What is the difference between the OSI model and the TCP/IP model?

The OSI (Open Systems Interconnection) model has 7 layers: Physical, Data Link, Network, Transport, Session, Presentation, Application. The TCP/IP model has 4 layers: Network Access (or Link), Internet, Transport, Application. The TCP/IP model collapses OSI's top three layers (Session, Presentation, Application) into one Application layer and OSI's bottom two (Physical, Data Link) into one Network Access layer. Both describe the same network stack — different abstractions.

Why do networking exams still use OSI when TCP/IP is what actually runs?

Because OSI is a more granular teaching model. When troubleshooting an issue, 'layer 2 problem' (Data Link, MAC addresses, switches) is more specific than 'Network Access problem' (which lumps cable issues and MAC issues together). The 7-layer OSI taxonomy maps to how vendors label their tools (layer-2 switch vs layer-3 router vs layer-7 firewall), so the model persists in industry vocabulary regardless of what runs on the wire.

What's the easiest way to memorize the OSI layers?

Bottom-up mnemonic: 'Please Do Not Throw Sausage Pizza Away' for Physical, Data Link, Network, Transport, Session, Presentation, Application. Top-down: 'All People Seem To Need Data Processing' for Application, Presentation, Session, Transport, Network, Data Link, Physical. The exam may ask either direction so know both.

Which OSI layer does a firewall operate at?

It depends on the firewall type. A stateless packet filter operates at Layer 3 (Network — IP addresses, port numbers). A stateful firewall operates at Layers 3 and 4 (adds TCP/UDP state tracking). A next-generation firewall (NGFW) operates at Layers 3 through 7, inspecting application content and user identity. When the exam asks 'what layer is a firewall,' the answer depends on what type of firewall — read the question carefully.

What is encapsulation in the OSI model?

Encapsulation is the process of wrapping data with headers as it moves down the OSI stack from Application to Physical. The Application data gets a Transport header (TCP or UDP) at layer 4, then a Network header (IP) at layer 3, then a Data Link header (Ethernet) at layer 2, then becomes a bit stream at layer 1. Each layer adds its own header. On the receiving side, each layer strips its header in reverse — that's de-encapsulation.

OSI vs TCP/IP Layer Mapping — A Cheat Sheet for the N10-009 Exam

Every Network+ exam attempt has 10–15 questions that test whether you can map a protocol, a piece of hardware, or a troubleshooting symptom to the correct OSI layer. Get those right and you bank 15 points. Get them confused and you lose a passing score over avoidable mistakes.

The good news: layer questions are pure memorization with a tight set of mappings. This post is the complete cheat sheet — OSI’s 7 layers, TCP/IP’s 4 layers, the protocols that live at each, the hardware that operates there, and the specific traps the exam uses to catch people who memorized half the table.

The two models side by side

OSI Layer	OSI Name	TCP/IP Layer	TCP/IP Name
7	Application	4	Application
6	Presentation	4	Application
5	Session	4	Application
4	Transport	3	Transport
3	Network	2	Internet
2	Data Link	1	Network Access (Link)
1	Physical	1	Network Access (Link)

The single sentence to memorize: TCP/IP collapses OSI 5/6/7 into one Application layer and OSI 1/2 into one Network Access layer. Everything else maps 1:1.

The N10-009 exam uses both models. When a question says “layer 7” it means OSI. When it says “Application layer” it usually means TCP/IP (because TCP/IP layers are named, not numbered). Read carefully.

Layer-by-layer with protocols, PDUs, and hardware

The full cheat sheet. Memorize column 2, 3, and 4 for each row — that covers ~80% of the layer questions.

OSI #	Layer	PDU name	Hardware	Protocols / examples
7	Application	Data	Application server, NGFW (L7)	HTTP, HTTPS, FTP, SFTP, SMTP, IMAP, POP3, DNS, SNMP, SSH, Telnet, DHCP, NTP, LDAP
6	Presentation	Data	(rare to dedicate hardware)	TLS/SSL, JPEG, MPEG, ASCII, EBCDIC, encryption / compression / encoding
5	Session	Data	(rare to dedicate hardware)	NetBIOS, RPC, SQL sessions, PPTP, H.323, SOCKS
4	Transport	Segment (TCP) / Datagram (UDP)	Stateful firewall, load balancer (L4)	TCP, UDP, port numbers (0–65535)
3	Network	Packet	Router, layer-3 switch, packet filter	IPv4, IPv6, ICMP, IGMP, IPsec, OSPF, EIGRP, BGP, RIP
2	Data Link	Frame	Switch, bridge, NIC, wireless AP	Ethernet (802.3), Wi-Fi (802.11), PPP, Frame Relay, ARP, STP, MAC addressing, VLANs (802.1Q)
1	Physical	Bit	Hub, repeater, cable, transceiver	Copper (Cat 5e/6/6a), fiber, RJ-45, BNC, voltage / signal encoding, 1000BASE-T

The PDU (Protocol Data Unit) naming pattern is a classic exam-question target. Memorize: Bit → Frame → Packet → Segment → Data → Data → Data going up the stack. The exam asks “what is the PDU at layer 4?” expecting “segment” (for TCP) or “datagram” (for UDP).

