This chapter covers the TCP/IP model and its protocol suite, the foundational framework for all modern networking. Understanding the TCP/IP model is critical for the N10-009 exam, as it underpins every networking concept you will encounter. Approximately 15-20% of exam questions directly test your knowledge of TCP/IP layers, protocols, and their functions.
Imagine you want to send a letter to a friend in another city. The TCP/IP model works like a postal service with four distinct layers. At the Application layer, you write the letter (the data) and decide what to say—this is like using an app like email or web browser. The Transport layer is like choosing the delivery method: you can send a regular letter (TCP) that guarantees delivery by requesting a return receipt, or a postcard (UDP) that is faster but you don't know if it arrived. The Transport layer also adds a return address (port number) so your friend knows which app to forward the letter to. Next, the Internet layer acts like the postal sorting office: it puts the letter in an envelope with the destination address (IP address) and decides the route the letter should take through various post offices (routers). Finally, the Network Interface layer is the actual mail truck and delivery person that physically transports the envelope over roads (cables, Wi-Fi) to your friend's mailbox. When your friend receives the letter, the process reverses: the Network Interface layer hands the envelope up to the Internet layer, which opens it and passes the letter to the Transport layer, which checks the return receipt and delivers the content to the correct application. Just as the postal service works reliably even if the sender doesn't know the exact route, TCP/IP ensures data reaches the right application on the right device across any interconnected network.
The TCP/IP model (Transmission Control Protocol/Internet Protocol) is a conceptual framework that describes how data travels from one device to another over a network. It was developed by the U.S. Department of Defense in the 1970s and is documented in RFC 1122 and RFC 1123. Unlike the OSI model (which has seven layers), the TCP/IP model has four layers: Application, Transport, Internet, and Network Interface. The exam expects you to know the function of each layer, the protocols that operate at each layer, and how data encapsulation works.
Why the TCP/IP Model Exists
Before standardized networking models, each vendor had proprietary protocols that could not interoperate. The TCP/IP model provided a common language so that devices from different manufacturers could communicate. It also introduced the concept of layering: each layer handles a specific aspect of communication, and changes in one layer do not affect others. This modularity allows protocols to be developed independently.
The Four Layers in Detail
#### 1. Network Interface Layer (also called Link Layer)
This is the lowest layer, responsible for physical transmission of data over the medium (e.g., Ethernet, Wi-Fi, fiber). It includes hardware addresses (MAC addresses) and framing. The protocol data unit (PDU) at this layer is a frame. The Network Interface layer handles error detection using Frame Check Sequence (FCS) but does not guarantee delivery. Common protocols: Ethernet (IEEE 802.3), Wi-Fi (IEEE 802.11), PPP, and ARP (Address Resolution Protocol) which maps IP addresses to MAC addresses.
#### 2. Internet Layer (also called Network Layer)
The Internet layer handles logical addressing (IP addresses) and routing. Its primary protocol is IP (Internet Protocol), which is connectionless and best-effort. The PDU at this layer is a packet. IP provides no error recovery or flow control—those are left to upper layers. IPv4 uses 32-bit addresses; IPv6 uses 128-bit addresses. Other protocols at this layer include:
- ICMP (Internet Control Message Protocol): Used for error reporting (e.g., destination unreachable) and diagnostic tools like ping and traceroute.
- ARP (Address Resolution Protocol): Although sometimes considered part of the Network Interface layer, ARP operates at the Internet layer to resolve IP addresses to MAC addresses.
- IGMP (Internet Group Management Protocol): Used for multicast group management.
#### 3. Transport Layer
The Transport layer provides end-to-end communication between applications. It segments data from the Application layer and adds port numbers to identify the specific application. The two main protocols are:
- TCP (Transmission Control Protocol): Connection-oriented, reliable, with flow control and error recovery. TCP uses a three-way handshake to establish a connection. It numbers segments and retransmits lost data. The PDU is called a segment. Default port numbers for common services: HTTP (80), HTTPS (443), FTP (21), SSH (22), SMTP (25).
- UDP (User Datagram Protocol): Connectionless, unreliable, no handshake. It is used for real-time applications where speed matters more than reliability (e.g., DNS, DHCP, VoIP, streaming video). The PDU is called a datagram. Common ports: DNS (53), DHCP (67/68), TFTP (69), SNMP (161/162).
#### 4. Application Layer
The Application layer represents the user-facing protocols that provide network services. Unlike the OSI model, TCP/IP combines the Session, Presentation, and Application layers into one. Examples of Application layer protocols:
- HTTP/HTTPS: Web browsing
- FTP/SFTP: File transfer
- SMTP/POP3/IMAP: Email
- DNS: Domain name resolution
- DHCP: Dynamic IP address assignment
- SNMP: Network management
- Telnet/SSH: Remote access
Data Encapsulation and Decapsulation
When an application sends data, it travels down the layers, each adding its own header (and sometimes trailer) in a process called encapsulation. The reverse process (removing headers) is decapsulation at the receiving end.
- Application layer: Data (e.g., HTTP request)
- Transport layer: Adds TCP or UDP header (segment/datagram)
- Internet layer: Adds IP header (packet)
- Network Interface layer: Adds frame header and trailer (frame)
The data is then transmitted as bits on the medium. The receiving device reverses this: it removes the frame header/trailer, then the IP header, then the TCP/UDP header, and finally delivers the data to the application.
Key Differences from the OSI Model
The exam often compares TCP/IP and OSI models. Key points:
OSI has 7 layers; TCP/IP has 4.
OSI separates Presentation and Session layers; TCP/IP includes them in Application.
OSI's Network layer is TCP/IP's Internet layer.
OSI's Data Link and Physical layers are combined in TCP/IP's Network Interface layer.
Important Protocols and Port Numbers
You must memorize the following port numbers for the exam:
- TCP ports:
  - 20/21: FTP (data/control)
  - 22: SSH
  - 23: Telnet
  - 25: SMTP
  - 53: DNS (also UDP)
  - 80: HTTP
  - 110: POP3
  - 143: IMAP
  - 443: HTTPS
  - 3389: RDP
- UDP ports:
  - 53: DNS
  - 67/68: DHCP
  - 69: TFTP
  - 161/162: SNMP
  - 520: RIP
TCP Three-Way Handshake
TCP connections are established with a three-way handshake:
1. Client sends a SYN segment (sequence number = x).
2. Server responds with SYN-ACK (acknowledgment number = x+1, own sequence number = y).
3. Client sends ACK (acknowledgment number = y+1).
After this, data can be sent. The connection is closed with a four-way handshake (FIN). The exam may test the states of TCP connections (SYN_SENT, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, etc.).
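The handshake arithmetic above (x, x+1, y, y+1) can be checked mechanically against a packet capture, which is how a stateful firewall or an analyst decides whether a connection was really established. The following is an added example, not part of the original chapter: the capture rows are constructed, and the `RESET` and `INVALID_ACK` labels are names chosen for this sketch rather than TCP states.

```python
from collections import namedtuple

# Constructed capture records (not real traffic): one row per TCP segment.
Seg = namedtuple("Seg", "src sport dst dport flags seq ack")

CAPTURE = [
    Seg("10.0.0.5", 50000, "10.0.0.80", 443, {"SYN"}, 100, 0),
    Seg("10.0.0.80", 443, "10.0.0.5", 50000, {"SYN", "ACK"}, 900, 101),
    Seg("10.0.0.5", 50000, "10.0.0.80", 443, {"ACK"}, 101, 901),
    Seg("10.0.0.5", 50001, "10.0.0.81", 443, {"SYN"}, 200, 0),   # never answered
    Seg("10.0.0.5", 50001, "10.0.0.81", 443, {"SYN"}, 200, 0),   # retransmitted SYN
    Seg("10.0.0.5", 50002, "10.0.0.80", 8080, {"SYN"}, 300, 0),
    Seg("10.0.0.80", 8080, "10.0.0.5", 50002, {"RST", "ACK"}, 0, 301),
    Seg("10.0.0.5", 50003, "10.0.0.80", 443, {"SYN"}, 400, 0),
    Seg("10.0.0.80", 443, "10.0.0.5", 50003, {"SYN", "ACK"}, 700, 999),  # wrong ack
]


def track_handshakes(segments):
    """Return {(client, cport, server, sport): state} for every connection attempt."""
    flows = {}
    for s in segments:
        fwd = (s.src, s.sport, s.dst, s.dport)   # key if the sender is the client
        rev = (s.dst, s.dport, s.src, s.sport)   # key if the sender is the server
        if s.flags == {"SYN"}:
            # Step 1: remember the client's initial sequence number x.
            flows.setdefault(fwd, {"state": "SYN_SENT", "x": s.seq, "y": None})
        elif rev in flows and flows[rev]["state"] == "SYN_SENT":
            f = flows[rev]
            if "RST" in s.flags:
                f["state"] = "RESET"             # port closed or actively refused
            elif s.flags == {"SYN", "ACK"}:
                # Step 2: the server must acknowledge x+1 (sequence space wraps at 2**32).
                if s.ack == (f["x"] + 1) % 2**32:
                    f["state"], f["y"] = "SYN_RECEIVED", s.seq
                else:
                    f["state"] = "INVALID_ACK"
        elif fwd in flows and flows[fwd]["state"] == "SYN_RECEIVED":
            f = flows[fwd]
            # Step 3: the client must acknowledge y+1.
            if s.flags == {"ACK"} and s.ack == (f["y"] + 1) % 2**32:
                f["state"] = "ESTABLISHED"
    return {key: f["state"] for key, f in flows.items()}
```

A flow left in `SYN_SENT` is the "SYN sent but no SYN-ACK" symptom: the reply was filtered or never routed back, whereas `RESET` shows the host was reachable and refused the port.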
UDP Operation
UDP is stateless. There is no handshake; the sender just sends datagrams. This makes UDP faster but unreliable. Applications using UDP must handle reliability themselves if needed. Common UDP applications: DNS queries (usually), DHCP, VoIP (RTP), video streaming.
IP Addressing and Subnetting
IPv4 addresses are 32 bits, written in dotted decimal (e.g., 192.168.1.1). They are divided into classes (A, B, C, D, E) but modern networking uses CIDR (Classless Inter-Domain Routing) for subnetting. IPv6 addresses are 128 bits, written in hexadecimal (e.g., 2001:db8::1). The exam expects you to know the difference between IPv4 and IPv6, including address exhaustion issues and the use of NAT with IPv4.
Common Commands for Verification
Network engineers use the following commands to verify TCP/IP operation:
ping <destination>: Sends ICMP echo requests to test reachability.
tracert <destination> (Windows) or traceroute <destination> (Linux): Traces the path packets take.
ipconfig (Windows) or ifconfig (Linux): Shows IP configuration.
netstat -an: Shows active TCP connections and listening ports.
nslookup <hostname>: Queries DNS.
arp -a: Shows ARP cache.
How TCP/IP Interacts with Related Technologies
TCP/IP works with many other technologies you will study:
- NAT (Network Address Translation): Modifies IP addresses in packets, typically at the Internet layer.
- VLANs: Operate at the Network Interface layer (Ethernet).
- Routing protocols (OSPF, BGP): Operate at the Internet layer.
- Firewalls: Inspect packets at various layers; stateful firewalls track TCP connections.
- VPNs: Encapsulate IP packets in other protocols (e.g., IPsec, SSL/TLS).
Summary of Encapsulation Example
When you visit a website:
1. Application layer: Browser sends HTTP GET request.
2. Transport layer: TCP adds a header with source port (random high port) and destination port 80.
3. Internet layer: IP adds a header with source and destination IP addresses.
4. Network Interface layer: Ethernet adds a header with source and destination MAC addresses and a trailer with FCS.
The frame is transmitted over the network. The web server reverses the process and sends back an HTTP response.
Application Layer Generates Data
The process begins when an application (e.g., web browser, email client) generates data that needs to be sent over the network. The data is passed to the Transport layer along with instructions on which protocol to use (TCP or UDP) and the destination port number. For example, a web browser generates an HTTP GET request and specifies destination port 80 (TCP). The application does not handle addressing or delivery; it relies on lower layers.
Transport Layer Adds Segment Header
The Transport layer receives the data and adds a TCP or UDP header. For TCP, this includes source port, destination port, sequence number, acknowledgment number, flags (SYN, ACK, FIN, etc.), window size, and checksum. For UDP, the header is simpler: source port, destination port, length, and checksum. The resulting unit is a segment (TCP) or datagram (UDP). The Transport layer may also split the data into smaller segments if needed.
Internet Layer Adds Packet Header
The Internet layer receives the segment/datagram and adds an IP header. The IP header includes source and destination IP addresses, version (4 or 6), Time-to-Live (TTL), protocol field (TCP=6, UDP=17), header checksum, and fragmentation information. The resulting unit is an IP packet. The Internet layer determines the next-hop router by consulting the routing table. If the packet is larger than the MTU of the outgoing link, it may fragment the packet.
Network Interface Layer Frames the Packet
The Network Interface layer receives the IP packet and encapsulates it in a frame appropriate for the physical medium. For Ethernet, this includes source and destination MAC addresses, EtherType (0x0800 for IPv4, 0x86DD for IPv6), and a Frame Check Sequence (FCS) trailer. The frame is then converted to bits and transmitted over the physical medium (cable, fiber, radio waves).
Intermediate Devices Route the Frame
As the frame travels across the network, switches (Layer 2) forward frames based on MAC addresses, and routers (Layer 3) decapsulate the frame to examine the IP packet, then re-encapsulate it into a new frame for the next hop. Routers decrement the TTL field; if TTL reaches 0, the packet is discarded and an ICMP Time Exceeded message is sent back. This continues until the packet reaches the destination network.
Destination Decapsulates and Delivers Data
At the destination device, the Network Interface layer removes the frame header and trailer, and passes the IP packet up to the Internet layer. The Internet layer checks the IP header, verifies the checksum, and passes the segment/datagram to the Transport layer. The Transport layer uses the destination port number to deliver the data to the correct application. For TCP, it also acknowledges receipt and reassembles segments in order. The application then processes the data (e.g., renders a web page).
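The six steps above, carried out on real bytes, as an added example that is not part of the original chapter. It builds an Ethernet/IPv4/TCP frame around an HTTP request, strips the headers again while checking EtherType, IP version, header checksum and protocol number, and models one router hop. All addresses, ports and sequence numbers are constructed; the FCS trailer is omitted (capture tools normally do not show it), the TCP checksum is left at 0, and the hop keeps the original MAC addresses where a real router would write new ones.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_header(src: bytes, dst: bytes, ttl: int, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (no options) with a valid header checksum."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0, src, dst]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def encapsulate(data: bytes, ttl: int = 64) -> bytes:
    """Data -> TCP segment -> IPv4 packet -> Ethernet frame (FCS omitted)."""
    # Constructed values: ephemeral source port 49152, PSH+ACK flags, window 65535.
    # The TCP checksum is left at 0 because this sample never crosses a real stack.
    segment = struct.pack("!HHIIHHHH", 49152, 80, 1000, 2000, 0x5018, 65535, 0, 0) + data
    packet = ip_header(bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]), ttl, 6, len(segment)) + segment
    return bytes.fromhex("02000000000b" "02000000000a") + struct.pack("!H", 0x0800) + packet


def decapsulate(frame: bytes) -> dict:
    """Strip headers bottom-up, checking each header before reading the next."""
    if len(frame) < 14 + 20:
        raise ValueError("frame too short for Ethernet + IPv4")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ETHERTYPES.get(ethertype) != "IPv4":
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        raise ValueError("malformed IPv4 header")
    iph = frame[14:14 + ihl]
    if inet_checksum(iph) != 0:           # a header with a correct checksum sums to 0
        raise ValueError("IPv4 header checksum mismatch")
    total_len, ttl, proto = struct.unpack("!H", iph[2:4])[0], iph[8], iph[9]
    l4 = frame[14 + ihl:14 + total_len]
    result = {"ttl": ttl, "protocol": IP_PROTOCOLS.get(proto, str(proto)),
              "src_ip": ".".join(map(str, iph[12:16])), "dst_ip": ".".join(map(str, iph[16:20]))}
    if proto == 6 and len(l4) >= 20:      # TCP: data offset gives header length
        sport, dport = struct.unpack("!HH", l4[:4])
        offset = (l4[12] >> 4) * 4
        result.update(src_port=sport, dst_port=dport, data=l4[offset:])
    elif proto == 17 and len(l4) >= 8:    # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        result.update(src_port=sport, dst_port=dport, data=l4[8:])
    return result


def router_hop(frame: bytes):
    """Decrement TTL and rewrite the checksum; None means drop and send ICMP Time Exceeded."""
    iph = bytearray(frame[14:34])         # assumes a 20-byte header, as built above
    if iph[8] <= 1:
        return None
    iph[8] -= 1
    iph[10:12] = b"\x00\x00"
    iph[10:12] = struct.pack("!H", inet_checksum(bytes(iph)))
    return frame[:14] + bytes(iph) + frame[34:]
```

Changing any byte of the IP header without recomputing the checksum makes `decapsulate` raise, which is the header-only integrity check the Internet layer performs; the payload is covered by the Transport layer checksum and the frame's FCS instead.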
In a typical enterprise network, the TCP/IP model is the foundation for all communication. Consider a company with 1,000 employees accessing cloud-based applications. The network engineer configures DHCP servers to assign IP addresses dynamically, DNS servers to resolve internal and external hostnames, and firewalls to filter traffic based on IP addresses and ports. For example, a web server hosting the company's intranet listens on TCP port 443 (HTTPS). The engineer must ensure that the firewall allows inbound traffic to that port from the internal network only. Load balancers distribute incoming TCP connections across multiple web servers, using source IP persistence to maintain session affinity. When a user sends an email via SMTP (port 25), the email server relays it to the internet using MX records from DNS. The network team monitors performance using SNMP (UDP ports 161/162) and analyzes traffic with netstat and packet captures. A common issue is TCP window scaling: if a firewall or router is misconfigured to drop TCP options, performance degrades. Another scenario is VoIP deployment: phones use UDP for RTP (real-time transport) and require QoS to prioritize voice traffic. Misconfigured VLANs or MTU mismatches can cause one-way audio. The engineer must verify end-to-end connectivity with ping, traceroute, and path MTU discovery. In cloud environments, virtual networks implement TCP/IP with overlay protocols like VXLAN, which encapsulates Ethernet frames in UDP datagrams. Troubleshooting often involves checking TCP three-way handshake completion using packet captures—if SYN-ACK is not received, the issue could be a firewall blocking return traffic or a routing problem. The exam expects you to apply these concepts in scenario-based questions, such as identifying which layer a problem occurs at based on symptoms.
N10-009 Exam Focus: TCP/IP Model and Protocol Suite (Objective 1.2)
The exam tests your ability to:
Identify the function of each TCP/IP layer.
Match protocols to their correct layer.
Understand encapsulation and decapsulation order.
Recall common port numbers and their associated protocols.
Differentiate between TCP and UDP characteristics.
Explain the TCP three-way handshake and connection termination.
Compare TCP/IP model to OSI model.
Common Wrong Answers and Why
"TCP uses port numbers to identify applications, but UDP does not." Both use port numbers. The difference is reliability, not port usage. Candidates often think UDP is portless.
"The Internet layer is responsible for error detection and correction." No, error detection is at the Transport layer (TCP checksum) and Data Link layer (FCS). The Internet layer only checks the header checksum, not the payload.
"The Application layer includes only HTTP and FTP." Many more protocols exist: DNS, DHCP, SMTP, SNMP, etc. Candidates forget that DNS and DHCP are Application layer protocols.
"TCP and UDP both use a three-way handshake." Only TCP does; UDP is connectionless.
"The Network Interface layer includes IP addressing." IP addressing is at the Internet layer. The Network Interface layer uses MAC addresses.
Specific Numbers and Values to Memorize
TCP port 80 (HTTP), 443 (HTTPS), 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 53 (DNS), 110 (POP3), 143 (IMAP), 3389 (RDP).
UDP port 53 (DNS), 67/68 (DHCP), 69 (TFTP), 161/162 (SNMP), 520 (RIP).
Protocol numbers: TCP=6, UDP=17, ICMP=1.
Ethernet Type: IPv4=0x0800, IPv6=0x86DD, ARP=0x0806.
MTU: Ethernet=1500 bytes, IPv4 minimum=68, IPv6 minimum=1280.
TTL default: 64 (Linux), 128 (Windows), 255 (some routers).
Edge Cases and Exam Traps
DNS uses both TCP and UDP: DNS primarily uses UDP on port 53, but uses TCP for zone transfers and when responses exceed 512 bytes.
DHCP uses UDP: Client on port 68, server on port 67. The client sends a broadcast because it doesn't have an IP yet.
TFTP uses UDP: Trivial File Transfer Protocol uses UDP port 69, no authentication.
SNMP: Uses UDP ports 161 (queries) and 162 (traps).
RDP: Uses TCP port 3389.
GRE and IPsec: These are not Transport layer protocols; they operate at the Internet layer (protocol numbers 47 and 50/51).
How to Eliminate Wrong Answers
If a question mentions "reliable delivery" or "guaranteed delivery", look for TCP-related answers.
If it mentions "low overhead" or "real-time", think UDP.
If it asks about "addressing" or "routing", it's the Internet layer.
If it asks about "physical transmission" or "MAC addresses", it's the Network Interface layer.
Encapsulation order: Data → Segment/Datagram → Packet → Frame.
Memorize the layer-to-PDU mapping: Application (Data), Transport (Segment for TCP, Datagram for UDP), Internet (Packet), Network Interface (Frame).
Practice with scenario questions: "A user cannot access a website. You run a packet capture and see SYN sent but no SYN-ACK. Which layer is most likely the problem?" Answer: Transport layer (TCP handshake incomplete) or Internet layer (routing issue).
The TCP/IP model has four layers: Application, Transport, Internet, Network Interface.
TCP is connection-oriented and reliable; UDP is connectionless and unreliable.
Common TCP ports: 80 (HTTP), 443 (HTTPS), 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 53 (DNS).
Common UDP ports: 53 (DNS), 67/68 (DHCP), 69 (TFTP), 161/162 (SNMP).
Encapsulation order: Data → Segment (TCP) or Datagram (UDP) → Packet → Frame.
The TCP three-way handshake uses SYN, SYN-ACK, ACK segments.
IP is best-effort and does not guarantee delivery.
The Network Interface layer uses MAC addresses and handles physical transmission.
DNS uses both TCP and UDP; DHCP uses UDP; TFTP uses UDP.
The exam expects you to identify which layer a protocol belongs to and recall port numbers.
These come up on the exam all the time. Here's how to tell them apart.
TCP (Transmission Control Protocol)
Connection-oriented: establishes a session via three-way handshake
Reliable: uses acknowledgments and retransmissions
Flow control: uses windowing to avoid overwhelming receiver
Error recovery: retransmits lost or corrupted segments
Higher overhead: 20-byte header
UDP (User Datagram Protocol)
Connectionless: no handshake, just send datagrams
Unreliable: no guarantee of delivery
No flow control: sender sends at its own pace
No error recovery: corrupted datagrams are discarded silently
Lower overhead: 8-byte header
Mistake
TCP/IP has seven layers like the OSI model.
Correct
TCP/IP has four layers: Application, Transport, Internet, Network Interface. The OSI model has seven layers. Candidates often confuse the two.
Mistake
UDP does not use port numbers.
Correct
UDP uses 16-bit port numbers exactly like TCP. Both are in the Transport layer header.
Mistake
The Internet layer guarantees delivery of packets.
Correct
IP is a best-effort protocol. It does not guarantee delivery, error recovery, or flow control. Those are provided by TCP at the Transport layer.
Mistake
DNS only uses UDP.
Correct
DNS primarily uses UDP on port 53, but it uses TCP for zone transfers and when the response is larger than 512 bytes.
Mistake
ARP operates at the Network Interface layer only.
Correct
ARP is often considered part of the Internet layer because it maps IP addresses to MAC addresses. It uses Ethernet frames but its payload is an IP-to-MAC mapping.
TCP (Transmission Control Protocol) is connection-oriented and reliable. It establishes a session with a three-way handshake, ensures data arrives in order, retransmits lost packets, and uses flow control. UDP (User Datagram Protocol) is connectionless and unreliable. It does not guarantee delivery, has no handshake, and is used for real-time applications like VoIP and streaming where speed matters more than reliability. Both use port numbers to identify applications.
The Internet layer (also called the Network layer) handles logical addressing (IP addresses) and routing. It encapsulates segments/datagrams from the Transport layer into packets, adds source and destination IP addresses, and forwards packets based on routing tables. Protocols at this layer include IP, ICMP, ARP, and IGMP.
The three-way handshake establishes a reliable connection between two devices. It synchronizes sequence numbers and ensures both sides are ready to communicate. Step 1: client sends SYN with initial sequence number. Step 2: server responds with SYN-ACK, acknowledging the client's sequence number and sending its own. Step 3: client sends ACK to confirm receipt. After this, data transfer can begin.
DHCP (Dynamic Host Configuration Protocol) uses UDP ports 67 (server) and 68 (client). The client broadcasts on port 68 to discover DHCP servers, and the server responds on port 67. DHCP can also use UDP port 546/547 for DHCPv6.
DNS primarily uses UDP on port 53 for most queries because it is faster. However, DNS uses TCP on the same port for zone transfers (between DNS servers) and when the response size exceeds 512 bytes (or 4096 with EDNS0). The exam expects you to know that DNS uses both.
The Protocol Data Unit (PDU) names are: Application layer – Data; Transport layer – Segment (TCP) or Datagram (UDP); Internet layer – Packet; Network Interface layer – Frame. Memorizing these helps with encapsulation questions.
The TCP/IP model has 4 layers: Application, Transport, Internet, Network Interface. The OSI model has 7 layers: Application, Presentation, Session, Transport, Network, Data Link, Physical. TCP/IP combines the OSI Application, Presentation, and Session layers into its Application layer, and combines Data Link and Physical into its Network Interface layer.