The SDN controller ecosystem encompasses dozens of implementations—from academic research projects to carrier-grade commercial platforms. Navigating this landscape requires understanding not just feature lists, but the architectural philosophies, target use cases, and community dynamics that shape each controller.

This page profiles the most significant SDN controllers in production today. We'll examine open-source giants like ONOS and OpenDaylight, commercial leaders like Cisco ACI and VMware NSX, and specialized controllers for specific domains. For each, we'll explore architecture, distinctive features, deployment patterns, and appropriate use cases.

By the end of this exploration, you'll understand the major players in the SDN controller market and have the context needed to evaluate controllers for specific deployment scenarios.

ONOS (Open Network Operating System) is a carrier-grade, distributed SDN controller designed for high availability, scalability, and performance. Developed initially by ON.Lab and now stewarded by the Open Networking Foundation (ONF), ONOS targets service provider and large enterprise deployments.

Architecture Overview

ONOS is built as a distributed system from the ground up:

• Cluster Architecture: Multiple ONOS instances form a cluster, sharing state and responsibility
• Distributed Core: Atomix-based distributed primitives for state management and consensus
• Subsystems: Modular subsystems handle topology, flow, host, and intent management
• Applications: SDN applications run as OSGi bundles on the ONOS platform

Key Architectural Components

• Atomix: Distributed coordination framework providing consensus, leadership election, and distributed data structures
• Device Subsystem: Manages switch discovery and representation
• Link Subsystem: Maintains topology graph via LLDP-based discovery
• Host Subsystem: Tracks end-host locations and movements
• Flow Subsystem: Programs flow rules across devices
• Intent Framework: High-level path and connectivity abstraction

Intent Framework

ONOS's Intent Framework is a signature feature:

• High-Level Abstraction: Express connectivity requirements, not flow rules
• Automatic Path Computation: ONOS computes optimal paths satisfying constraints
• Automatic Recovery: Intent survives failures—ONOS finds alternative paths
• Intent Types: HostToHost, PointToPoint, MultiPointToSinglePoint, SinglePointToMultiPoint

Deployment Characteristics

• Cluster Size: Typically 3, 5, or 7 instances for production
• Mastership: Each device has a single master controller
• Failover Time: Sub-second failover with standby mastership
• Scale: Tested to thousands of devices and millions of flows

Target Use Cases

• Carrier access networks (CORD, SEBA)
• Large-scale SD-WAN
• Programmable data center fabrics (Trellis)
• Research networks requiring customization

OpenDaylight (ODL) is a modular, multi-protocol SDN controller developed under the Linux Foundation. Unlike ONOS's carrier focus, OpenDaylight targets enterprise and data center use cases with extensive multi-vendor integration.

Architecture Overview

OpenDaylight is built around the Model-Driven Service Abstraction Layer (MD-SAL):

• Model-Driven: YANG models define all data structures and APIs
• Modular Design: Features delivered as Karaf features; enable only what's needed
• Multi-Protocol: Native support for OpenFlow, NETCONF, BGP, OVSDB, and more
• Plugin Architecture: Southbound plugins for different protocols; northbound APIs generated from models

Key Architectural Components

• MD-SAL (Model-Driven SAL): Central data broker with transaction support
• Data Store: Configuration and operational stores with notification support
• Clustering: Akka-based clustering for high availability
• Karaf: OSGi container for feature management
• AAA: Authentication, Authorization, and Accounting services
• DLUX: Web UI for visualization and management

Model-Driven Architecture

OpenDaylight's model-driven approach has profound implications:

• YANG as Truth: All data modeled in YANG; APIs derived automatically
• Consistent Interfaces: Same data accessible via RESTCONF, NETCONF, and Java
• Schema Enforcement: Invalid data rejected by data store
• Documentation Generation: API docs generated from models
• Multi-Vendor Alignment: OpenConfig models work across vendors

Deployment Characteristics

• Cluster Mode: 3-node clusters typical for HA
• Resource Requirements: High memory (8GB+ for production clusters)
• Startup Time: Longer startup as features initialize
• Feature Selection: Only enable needed features to manage resources

Target Use Cases

• Enterprise data center automation
• Multi-vendor, multi-protocol environments
• WAN SDN with Segment Routing (PCEP, BGP-LS)
• NFV orchestration requiring device configuration
• Environments with NETCONF-capable devices

Cisco Application Centric Infrastructure (ACI) is a proprietary SDN solution for data center networks. Unlike open-source controllers that manage multi-vendor devices, ACI integrates deeply with Cisco Nexus 9000 switches to deliver a unified fabric.

Architecture Overview

ACI comprises three core components:

• APIC (Application Policy Infrastructure Controller): The SDN controller cluster
• Nexus 9000 Leaf Switches: Top-of-rack switches with ACI mode firmware
• Nexus 9000 Spine Switches: Spine switches completing the Clos fabric

The system operates as an integrated whole—APIC doesn't just program switches, it manages the complete fabric lifecycle.