The encapsulation flow

When an HTTP request leaves your laptop, this is what happens to the data:

Layer 7  Application:    "GET /index.html HTTP/1.1"
                              │
Layer 4  Transport:      [TCP header | "GET /index.html HTTP/1.1"]
                              │
Layer 3  Network:        [IP header | TCP header | "GET ..."]
                              │
Layer 2  Data Link:      [Ethernet header | IP header | TCP header | "GET ..." | Ethernet trailer]
                              │
Layer 1  Physical:       10101110010110010001011010001101...

Each layer wraps the previous layer’s PDU with its own header (and sometimes a trailer at layer 2). On the receiving side, each layer strips off its own header and hands the inner PDU upward.

The exam asks encapsulation in three ways:

“What header is added at layer 3?” → IP header
“What is the PDU after layer 2 encapsulation?” → Frame
“In what order are headers added as data moves down the stack?” → Application → Transport → Network → Data Link → Physical

Where each common protocol lives (memorize this table)

The single most-frequently-tested protocol-to-layer mapping table. Memorize this and you have 10 points in the bank.

Protocol	OSI Layer	Default Port	Notes
HTTP	7 (Application)	80 (TCP)
HTTPS	7 (Application)	443 (TCP)	TLS encryption at layer 6
SSH	7 (Application)	22 (TCP)
Telnet	7 (Application)	23 (TCP)	Unencrypted — exam trap
FTP	7 (Application)	20, 21 (TCP)	20 = data, 21 = control
SFTP	7 (Application)	22 (TCP)	Runs over SSH
FTPS	7 (Application)	989, 990 (TCP)	FTP over TLS, distinct from SFTP
SMTP	7 (Application)	25, 587 (TCP)	25 = unauth, 587 = submission
POP3 / POP3S	7 (Application)	110 / 995 (TCP)
IMAP / IMAPS	7 (Application)	143 / 993 (TCP)
DNS	7 (Application)	53 (TCP + UDP)	UDP for query, TCP for zone transfer
DHCP	7 (Application)	67, 68 (UDP)	Server 67, client 68
NTP	7 (Application)	123 (UDP)
SNMP	7 (Application)	161, 162 (UDP)	161 = poll, 162 = trap
LDAP / LDAPS	7 (Application)	389 / 636 (TCP)
Syslog	7 (Application)	514 (UDP)
RDP	7 (Application)	3389 (TCP)
TLS / SSL	6 (Presentation)	(no port — wraps L7)	The encryption layer
NetBIOS	5 (Session)	137, 138 (UDP), 139 (TCP)	Legacy Windows
TCP	4 (Transport)	—	Reliable, connection-oriented
UDP	4 (Transport)	—	Unreliable, connectionless
IPv4	3 (Network)	—	32-bit addresses
IPv6	3 (Network)	—	128-bit addresses
ICMP	3 (Network)	—	ping, traceroute
IGMP	3 (Network)	—	Multicast group management
OSPF	3 (Network)	—	Link-state routing
BGP	3 (Network)	179 (TCP)	Inter-AS routing
ARP	2 (Data Link)	—	IP → MAC resolution (exam trap — see below)
STP	2 (Data Link)	—	Spanning Tree
Ethernet	2 (Data Link)	—	802.3
802.11 (Wi-Fi)	2 (Data Link)	—
PPP	2 (Data Link)	—	Point-to-point links

The exam traps you must know

Five layer-mapping traps the N10-009 uses repeatedly.

Trap 1 — ARP is layer 2 or layer 3?

ARP (Address Resolution Protocol) translates IP addresses to MAC addresses. It uses both an IP address (layer 3) and a MAC address (layer 2). Different sources put it at different layers.

Exam answer: Layer 2 (Data Link). CompTIA places ARP at layer 2 because it deals with MAC-address resolution within a broadcast domain — the function is L2 even though it carries an L3 address inside the request. If the question gives layer 3 as an option and not layer 2, take layer 3.

Trap 2 — TLS / SSL is layer 5 or 6 or 7?

TLS encrypts application-layer traffic but isn’t itself an application. Various sources put it at 5, 6, or 7.

Exam answer: Layer 6 (Presentation). TLS handles encryption/encoding — the canonical Presentation-layer responsibility. Some questions accept layer 5 (Session) because TLS also negotiates sessions, but if both are options, take layer 6.

Trap 3 — Layer-3 switch vs router

Both forward IP packets at layer 3. The exam may ask “which is the layer-3 device?”

Exam answer: Both are layer-3 devices. The trap is questions that include only one in the options. If only “router” is listed, take it. If only “layer-3 switch” is listed, take it. If both are options, look for a distinguishing detail in the question (routing protocols → router; high-speed inter-VLAN routing within a campus → layer-3 switch).

