Quick Answer
The OSI model has 7 layers, from bottom to top: 1 Physical (cables, signals), 2 Data Link (MAC addresses, switches), 3 Network (IP addresses, routers), 4 Transport (TCP and UDP, port numbers), 5 Session, 6 Presentation (encryption, TLS), and 7 Application (HTTP, DNS, SMTP). The mnemonic is All People Seem To Need Data Processing (top → bottom). It's used to map protocols, devices, and troubleshooting symptoms to a specific layer on CompTIA A+, Network+, and Security+ exams.
The OSI Model is one of the most important networking concepts on the CompTIA A+ exam. It breaks networking into 7 layers so we can understand how data moves from one device to another — and how to diagnose what went wrong when it doesn't.
What are the 7 layers of the OSI model?
🧠 Memory Trick (top → bottom)
All People Seem To Need Data Processing
Application · Presentation · Session · Transport · Network · Data Link · Physical
7
Application
User-facing protocols — HTTP, FTP, SMTP, DNS
User Interface
6
Presentation
Encryption, formatting, compression
SSL / TLS
5
Session
Opens, manages, and closes connections
Sessions
4
Transport
TCP and UDP live here — reliability and port numbers
TCP · UDP
3
Network
IP addresses and routing between networks
Routers
2
Data Link
MAC addresses and switching within a network
Switches
1
Physical
Cables, signals, voltage, connectors — Ethernet, fiber, Wi-Fi
Cables · NICs
How is the OSI model tested on the CompTIA A+ exam?
| Concept | OSI Layer | Why |
|---|---|---|
| Port numbers | Layer 4 — Transport | TCP/UDP operate here |
| IP addresses | Layer 3 — Network | Routing between networks |
| MAC addresses | Layer 2 — Data Link | Switching within a network |
| Cables / signals | Layer 1 — Physical | Hardware-level transmission |
How do you troubleshoot using the OSI model?
🔴 No link light on NIC or switch port
→
Layer 1 — Physical
🟡 169.254.x.x APIPA address assigned
→
Layer 3 — Network
🔵 Ping works but website won't load
→
Layer 7 — Application
⚡ CompTIA A+ Exam Tip
The exam loves asking you to identify which layer a problem or component belongs to. Memorize: cables = Layer 1, MAC = Layer 2, IP = Layer 3, TCP/UDP = Layer 4, and HTTP/DNS = Layer 7.
When in doubt, work bottom-up — start at Layer 1 (is it plugged in?) and work your way up.
Which protocols and devices live at each OSI layer? (Network+)
The Network+ exam maps specific protocols, devices, and technologies to OSI layers. You need to know not just what each layer does, but which protocols live there and what devices operate at each layer.
| Layer | Name | Protocols | Devices | PDU |
|---|---|---|---|---|
| 7 | Application | HTTP, HTTPS, FTP, SMTP, DNS, DHCP, SNMP, SSH, Telnet, LDAP | Proxy, Load balancer, NGFW | Data |
| 6 | Presentation | TLS/SSL, JPEG, MPEG, ASCII, encryption formats | — | Data |
| 5 | Session | NetBIOS, RPC, SQL sessions, NFS | — | Data |
| 4 | Transport | TCP, UDP, TLS (session establishment) | Firewall (ports) | Segment |
| 3 | Network | IP (IPv4/IPv6), ICMP, OSPF, BGP, RIP, EIGRP, IPsec | Router, Layer 3 switch | Packet |
| 2 | Data Link | Ethernet, Wi-Fi (802.11), ARP, PPP, STP, VLANs (802.1Q) | Switch, Bridge, WAP | Frame |
| 1 | Physical | Ethernet (physical), USB, Bluetooth (physical), DSL | Hub, Repeater, Cable, NIC | Bit |
⚡ Network+ exam tip — Layer 2 vs Layer 3 switches: A standard switch operates at Layer 2 using MAC addresses. A Layer 3 (multilayer) switch can also route between VLANs using IP addresses — it's a switch with routing capability. Exam questions often ask which device operates at which layer.
What is encapsulation in the OSI model?
When data is sent, each layer adds its own header (and sometimes trailer). This is called encapsulation. On the receiving end, each layer strips its header — called de-encapsulation.
Layer 7–5 Application Data ← HTTP request, email, file
Layer 4 [TCP/UDP Header] + Data ← adds port numbers → Segment
Layer 3 [IP Header] + Segment ← adds IP addresses → Packet
Layer 2 [Ethernet Header] + Packet + [FCS Trailer] ← adds MAC → Frame
Layer 1 101001011... ← Frame converted to bits on wire
Layer 4 [TCP/UDP Header] + Data ← adds port numbers → Segment
Layer 3 [IP Header] + Segment ← adds IP addresses → Packet
Layer 2 [Ethernet Header] + Packet + [FCS Trailer] ← adds MAC → Frame
Layer 1 101001011... ← Frame converted to bits on wire
Which attacks target which OSI layer? (Security+)
Security+ maps attacks to the OSI layer where they occur. Understanding which layer an attack targets tells you which layer the defence needs to operate at.
| Layer | Attack | How It Targets This Layer | Defence Layer |
|---|---|---|---|
| 7 — Application | SQL injection, XSS, CSRF | Exploits application logic and input handling | WAF, input validation, secure coding |
| 7 — Application | Phishing, social engineering | Targets the human user of the application | User training, email filtering |
| 6 — Presentation | SSL stripping, downgrade attacks | Forces plaintext by removing TLS encryption | HSTS, TLS pinning, strong cipher policy |
| 5 — Session | Session hijacking, replay attack | Steals or replays valid session tokens | Encrypted sessions, short token lifetimes |
| 4 — Transport | SYN flood, port scanning | Exploits TCP handshake or probes open ports | SYN cookies, firewall port filtering |
| 3 — Network | IP spoofing, route poisoning, DDoS | Forges source IPs or manipulates routing tables | BCP38, OSPF authentication, rate limiting |
| 2 — Data Link | ARP spoofing, MAC flooding, VLAN hopping | Poisons ARP cache or floods switch CAM table | DAI, port security, private VLANs |
| 1 — Physical | Wiretapping, jamming, hardware keylogger | Intercepts or disrupts physical medium | Physical security, fibre (harder to tap), TEMPEST shielding |
⚡ Security+ exam tip: When a scenario describes an attack, identify the layer first — then match the defence. A WAF operates at Layer 7. A firewall filtering ports operates at Layer 4. A switch with port security operates at Layer 2. The exam tests whether you can match controls to the correct layer.
What are real exam scenarios for the OSI model?
A technician adds a source IP address and destination IP address to a packet. At which OSI layer is this occurring?
Layer 3 — Network. IP addresses are added at the Network layer during encapsulation. MAC addresses are added at Layer 2. Port numbers are added at Layer 4.
An attacker is sending forged ARP replies to redirect traffic through their machine. Which OSI layer is being attacked?
Layer 2 — Data Link. ARP operates at Layer 2, mapping IP addresses to MAC addresses. ARP spoofing poisons the ARP cache so traffic is forwarded to the attacker's MAC. Dynamic ARP Inspection (DAI) on a managed switch defends against this.
You plug a new device into a network switch. The switch learns the device's address and starts forwarding traffic. What address did the switch learn, and at which layer?
MAC address, Layer 2. Switches build a CAM (Content Addressable Memory) table mapping MAC addresses to switch ports. This is a Layer 2 function. Routers make forwarding decisions at Layer 3 using IP addresses.
Related Networking Articles
Preparing for the A+ Exam?
See the books, practice exams, and free resources that actually work.