By Russell Lindsay, VP of Engineering, Trusted Network Solutions
One of the first things we learn when we started working in the field of computer networking, is the OSI model. The OSI model is used to describe how data should pass across a network. It is broken up into 7 layers, starting with layer 1 as the lowest layer and moving up to layer 7. The 7 layers are labelled, starting with layer 1 at the bottom, 1-Physical, 2-Data Link, 3-Network, 4-Transport, 5-Session, 6-Presentation, and 7-Application.
There are many things that live at each layer. Layer 1, the Physical Layer, has to do with all things that are used to provide physical connectivity. Some of them are Ethernet cables, Fiber cables, and wall jacks. The most common networking device at Layer 1 is a hub. It provides device connectivity and that is about it. Hubs have no brain, and cannot be managed at all. With hubs, the broadcast domain (which is the segment of the network where all nodes can reach each other by broadcast) and the collision domain (which is the segment of a network where data packets can collide with one another) are the same, and include every port on every hub connected together on a physical segment.
Layer 2, the Data Link Layer, is broken into 2 sublayers: the Media Access Control (MAC) sublayer and the Logical Link Control (LLC) sublayer. The MAC sublayer contains physical addressing and the LLC sublayer provides flow control. MAC addresses are unique identifiers assigned to network interfaces for communication on a physical network segment. The MAC address is 6 bytes in length, with the first 3 bytes being the Organizationally Unique Identifier (OUI) to uniquely identify the manufacturer and the last 3 bytes being assigned by the manufacturer of the network interface. It is represented as six 2-digit hexadecimal numbers. An example would be 58-94-6B-00-DC-04. All devices on a network segment talk only to the other devices on the same segment using the MAC address.
Networking components that fall into Layer 2 are network interface cards (NICs) and switches. Switches come in a couple flavors, unmanaged and managed. Unmanaged switches are not programmable, and logging and statistics are not available on them. You cannot create virtual local area networks (VLANs) on unmanaged switches. Managed switches allow for the creation of VLANs, monitoring, logging and statistics. All switches break up the collision domain into smaller segments. Each port of a switch is its own collision domain. However, switches do not break up broadcast domains. All ports in the same VLAN of all switches connected together on a physical segment are in the same broadcast domain. VLANs break up broadcast domains into small segments.
The Network Layer, layer 3, is where IP addressing and routing are found. There are many other protocols that are found at layer 3, but IP is the most common today. The most common networking device that lives at Layer 3 is a router. Routers make decisions about where traffic should be directed on a network. Sometimes routers are referred to as gateways. Routers break up both the broadcast domain and the collision domain. Every port of a router is its own broadcast and collision domain.
Layer 4, the Transport Layer, is the layer that is responsible for reliable delivery of data packets between nodes on a network. The most common protocols at Layer 4 are TCP and UDP. TCP is connection-oriented, meaning it provides reliable, ordered, error-checked delivery of data between nodes on a network. UDP is connectionless, meaning it does not use handshaking prior to sending data between nodes on a network. Firewalls are the networking device found at Layer 4. Firewalls allow or disallow traffic on a network segment based on a combination of source and destination IP address and port number.
Layers 5-7, Session, Presentation and Application, are usually lumped together. There are some firewalls that have proxy functionality or inspections that look at information contained in these layers. They allow or deny traffic on the network based on information in these layers.
Now that we have completed a description of the OSI as it pertains to networking, we can talk about why the OSI model is a good model for troubleshooting problems on networks. When end users describe problems, they usually will talk in term terms of Layer 7. However, most problems are actually found in Layers 1, 2, and 3. So, it is best to start troubleshooting at Layer 1. Most problems end up being Layer 1 problems. Start by verifying physical connectivity. One thing I do when I begin troubleshooting is draw a physical map and then verify that it is accurate by looking at connectivity. Once all Layer 1 items are verified, then move up to Layer 2.
At Layer 2, verify MAC addressing, VLANs, and switch configuration. One thing to watch out for are duplicate IP addresses. This really falls into Layer 2 because you are look at the MAC address table and seeing if there are 2 IP addresses associated with a single MAC address. For VLANing, verify ports that are tagged and ports that are untagged. You will probably need to make a Layer 2 map that contains tagging so that you can verify traffic is passing between switches for the all VLANs. Finally, look at Spanning Tree Protocol (STP). It is responsible for managing network loops, but if all switches aren’t configured for STP, loop can occur and broadcast storm can happen. Once you have verified that all Layer components are correct, you can move to Layer 3.
At Layer 3, you will want to verify what routing protocols are being used. You will also want to understand the IP addressing schemas being used on the network. Again, building a Layer 3 map will be very useful in understanding the flow of traffic. Make sure to know where gateway addresses live, what subnet masks are being used, and where traffic should be routed. Understand what the routing tables for devices should look like and verify them. Once all Layer 3 components have been established and confirmed, you can move to Layer 4.
You will most likely be working with a firewall of some sort at Layer 4. Make sure to validate what traffic should be passing and what traffic should be blocked. This will require asking questions about the firewall rule base and probing as to whether access rules should be changed. Also remember, a firewall is really a router (Layer 3 device) that manages traffic at Layers 4 and higher. You will need to make sure that the Layer 3 troubleshooting includes IP and routing components on firewalls. Once you have verified all Layer 4 components, then you can start looking at the Application Layer.
One thing to note about creating the different connectivity maps at each layer, remember to verify the map as you do this. There have been several instances when an end user will describe an environment, only to find out later that they were remembering wrong or it had changed without their knowledge. Always verify what you are being told.
By using the OSI model as a troubleshooting model, you will be able to methodically troubleshoot networking problems in a way that is logical. There are so many times that I have been told by end users that the problem is at Layer 7 only to find it was at Layer 1. Good luck and happy troubleshooting.