Trap 4 — NGFW operating layer

A next-generation firewall does packet filtering (L3), state tracking (L4), and application inspection (L7). The exam may ask “what is the operating layer of an NGFW?”

Exam answer: Layer 7 if asked for the highest layer. Multiple layers (3–7) if a “select all that apply” question. If the question simply says “firewall” without “next-generation,” default to L3/L4.

Trap 5 — DNS uses TCP or UDP?

Both. Default queries use UDP port 53. Zone transfers (and large responses, like with DNSSEC) use TCP port 53.

Exam answer: Look for keywords. “Query” or “lookup” → UDP. “Zone transfer” → TCP. “What transport protocol does DNS use” with no qualifier → UDP (most common), but the technically-correct answer is “both” if it’s an option.

The hardware-to-layer mapping

Almost as commonly tested as protocols.

Device	OSI Layer	What it inspects
Hub	1 (Physical)	Nothing — repeats every bit on every port
Repeater	1 (Physical)	Nothing — boosts signal
Cable / fiber	1 (Physical)	(medium)
Bridge	2 (Data Link)	MAC addresses
Switch (standard)	2 (Data Link)	MAC addresses
Switch (layer-3)	3 (Network)	MAC + IP addresses
Wireless Access Point	2 (Data Link)	MAC addresses (plus Wi-Fi PHY at L1)
NIC	1 + 2	Physical signal + MAC
Router	3 (Network)	IP addresses
Stateless firewall	3 (Network)	IP addresses, port numbers
Stateful firewall	4 (Transport)	+ TCP/UDP state
Next-generation firewall	7 (Application)	+ app content, user identity
Load balancer (L4)	4 (Transport)	TCP/UDP info
Load balancer (L7)	7 (Application)	URL paths, cookies, headers
Proxy server	7 (Application)	URL, headers
IDS / IPS	3–7	Depends on inspection depth

Why the OSI model is still worth knowing in 2026

Some practitioners argue OSI is dead — nothing implements all 7 layers; everything runs TCP/IP. They’re not wrong about the implementation, but the OSI taxonomy is how we name things in the industry.

When you say “layer 2 issue,” everyone in the room thinks switches, MAC tables, ARP, STP, spanning-tree loops. When you say “layer 7 issue,” everyone thinks app crashes, HTTP errors, malformed JSON. The vocabulary is the model’s persistent value, even when the underlying stack is TCP/IP.

It’s also how vendors price and label equipment. “Layer 3 switch,” “layer 4 load balancer,” “layer 7 firewall” — those phrases set price points in the buyer’s mind. As a Network+ candidate (or a future SE), speaking the OSI vocabulary is table stakes.

How to study this for the exam

Three-pass strategy that takes about 90 minutes total:

Pass 1 (30 min) — read this post, identify the layers and protocols you don’t immediately recall, write them on flashcards. Focus on the protocol-to-layer table.

Pass 2 (30 min) — flashcards both directions (protocol → layer, layer → protocol). Then hardware → layer flashcards.

Pass 3 (30 min) — practice questions. Pick 30 random “what layer is X?” questions and answer in under 10 seconds each. Anything you miss goes back into the flashcard deck.

After this, layer questions on the actual exam take you 10–15 seconds each, leaving you more time for the subnetting questions that need the calculation work — which is the magic-number method post.

Where to take this next

If you want a port-number reference card (the related memorization grind for the N10-009), Port Numbers Worth Memorizing for Network+ (and Which Ones You Can Skip) breaks down which to memorize cold.

If your subnetting still slows you down, Subnetting Without a Calculator — The Magic-Number Method is the technique that gets you to 30 seconds per problem.

📡 Studying for CompTIA Network+?

Practice with free flashcards, subnetting drills, and exam-style scenarios at network.it-learn.io — aligned to the current N10-009 objectives. No signup required.

The two models side by side

Layer-by-layer with protocols, PDUs, and hardware

The encapsulation flow

Where each common protocol lives (memorize this table)

The exam traps you must know

Trap 1 — ARP is layer 2 or layer 3?

Trap 2 — TLS / SSL is layer 5 or 6 or 7?

Trap 3 — Layer-3 switch vs router

Trap 4 — NGFW operating layer

Trap 5 — DNS uses TCP or UDP?

The hardware-to-layer mapping

Why the OSI model is still worth knowing in 2026

How to study this for the exam

Where to take this next

Related Posts

Subnetting Without a Calculator — The Magic-Number Method

CompTIA Network+ (N10-009) Objective 1.1: OSI Model All 7 Layers Explained

CompTIA Network+ N10-009 Complete Study Guide

Network+ N10-009 Objective 1.3 — Cloud Concepts

CompTIA Network+ (N10-009) Objective 1.2: Networking Appliances Explained

Network+ N10-009: Home Lab Ideas to Study Networking the Right Way