Layer 7, the application layer, is the interface between the network and the software running on top of it. Layer 7 doesn't mean "the app itself": it means the network protocols that applications speak, such as HTTP, DNS, SMTP and SSH. When your browser makes an HTTP request, that request is a Layer 7 message. This layer defines how applications format and exchange requests and responses and how they identify the service and party they are talking to; user authentication (cookies, bearer tokens, HTTP auth) therefore lives here too. Data representation and session handling are nominally Layers 6 and 5, but in practice TCP/IP stacks fold them into the application as well.
Layer 6, the presentation layer, is responsible for data translation, encoding, compression, and encryption. It ensures that data sent by one system's application layer can be understood by another's: converting character sets (ASCII to EBCDIC), compressing (JPEG), and encoding (Base64). TLS/SSL is conventionally placed here for teaching and exam purposes, although it actually runs above TCP and below the application protocol, so the fit is approximate. In modern TCP/IP implementations, Layer 6 functions are handled within the application itself (or a library it links, such as a TLS library) rather than as a discrete layer.
Layer 5, the session layer, establishes, manages, and terminates sessions (ongoing conversations) between applications. It controls the dialogue (who can transmit, when, and for how long) and provides synchronisation checkpoints so long data transfers can resume after an interruption without starting over. Like Layer 6, this is usually absorbed into the application layer in TCP/IP stacks rather than implemented as a separate component; HTTP cookies and TLS session resumption are application-level stand-ins for it.
Layer 4, the transport layer, provides end-to-end communication between processes on different hosts. It splits large data into segments, adds source and destination port numbers so the receiving host knows which socket the data belongs to, and (with TCP) manages reliable delivery through sequence numbers, acknowledgements, and retransmission. TCP offers reliability, ordering and flow control; UDP offers low overhead with no delivery, ordering or duplicate-suppression guarantees. Firewalls and load balancers work at least at this layer, inspecting ports and, for stateful devices, connection state.
Layer 3, the network layer, handles logical addressing (IP addresses) and routing: determining the path data takes across multiple networks. Routers operate here, reading destination IP addresses and forwarding packets hop-by-hop toward their destination, decrementing the TTL at each hop. IP itself is connectionless and best-effort; it makes no delivery guarantees, which is why reliability has to come from Layer 4 or above. Layer 3 also handles fragmentation when packets are too large for a network segment's MTU: IPv4 routers may fragment in transit, whereas IPv6 routers never do, so the sender must discover the path MTU and fragment (or shrink) the packet itself.
Layer 2, the data link layer, manages data transfer between directly connected nodes: devices on the same network segment. It uses MAC addresses for local delivery and packages data into frames. A MAC address is assigned by the NIC vendor but is ordinarily settable in software, which is why MAC spoofing is trivial and why a MAC is an identifier, not an authenticator. Layer 2 also handles error detection (not correction) via a CRC, the Frame Check Sequence on Ethernet; a frame that fails the check is silently discarded and any recovery is left to higher layers. Layer 2 is split into two sublayers: the LLC (Logical Link Control), which interfaces with Layer 3, and the MAC (Media Access Control), which interfaces with the physical medium and governs how devices share it (CSMA/CD on shared or half-duplex Ethernet, CSMA/CA on Wi-Fi; full-duplex switched Ethernet has no collisions to detect).
The raw transmission of bits over a physical medium — electrical signals on copper, light pulses through fibre, or radio waves through air. Layer 1 defines the physical and electrical specifications: cable types, connector pinouts, voltage levels, signal timing, and modulation schemes. There is no addressing or error detection here — it just moves bits. When a cable is unplugged or a NIC fails, the problem is at Layer 1.
When data travels down the stack on the sending side, each layer wraps it in its own header (and sometimes a trailer, such as the Ethernet frame check sequence). This is encapsulation. On the receiving side, each layer checks and strips its header back off, de-encapsulation, until the original application data is exposed. The payload is opaque to the layer carrying it: a switch never looks past the Ethernet header and a plain router never needs to look past the IP header, which is why application-layer inspection needs a device that reassembles all the way up to Layer 7.
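To make the header-wrapping concrete, here is an added example (not code from the original page) that builds a UDP/IPv4/Ethernet II stack by hand and then unwraps it, verifying each layer's integrity check on the way back up. The MAC addresses, IP addresses, ports and payload are constructed sample values from documentation ranges. The names on the PDUs at each step (datagram, packet, frame) are the ones used later in this article.

```python
import socket
import struct
import zlib

# Constructed sample addresses (documentation ranges), not taken from the page.
SRC_MAC = bytes.fromhex("02005e000001")
DST_MAC = bytes.fromhex("02005e000002")
SRC_IP = "192.0.2.10"
DST_IP = "198.51.100.20"
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. Returns 0 when run
    over a header whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Send side: L7 data -> L4 datagram -> L3 packet -> L2 frame."""
    # L4 (UDP datagram): 8-byte header; checksum 0 means 'not computed', legal over IPv4.
    datagram = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # L3 (IPv4 packet): 20-byte header; the checksum covers the header only, not the payload.
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5,          # version 4, IHL = 5 words
                         0,                     # DSCP / ECN
                         20 + len(datagram),    # total length
                         0x1234,                # identification (used for fragment reassembly)
                         0,                     # flags + fragment offset
                         64,                    # TTL, decremented by each L3 hop
                         IPPROTO_UDP,
                         0,                     # checksum placeholder
                         socket.inet_aton(SRC_IP),
                         socket.inet_aton(DST_IP))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    packet = header + datagram
    # L2 (Ethernet II frame): 14-byte header plus a 4-byte FCS trailer (CRC-32, sent LSB first).
    body = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + packet
    return body + struct.pack("<I", zlib.crc32(body))


def decapsulate(frame: bytes) -> dict:
    """Receive side: strip each header off, verifying that layer's integrity check first."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("L2: FCS mismatch, frame would be silently dropped by the NIC")
    dst_mac, src_mac = body[:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("L2: unexpected EtherType 0x%04x" % ethertype)
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    ip_header = packet[:ihl]
    if ip_checksum(ip_header) != 0:
        raise ValueError("L3: IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", ip_header[2:4])[0]
    if ip_header[9] != IPPROTO_UDP:
        raise ValueError("L3: unexpected protocol %d" % ip_header[9])
    datagram = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", datagram[:8])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(ip_header[12:16]),
        "dst_ip": socket.inet_ntoa(ip_header[16:20]),
        "ttl": ip_header[8],
        "src_port": src_port, "dst_port": dst_port,
        "payload": datagram[8:udp_len],
    }


def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate a single-bit error in transit (L1 noise that the L2 CRC is meant to catch)."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


if __name__ == "__main__":
    frame = encapsulate(b"hello", 40000, 53)
    print(len(frame), "bytes on the wire:", decapsulate(frame))
    try:
        decapsulate(flip_bit(frame, 200))
    except ValueError as err:
        print("corrupted copy:", err)
```

Two things worth noticing when you run it: the IPv4 checksum protects only its own 20-byte header, so payload corruption is the FCS's job (and, above that, TCP's or the application's), and every check is done before the header is peeled, which is the order a real receiver uses. A 5-byte payload still costs 46 bytes of framing, which is the overhead the later PDU discussion is about.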
| Device | Layer | What it does |
|---|---|---|
| Hub / Repeater | L1 Physical | Amplifies and rebroadcasts raw electrical signals. No addressing: everything goes out every port, so any attached host can sniff all traffic. Effectively obsolete; replaced by switches. |
| Switch | L2 Data Link | Forwards frames using a MAC address table. Learns which MAC is on which port and sends frames only to the correct destination, unlike a hub (though it still floods unknown and broadcast destinations). VLANs and STP operate here. Layer 3 switches also perform IP routing. |
| Router | L3 Network | Routes packets between different networks using IP addresses and routing tables. Interconnects LANs, connects LANs to the internet, and enforces network boundaries. |
| Firewall | L3 – L7 | Stateless firewalls operate at L3/L4 (IP/port filtering on each packet in isolation). Stateful firewalls track connection state at L4. Next-generation firewalls (NGFW) inspect up to L7 for application-aware filtering. |
| Load Balancer | L4 / L7 | L4 load balancers distribute TCP/UDP flows by IP and port without looking at the payload. L7 load balancers make routing decisions based on HTTP headers, cookies, or URL paths; to do so they terminate TLS and inspect content. |
| WAF | L7 Application | Web Application Firewall: inspects HTTP/HTTPS traffic for attack patterns (SQLi, XSS, etc.). Operates entirely at Layer 7, understanding the application protocol rather than just ports and IPs. |
| IDS / IPS | L3 – L7 | Intrusion Detection/Prevention Systems inspect traffic at multiple layers. Rules can match at L3 (source/destination IP, reputation lists), L4 (ports, flags, connection patterns), or L7 (payload content and protocol behaviour). An IDS only alerts; an IPS sits inline and can drop traffic. |
The TCP/IP model has 4 layers (Application, Transport, Internet, Link), not 7. It maps roughly as: TCP/IP Application ≈ OSI L5+L6+L7; TCP/IP Transport ≈ OSI L4; TCP/IP Internet ≈ OSI L3; TCP/IP Link ≈ OSI L1+L2. The OSI model is the conceptual framework; real-world stacks implement TCP/IP. Vendor documentation nevertheless uses OSI numbering ("Layer 7 load balancer", "Layer 3 switch"), so you'll see both models used interchangeably.
Each layer has a different name for its data unit. Getting this right in interviews and exams: Bit (L1), Frame (L2), Packet (L3), Segment (TCP) / Datagram (UDP) at L4, Data (L5–L7). A "packet capture" technically captures frames — the word "packet" is used loosely in practice.
Always start at Layer 1 and work up. No link light? L1. Link up but no ARP reply from the gateway? L2. Can ping the gateway but nothing beyond it? L3 routing. Can ping by IP but not by hostname? Name resolution (DNS, a Layer 7 service), not a routing problem. Ping works but the port times out or is refused? L4: a firewall rule or a service that isn't listening. TCP connects but the application returns errors? L7. This discipline prevents wasted time: don't reconfigure routing when the cable is unplugged.
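The bottom-up ladder above, as an added example (not code from the original page) that stops at the first layer that fails and says which one it was. It uses a TCP connect instead of ping for the L3/L4 step because the failure mode carries more information: an RST (connection refused) proves the host is reachable at L3 and the fault is the port, a timeout means packets are being dropped somewhere, and ENETUNREACH/EHOSTUNREACH means the local routing table has no path. The link-state check reads Linux sysfs and is an assumption about the platform; every check is injectable so the logic runs offline and so you can swap in your own probes.

```python
import errno
import socket
from typing import Callable, Optional


def linux_link_up(ifname: str) -> bool:
    """L1/L2 check, Linux-specific: sysfs operstate is 'up' only when the
    interface has carrier. On other platforms pass your own link_up callable."""
    with open("/sys/class/net/%s/operstate" % ifname) as f:
        return f.read().strip() == "up"


def diagnose(host: str, port: int, iface: Optional[str] = None, timeout: float = 2.0,
             link_up: Callable[[str], bool] = linux_link_up,
             resolve: Callable[[str], str] = socket.gethostbyname,
             connect: Callable = socket.create_connection,
             app_check: Optional[Callable[[socket.socket], bool]] = None) -> str:
    """Walk the stack bottom-up and name the first layer that fails.
    The check functions are parameters so the triage logic can be exercised offline."""
    # L1/L2: is there even a link? Nothing above this can work if not.
    if iface is not None and not link_up(iface):
        return "L1/L2: %s has no carrier; check cable, port and NIC before anything else" % iface
    # L7 (DNS): resolve the name. gethostbyname passes an IP literal straight through.
    try:
        ip = resolve(host)
    except socket.gaierror as exc:
        return "L7: DNS lookup for %r failed (%s); this is name resolution, not routing" % (host, exc)
    # L3/L4: attempt an end-to-end transport connection and read the failure mode.
    try:
        sock = connect((ip, port), timeout)
    except ConnectionRefusedError:
        return ("L4: %s is reachable (RST received) but nothing is listening on port %d; "
                "service down or host firewall rule" % (ip, port))
    except (socket.timeout, TimeoutError):
        return "L3/L4: %s:%d timed out; packets dropped by a route, ACL or stateful firewall" % (ip, port)
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "L3: no route to %s (%s); check routing table and gateway" % (ip, exc.strerror)
        raise
    # L7: transport is fine, so any remaining failure is the application protocol itself.
    try:
        if app_check is not None and not app_check(sock):
            return "L7: TCP connects to %s:%d but the application exchange failed" % (ip, port)
        return "OK: %s:%d reachable through L7" % (ip, port)
    finally:
        sock.close()


def http_head_ok(sock: socket.socket) -> bool:
    """Minimal L7 probe for plain HTTP: send a HEAD and accept any HTTP/1.x status line."""
    sock.sendall(b"HEAD / HTTP/1.1\r\nHost: probe\r\nConnection: close\r\n\r\n")
    return sock.recv(64).startswith(b"HTTP/1.")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(diagnose(target, 80, app_check=http_head_ok))
```

The order of the `except` clauses matters: `ConnectionRefusedError` and `TimeoutError` are both subclasses of `OSError`, so the generic errno check has to come last or it would swallow them. Anything with an errno we don't recognise is re-raised rather than guessed at, which is the honest answer when the ladder can't place a fault.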
Attacks can target any layer: physical cable cuts (L1), MAC spoofing / ARP poisoning (L2), IP spoofing / route injection (L3), port scanning / SYN floods (L4), TLS stripping (L6), SQLi / XSS / API abuse (L7). Defence in depth means controls at multiple layers — no single layer is sufficient on its own.