6 addresses is also different: while an IPv4 address can be written in decimal format, an IPv6 address is notated in hexadecimal format (16 bits separated by colons), for example, 2001:43aa:0000:0000:11b4:0031:0000:c110.
An IPv6 packet contains the following fields, as depicted in Figure 2.12 and Table 2.3 below:
Figure 2.12 – IPv6 Packet Fields
Table 2.3 – Size and Description of IPv6 Packet Fields
|Version||4 bits||Identifies the IP version (IPv6 in this case)|
|Traffic Class||8 bits||Similar to the ToS byte in the IPv4 header, QoS marking functionality|
|Flow Label||20 bits||Used to identify and classify packet flows|
|Payload Length||16 bits||The size of the packet payload|
|Next Header||8 bits||Similar to the Protocol field in the IPv4 header, defines the type of traffic contained within the payload and which header to expect|
|Hop Limit||8 bits||Similar to the TTL field in the IPv4 header, prevents against endless loops|
|Source IP Address||128 bits||Source logical IPv6 address|
|Destination IP Address||128 bits||Destination logical IPv6 address|
|Data||Variable||Transport Layer data|
IPv6 addresses are four times the size of IPv4 addresses. This size disparity will be covered in detail in Chapter 3.
|Note: Using the IEEE’s 64-bit Extended Unique Identifier (EUI-64) format, a network device can automatically assign itself an IPv6 address. This is done by referencing the unique 48-bit MAC address and reformatting the value so that it matches the EUI-64 specification.|
From the Network+ standpoint, the most intelligent devices in a network are routers. Routers are Layer 3 devices that use Layer 3 addresses and allow devices in different LANs to communicate with each other. By default, they do not forward any information between devices connected to different ports.
Figure 2.13 – Router Operations
Figure 2.13 above illustrates how a router operates, and this can be described as follows: the router reads the source and destination IP addresses in the packets and keeps track of which devices connect to which ports and which devices need to communicate with devices on other ports. A router separates broadcast domains, so devices connected to different ports are located in different broadcast domains. The process of moving a packet across different broadcast domains is called routing and it works by implementing different routing protocols on the router. Routing behavior is discussed further in Chapter 4.
Some important concepts to keep in mind regarding routers are as follows:
- Routers block Multicast and Broadcast packets by default. This is a significant difference between a router and a switch, and it helps control bandwidth utilization on a network.
- Devices connected to the same router port are in the same collision and broadcast domains, but devices connected to different router ports are in different collision and broadcast domains.
- Routers are considered Layer 3 devices because they make forwarding decisions based on Layer 3 (IP) addresses.
Routers are devices that operate at OSI Layer 3 and their responsibility is to determine the best path a packet can take to a specific destination. After the best path has been chosen, the packet is encapsulated with a new frame and the router places the packet on the interface that has a link to the next hop in that path.
The process of choosing the best path is called routing, and the process of sending the packet on the correct interface is called switching. Although routers are the most popular devices that make routing decisions, other network devices can have routing functionality, such as Layer 3 switches and security appliances.
A router is responsible for sending the packet the correct way and it doesn’t care about what is happening above the Network Layer. However, a router is concerned with what is happening at the Physical and Data Link Layers because it might need to receive data on certain media and send over a different media type. This is performed by decapsulating the packet received up to the Network Layer and encapsulating it with the header specific to the other media type.
An example that illustrates this behavior is depicted in Figure 2.14 below. Router A receives the packet over an Ethernet connection, re-encapsulates it with a Frame Relay header, and sends it to Router B, which manages the packet in the opposite way: it strips the Frame Relay header and encapsulates it in the Ethernet format before sending the packet to the receiver’s endpoint. Notice that the routers only care about the first three OSI layers.
Figure 2.14 – Routing across Different Physical Media
Routers look at the packet’s destination address to determine where the packet is going so they can select the best path to get the packet there. To calculate the best path, routers must know what interface should be used to reach the packet’s destination network. Routers learn about networks either by being physically connected to them or by learning information from other routers or from a network administrator.
Even though data encryption is usually a function of Layer 6 (Presentation Layer) of the OSI reference model, or the Application Layer of the TCP/IP protocol suite, this process does not always happen at these layers. Certain devices can implement Layer 2, Layer 3, or Layer 4 encryption. For example, special network equipment can be used to encrypt data between routers at a specific end of a WAN link and decrypt traffic at the other end using a Layer 3 approach.
The main purpose of a network is facilitating communication and information-sharing between network-enabled resources (e.g., workstations, servers, and other network devices).
The NIC (network interface card or network interface controller) connects a device to the network. Most modern PCs and laptops have a built-in NIC, and most of them are compatible with RJ45 (Registered Jack 45) connectors. Network cables and patch cords are used to connect a computer to a switch or to interconnect other network devices (e.g., switches, routers, firewalls, etc.). Common network cables are either copper or fiber-optic (FO) based.
Hubs are network devices with multiple RJ45 ports that operate at Layer 1 and connect multiple devices, which are all in the same LAN. The importance of hubs appeared with the need to connect more than two devices, because a cable can only connect two endpoints. Unlike switches, hubs do not have any intelligence and do not process packets in any way. They just send all the data received on a port to all the other ports, so devices receive all the packets that traverse the specific network, even if the addresses don’t match.
Layer 2 addresses are also called MAC (Media Access Control) addresses, physical addresses, or burned-in addresses (BIAs). These are assigned to NICs or device interfaces when they are manufactured.
When using switches, only the destination device in a communication flow receives the data sent by the source device, and multiple conversations between devices connected to a switch can happen simultaneously. Switches have some intelligence, unlike hubs, because they send data to a port only if the data needs to reach that particular segment. This switching intelligence is based on a MAC table switches keep in their memory.
Network Layer addresses are logical addresses assigned when a device is placed in the network and changed when the device is moved. Network Layer addresses have a hierarchical structure made of two parts: the network address and the host address. Logical addresses can be assigned manually by the administrator or dynamically via a dedicated protocol, like DHCP (Dynamic Host Configuration Protocol).
IPv4 addresses are 32-bit numbers represented as strings of zeros and ones. The Layer 3 header contains a Source IP Address field and a Destination IP Address field. Each field is 32 bits in length. In order to have a more intuitive representation of IPv4 addresses, the 32 bits can be divided into 4 octets (1 octet (or byte) = 8 bits) separated by dots. This representation is called dotted-decimal notation. The octets can be converted into decimal numbers by standard base-2 to base-10 translation.
The most intelligent devices in a network are routers. Routers are Layer 3 devices that use Layer 3 addresses and allow devices on different LANs to communicate with each other. By default, they do not forward any information between devices connected to different ports.
Read the Cloudflare OSI model article.