The data link layer moves frames between directly connected devices—a computer to its switch, a switch to a router. But what happens when you want to communicate with a server on another continent? The data link layer has no concept of 'route to Tokyo' or 'path through multiple networks.' That responsibility belongs to the Network Layer (Layer 3).
The network layer is the great abstraction of networking. It hides the bewildering complexity of the underlying infrastructure—the countless switches, routers, fiber optic cables, microwave links, and satellite hops—behind a simple model: every device has an address, and packets find their way from source to destination. Whether that destination is across the room or across the ocean, the process looks identical to higher layers.
This is where the Internet Protocol (IP) operates, along with its companion protocols (ICMP, ARP at the boundary, routing protocols). Understanding Layer 3 is essential for anyone working with network infrastructure, security, or distributed systems.
By the end of this page, you will understand: the network layer's role in end-to-end packet delivery, how logical addressing (IP) enables global identification, how routing algorithms find paths through complex topologies, how routers make forwarding decisions, how fragmentation handles MTU mismatches, and the relationship between network layer protocols (IP, ICMP, ARP).
The network layer's fundamental purpose is end-to-end packet delivery across internetworks—getting a packet from its source host to its destination host, potentially traversing many intermediate networks and routers.
Core Functions:
1. Logical Addressing: Assigns addresses that identify devices independently of their physical network. Unlike MAC addresses (tied to hardware), IP addresses are hierarchical and location-based, enabling efficient routing decisions.
2. Routing: Determines the optimal path for packets to travel from source to destination. Routing protocols (OSPF, BGP, etc.) exchange information to build routing tables that guide forwarding decisions.
3. Packet Forwarding: The actual movement of packets from input to output. Routers examine the destination address, consult their routing table, and forward the packet toward its destination.
4. Fragmentation and Reassembly: When a packet is too large for a network's Maximum Transmission Unit (MTU), the network layer (in IPv4) can break it into smaller fragments. The destination host reassembles them.
5. Error Reporting: ICMP (Internet Control Message Protocol) reports errors and provides diagnostic functions (ping, traceroute).
| Function | Purpose | Key Concept | Protocol/Mechanism |
|---|---|---|---|
| Logical Addressing | Global device identification | Hierarchical, location-based addresses | IPv4, IPv6 |
| Routing | Path determination | Routing tables, algorithms | OSPF, BGP, RIP, IS-IS |
| Forwarding | Packet movement | Table lookup, next-hop | Router forwarding engine |
| Fragmentation | Handle MTU differences | Split large packets | IPv4 fragmentation |
| Error Reporting | Communicate problems | ICMP messages | Destination unreachable, TTL exceeded |
These terms are often confused:
Routing: The control plane process of determining routes—running algorithms, exchanging protocol messages, building routing tables. This happens in the background, not per-packet.
Forwarding: The data plane process of moving packets—examining headers, looking up tables, sending out the correct interface. This happens for every single packet, millions of times per second.
Analogy: Routing is like planning your road trip route before leaving. Forwarding is the actual act of turning at each intersection.
IP addresses are the network layer's addressing mechanism, providing globally unique (or locally unique in private ranges) identification for network interfaces.
IPv4 Addressing:
IPv4 uses 32-bit addresses, written as four decimal octets (e.g., 192.168.1.1). This provides approximately 4.3 billion possible addresses—which seemed abundant in 1981 but proved woefully insufficient.
Address Structure:
An IPv4 address has two logical parts:
The subnet mask determines where the network portion ends and the host portion begins:
| Class | First Octet Range | Default Mask | Network Bits | Host Bits | Networks / Hosts per Network |
|---|---|---|---|---|---|
| A | 1-126 | 255.0.0.0 (/8) | 8 | 24 | 126 networks, 16M+ hosts each |
| B | 128-191 | 255.255.0.0 (/16) | 16 | 16 | 16,384 networks, 65K+ hosts each |
| C | 192-223 | 255.255.255.0 (/24) | 24 | 8 | 2M+ networks, 254 hosts each |
| D | 224-239 | N/A | N/A | N/A | Multicast |
| E | 240-255 | N/A | N/A | N/A | Reserved/Experimental |
Classless Inter-Domain Routing (CIDR):
The classful system wasted addresses (need 300 hosts? Class C is too small, Class B wastes 65,000). CIDR (introduced 1993) allows any prefix length:
CIDR notation: IP/prefix (e.g., 192.168.1.0/24)
Special Addresses:
| Address/Range | Purpose |
|---|---|
| 0.0.0.0/8 | 'This' network (used in DHCP) |
| 10.0.0.0/8 | Private (RFC 1918) |
| 127.0.0.0/8 | Loopback (localhost) |
| 169.254.0.0/16 | Link-local (APIPA) |
| 172.16.0.0/12 | Private (RFC 1918) |
| 192.168.0.0/16 | Private (RFC 1918) |
| 224.0.0.0/4 | Multicast |
| 255.255.255.255 | Broadcast |
IPv4 addresses were officially exhausted in 2011 (IANA pool) and regionally thereafter. IPv6 provides 128-bit addresses (340 undecillion addresses)—enough for every grain of sand on Earth to have trillions of addresses.
IPv6 format: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
IPv6 adoption is accelerating but IPv4 remains dominant due to NAT, existing infrastructure, and transition complexity.
Every packet traversing an IP network carries an IP header containing the information routers need for forwarding decisions. Understanding this header is essential for packet analysis and troubleshooting.
IPv4 Header Fields:
| Field | Size | Description |
|---|---|---|
| Version | 4 bits | IP version (4 for IPv4) |
| IHL | 4 bits | Internet Header Length in 32-bit words (min 5 = 20 bytes) |
| DSCP | 6 bits | Differentiated Services Code Point (QoS) |
| ECN | 2 bits | Explicit Congestion Notification |
| Total Length | 16 bits | Total packet size including header and data |
| Identification | 16 bits | Fragment identification |
| Flags | 3 bits | DF (Don't Fragment), MF (More Fragments) |
| Fragment Offset | 13 bits | Position of fragment in original datagram |
| TTL | 8 bits | Time To Live—hop limit |
| Protocol | 8 bits | Upper-layer protocol (TCP=6, UDP=17, ICMP=1) |
| Header Checksum | 16 bits | Error detection for header only |
| Source IP | 32 bits | Sender's IP address |
| Destination IP | 32 bits | Recipient's IP address |
| Options | Variable | Rarely used; adds to header length |
IPv6 Header (Simplified):
IPv6 redesigned the header for efficiency:
| Field | Size | Description |
|---|---|---|
| Version | 4 bits | IP version (6) |
| Traffic Class | 8 bits | QoS priority (like DSCP) |
| Flow Label | 20 bits | Identifies flows for special handling |
| Payload Length | 16 bits | Length of data (not including header) |
| Next Header | 8 bits | Identifies next header type (extension or transport) |
| Hop Limit | 8 bits | Like TTL—decremented each hop |
| Source IP | 128 bits | Sender's IPv6 address |
| Destination IP | 128 bits | Recipient's IPv6 address |
Key IPv6 improvements:
Tools like Wireshark decode IP headers automatically, making analysis accessible. Practice capturing packets and examining:
• TTL changes as packets traverse routers
• Protocol field identifying TCP/UDP/ICMP
• DSCP values for QoS marking
• Fragmentation flags in MTU-challenged paths
Understanding the header makes troubleshooting concrete—you can see exactly what the network sees.
Routing is the process of selecting paths in a network along which to send packets. Every router maintains a routing table that maps destination networks to next-hop addresses or exit interfaces.
Routing Table Structure:
A routing table entry typically contains:
Route Selection:
When a packet arrives:
| Route Source | Administrative Distance | Meaning |
|---|---|---|
| Connected | 0 | Directly connected networks—highest trust |
| Static | 1 | Manually configured routes |
| eBGP | 20 | External BGP—routes from other AS |
| EIGRP | 90 | Cisco's Enhanced IGRP |
| OSPF | 110 | Open Shortest Path First |
| IS-IS | 115 | Intermediate System to Intermediate System |
| RIP | 120 | Routing Information Protocol |
| iBGP | 200 | Internal BGP |
| Unknown | 255 | Route will never be used |
Types of Routing:
1. Static Routing:
2. Dynamic Routing:
Routing Protocol Categories:
Interior Gateway Protocols (IGPs): Within a single organization (Autonomous System)
Exterior Gateway Protocols (EGPs): Between organizations (Autonomous Systems)
An Autonomous System is a collection of IP networks under a single administrative domain that presents a common routing policy to the Internet. Each AS has a unique AS Number (ASN).
Examples: Your ISP is an AS. Google, Amazon, Microsoft each have multiple ASNs. BGP routes between these autonomous systems, determining how traffic flows across the global Internet.
Routing protocols use algorithms to determine optimal paths. The two fundamental approaches—distance vector and link state—have different characteristics, trade-offs, and use cases.
Distance Vector Algorithms:
"Tell your neighbors about the world."
Each router maintains a table of distances to every destination. Periodically, routers share their entire routing table with direct neighbors. Neighbors update their own tables based on received information.
Key Characteristics:
The Bellman-Ford Algorithm:
Distance vector protocols are based on the Bellman-Ford algorithm:
Link State Algorithms:
"Tell the world about your neighbors."
Each router discovers its neighbors and link costs, then floods this information to all routers. Every router builds an identical topology database (Link State Database), then independently calculates shortest paths using Dijkstra's algorithm.
Key Characteristics:
Dijkstra's Algorithm (Shortest Path First):
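A shortest-path-first run over a small link-state database, as an added example that is not part of the original page. The four-router topology, its link costs, and the function names are constructed for illustration; the second run shows the recalculation after one link is withdrawn from the database.

```python
import heapq

def spf(lsdb: dict, root: str) -> dict:
    """Dijkstra over lsdb {router: {neighbor: cost}}.

    Returns {destination: (total_cost, first_hop)} as seen from root,
    which is the information a routing table entry needs.
    """
    best = {root: (0, None)}
    heap = [(0, root, None)]
    done = set()
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in done:
            continue                      # stale entry, already settled
        done.add(node)
        for nbr, link_cost in lsdb.get(node, {}).items():
            new_cost = cost + link_cost
            # The first hop is fixed when we leave the root and inherited after.
            hop = nbr if node == root else first_hop
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, nbr, hop))
    del best[root]
    return best

def without_link(lsdb: dict, a: str, b: str) -> dict:
    """Copy of the database with the a<->b adjacency removed (link failure)."""
    copy = {r: dict(nbrs) for r, nbrs in lsdb.items()}
    copy[a].pop(b, None)
    copy[b].pop(a, None)
    return copy

# Constructed link-state database: every router holds this same view.
LSDB = {
    "R1": {"R2": 10, "R3": 1},
    "R2": {"R1": 10, "R3": 2, "R4": 1},
    "R3": {"R1": 1, "R2": 2, "R4": 5},
    "R4": {"R2": 1, "R3": 5},
}

if __name__ == "__main__":
    print(spf(LSDB, "R1"))
    print(spf(without_link(LSDB, "R1", "R3"), "R1"))
```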
Small network (<15 hops): RIP may suffice for simplicity.
Enterprise network: OSPF is the standard—hierarchical design with areas, fast convergence, vendor-neutral.
Service provider/Internet: BGP for inter-AS routing; OSPF or IS-IS for internal.
Cisco-only environment: EIGRP offers fast convergence with simpler configuration than OSPF.
Most modern networks use OSPF internally and BGP externally. RIP is largely legacy.
While routing protocols determine what the routing table should contain, packet forwarding is the actual process of moving packets through a router. This happens for every single packet, at wire speed.
The Forwarding Process:
Forwarding Table vs. Routing Table:
The routing table (RIB—Routing Information Base) contains all known routes with full details. The forwarding table (FIB—Forwarding Information Base) is an optimized version used for actual packet forwarding—typically stored in fast memory or ASICs for wire-speed lookups.
Packet arrives: Source 10.1.1.5, Dest 192.168.2.10, TTL 64
Packet forwarded with new L2 headers, TTL 63
Important Observations:
IP addresses don't change — Source and destination IP remain constant from source host to destination host
MAC addresses change at every hop — At each router, the frame is stripped and a new frame created with:
TTL decreases at every hop — This is how packets eventually die if stuck in a loop
ARP bridges the gap — To send a packet to the next hop, the router must know the next-hop's MAC address. ARP resolves IP → MAC on the local segment.
Longest Prefix Match:
If multiple routes match a destination, the most specific (longest prefix) wins:
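Route selection as an added example (not from the original page): administrative distance picks between sources for the same prefix, then longest prefix match picks between prefixes at lookup time. The routes, next hops, and class name are constructed; the distances come from the table earlier on this page.

```python
import ipaddress

# Administrative distances from the table earlier on this page.
AD = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110, "rip": 120}

class RouteTable:
    """Illustrative routing table: one best route per prefix."""

    def __init__(self):
        self.best = {}  # IPv4Network -> (distance, next_hop, source)

    def add(self, prefix: str, next_hop: str, source: str) -> None:
        net = ipaddress.ip_network(prefix)
        cand = (AD[source], next_hop, source)
        # Same prefix learned twice: the lower administrative distance wins.
        if net not in self.best or cand[0] < self.best[net][0]:
            self.best[net] = cand

    def lookup(self, dst: str):
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.best if addr in net]
        if not matches:
            return None  # no route: packet is dropped
        # Longest prefix match: the most specific network wins,
        # regardless of which protocol supplied it.
        net = max(matches, key=lambda n: n.prefixlen)
        _, next_hop, source = self.best[net]
        return str(net), next_hop, source

def demo_table() -> RouteTable:
    """Constructed sample routes."""
    rt = RouteTable()
    rt.add("0.0.0.0/0", "203.0.113.1", "static")
    rt.add("192.168.0.0/16", "10.0.0.2", "ospf")
    rt.add("192.168.2.0/24", "10.0.0.3", "rip")
    rt.add("192.168.2.0/24", "10.0.0.4", "ospf")   # replaces the RIP route
    rt.add("192.168.2.128/25", "10.0.0.5", "rip")
    return rt

if __name__ == "__main__":
    rt = demo_table()
    for dst in ("192.168.2.10", "192.168.2.200", "192.168.9.1", "8.8.8.8"):
        print(dst, "->", rt.lookup(dst))
```

Note the `/25` learned from RIP still wins for `192.168.2.200` even though the covering `/24` came from OSPF with a lower distance: administrative distance only compares routes to the same prefix.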
Software forwarding (general-purpose CPU): Flexible but limited to ~100Kpps to ~1Mpps. Used in: Virtual routers, small branch routers.
Hardware forwarding (ASICs): Fixed-function chips achieving 100+Mpps at wire speed. Used in: Enterprise switches, data center routers.
Modern high-end routers use specialized hardware (Memory, TCAMs, NPUs) for forwarding while running routing protocols on general-purpose CPUs. This separation of control plane and data plane is fundamental to router architecture.
Different network technologies have different Maximum Transmission Unit (MTU) sizes—the largest packet that can traverse a link without fragmentation. When a packet exceeds the MTU of the next hop, fragmentation may occur.
Common MTU Values:
| Technology | MTU |
|---|---|
| Ethernet | 1500 bytes |
| Jumbo Frames | 9000 bytes |
| PPP | 576-1500 bytes |
| ATM (AAL5) | 9180 bytes |
| FDDI | 4352 bytes |
| IPv4 minimum | 68 bytes |
| IPv6 minimum | 1280 bytes |
IPv4 Fragmentation:
In IPv4, when a packet exceeds the next-hop MTU:
Problems with Fragmentation:
Path MTU Discovery (PMTUD):
Modern approach to avoid fragmentation:
Caveat: PMTUD requires ICMP to work. Overzealous firewalls that block all ICMP can break PMTUD, causing "black hole" connections where data just disappears.
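The router's decision for an oversized IPv4 packet, as an added example that is not part of the original page: fragment when DF is clear, or drop and report the next-hop MTU when DF is set, which is the ICMP message PMTUD depends on. Function names and the dictionary layout are illustrative; the 4000-byte packet is a constructed input.

```python
def forward(total_len: int, df: bool, mtu: int, ihl_bytes: int = 20):
    """Return ("forward", fragments) or ("drop", icmp_error) for one packet."""
    if total_len <= mtu:
        return "forward", [{"offset": 0, "mf": False, "total_length": total_len}]
    if df:
        # ICMP Destination Unreachable (type 3), code 4: fragmentation
        # needed and DF set. Blocking this message is what breaks PMTUD.
        return "drop", {"icmp_type": 3, "icmp_code": 4, "next_hop_mtu": mtu}
    # Fragment Offset counts 8-byte units, so every fragment except the
    # last must carry a payload that is a multiple of 8 bytes.
    chunk = (mtu - ihl_bytes) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any payload")
    payload, pos, frags = total_len - ihl_bytes, 0, []
    while pos < payload:
        size = min(chunk, payload - pos)
        frags.append({"offset": pos // 8,
                      "mf": pos + size < payload,   # More Fragments flag
                      "total_length": ihl_bytes + size})
        pos += size
    return "forward", frags

def reassembled_length(frags: list, ihl_bytes: int = 20):
    """Destination-side check: original Total Length, or None if incomplete."""
    if not frags:
        return None
    ordered = sorted(frags, key=lambda f: f["offset"])
    expected = 0
    for f in ordered:
        if f["offset"] * 8 != expected:
            return None                   # hole: a fragment has not arrived
        expected += f["total_length"] - ihl_bytes
    if ordered[-1]["mf"]:
        return None                       # final fragment has not arrived
    return ihl_bytes + expected

if __name__ == "__main__":
    print(forward(4000, df=False, mtu=1500))
    print(forward(4000, df=True, mtu=1500))
```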
IPv6 does NOT allow fragmentation at routers—only the source host can fragment. Routers that receive oversized IPv6 packets drop them and send ICMPv6 'Packet Too Big.'
This design forces endpoints to use Path MTU Discovery, reducing router overhead and improving performance. The minimum IPv6 MTU (1280 bytes) is chosen to ensure reasonable functionality even on constrained links.
IP doesn't work alone. Two critical companion protocols support network layer operations:
ICMP (Internet Control Message Protocol):
ICMP is IP's error-reporting and diagnostic mechanism. It travels encapsulated in IP packets (Protocol = 1) but is considered part of the network layer.
Key ICMP Message Types:
| Type | Name | Purpose |
|---|---|---|
| 0 | Echo Reply | Response to ping |
| 3 | Destination Unreachable | Host/network/port unreachable |
| 4 | Source Quench | Congestion (deprecated) |
| 5 | Redirect | Inform host of better route |
| 8 | Echo Request | Ping |
| 11 | Time Exceeded | TTL expired (used by traceroute) |
| 12 | Parameter Problem | Invalid header field |
Ping: Uses ICMP Echo Request/Reply to test reachability
Traceroute: Sends packets with incrementing TTLs; ICMP Time Exceeded reveals each hop
ARP (Address Resolution Protocol):
ARP maps IP addresses to MAC addresses on the local network. It operates at the boundary between Layers 2 and 3.
How ARP Works:
ARP Cache:
Devices maintain an ARP cache (table) to avoid repeated broadcasts:
arp -a (Windows/Linux), show arp (Cisco)
IPv6 replaces ARP with Neighbor Discovery Protocol (NDP), which uses ICMPv6 messages. NDP provides:
• Neighbor Solicitation/Advertisement (like ARP Request/Reply)
• Router Solicitation/Advertisement (auto-discovery of routers)
• Redirect messages
• Duplicate address detection
NDP uses multicast instead of broadcast, improving efficiency.
The network layer enables global communication by providing logical addressing and routing across interconnected networks. Let's consolidate the essential concepts:
What's Next:
With global addressing and routing established, we ascend to Layer 4: The Transport Layer—where the focus shifts from host-to-host to process-to-process communication. We'll explore how TCP and UDP deliver data to the right applications, provide reliability (or choose not to), and manage the flow of data end-to-end.
You now understand OSI Layer 3—the network layer—where logical addressing and routing enable global connectivity. From IP addressing to routing algorithms, from packet forwarding to fragmentation, you've explored the layer that makes the Internet possible. Next, we'll examine the transport layer, where reliable (and unreliable) end-to-end communication is built.