The Policy Model

ACI centers on an object-oriented policy model:

• Tenants: Top-level administrative domains (like a tenant in cloud)
• Application Profiles: Group of related EPGs (Endpoint Groups)
• EPGs: Logical groupings of endpoints (VMs, bare metal, containers)
• Contracts: Policies controlling communication between EPGs
• Bridge Domains: L2 broadcast domains
• VRFs: L3 routing contexts

Intent-Based Networking in ACI

ACI operationalized intent-based networking before the term became popular:

• Declarative Model: Define what you want (EPGs, contracts), not how to achieve it
• Policy Rendering: APIC translates policy into switch configurations
• Automatic Optimization: Fabric handles multipathing, load distribution
• Closed-Loop Verification: APIC verifies policy is correctly applied

Deployment Characteristics

• APIC Cluster: Typically 3 APIC controllers for HA
• Fabric Discovery: Switches auto-discovered and provisioned
• No CLI Management: All configuration via APIC (GUI, API, or tools)
• In-Band Management: APIC uses the fabric for control traffic

Integration Ecosystem

• VMware Integration: APIC manages VMware vDS, micro-segmentation
• Kubernetes/OpenShift: ACI CNI plugin for container networking
• Public Cloud: ACI Multi-Site extends fabric to AWS, Azure
• Terraform Provider: Infrastructure as Code support
• Ansible Modules: Configuration automation

VMware NSX is a network virtualization platform that creates software-defined networks independent of physical infrastructure. Unlike traditional SDN controllers that manage physical switches, NSX virtualizes the entire network layer.

Architecture Overview

NSX operates at the hypervisor level:

• NSX Manager: Central management and control plane
• NSX Controllers: Distributed control for VXLAN and routing
• vSphere ESXi: Hypervisors with kernel modules for data plane
• NSX Edge: Gateway for L3 routing, VPN, load balancing, firewall

Two Product Lines

• NSX-T Data Center: Multi-hypervisor, multi-cloud (current focus)
• NSX-V (vSphere): vSphere-only, legacy product

The Overlay Model

NSX creates virtual networks using overlays:

• VXLAN/GENEVE Encapsulation: Virtual network traffic over physical IP fabric
• Physical Network Agnostic: Any L3 fabric provides underlay; NSX handles rest
• Logical Switches: Span across physical infrastructure
• Logical Routers: Distributed routing at hypervisor level
• Distributed Firewall: Micro-segmentation at virtual NIC level

Micro-Segmentation

NSX's distributed firewall enables zero-trust security:

• vNIC-Level Enforcement: Firewall runs in kernel at virtual NIC
• Workload Follows Policy: VMs carry security policy during migration
• Application-Centric Groups: Group by application name, not IP address
• Least-Privilege: Default deny; explicitly allow required communication
• Integration with NSX Intelligence: ML-driven policy recommendations

Multi-Cloud Support

NSX extends beyond on-premises:

• VMware Cloud on AWS: NSX manages cloud networking
• Azure VMware Solution: NSX included in AVS
• GCP VMware Engine: Consistent networking across clouds
• Federation: Connect multiple NSX domains with unified policy

Deployment Characteristics

• NSX Manager Cluster: 3, 5, or 7 nodes for HA
• vSphere Requirement: Requires VMware virtualization (ESXi)
• Physical Underlay: Simple L3 fabric sufficient
• Licensing: Subscription or perpetual; tiered by feature set

Beyond the major players, several specialized and emerging controllers deserve attention for specific use cases.

Juniper Contrail/Tungsten Fabric

Originally Juniper's SDN controller, now open-sourced as Tungsten Fabric:

• Focus: NFV and telco cloud networking
• Architecture: Distributed control plane with BGP-based routing
• Key Feature: OpenStack and Kubernetes integration
• Use Case: Service providers deploying virtualized network functions

Arista CloudVision

Arista's management and automation platform:

• Focus: Data center leaf-spine fabrics
• Architecture: Centralized visibility with distributed control (EOS)
• Key Feature: Network-wide telemetry and streaming analytics
• Use Case: High-performance data centers with Arista switches

Nokia Nuage Networks

Nokia's SD-WAN and data center SDN platform:

• Focus: Enterprise SD-WAN and data center connectivity
• Architecture: VSC (controller) + VRS (virtual router) + VSD (orchestration)
• Key Feature: Policy-based automation with strong WAN optimization
• Use Case: Enterprises with distributed branches and data centers

Educational and Research Controllers

For learning and research, simpler controllers remain valuable:

Ryu Controller

• Python-based, component-oriented
• Simple to understand and extend
• Good for learning OpenFlow concepts
• Limited production scalability

Floodlight

• Java-based, Apache licensed
• Modular architecture with REST API
• Historical importance (Big Switch origins)
• Largely superseded by newer controllers

POX

• Python-based (Python 2)
• Very simple, easy to modify
• Excellent for classroom use
• Not maintained for production

Faucet

• Python-based, production-oriented
• Configuration-driven (YAML)
• Prometheus/Grafana integration
• Good for smaller OpenFlow deployments

With multiple controller options available, comparative analysis helps clarify selection decisions. Let's examine how major controllers compare across critical dimensions.

Architecture Philosophy

Controllers differ in fundamental approaches:

• ONOS: Distributed-first, carrier-grade, flow-centric
• OpenDaylight: Model-driven, multi-protocol, enterprise-friendly
• Cisco ACI: Integrated fabric, policy-centric, intent-based
• VMware NSX: Overlay virtualization, hypervisor-centric, security-focused

These philosophies shape every aspect of operation—deployment complexity, integration patterns, and optimal use cases.

Scale and Performance Characteristics

• ONOS: Millions of flows, thousands of devices, sub-second failover
• OpenDaylight: Thousands of devices, moderate flow scale, configuration-optimized
• Cisco ACI: Data center scale (hundreds of leaves), hardware-accelerated
• VMware NSX: Tens of thousands of workloads, hypervisor-native performance

Integration Ecosystem

• ONOS: ONF ecosystem (CORD, Trellis), P4/Stratum alignment
• OpenDaylight: Broad vendor support, OpenStack, Kubernetes
• Cisco ACI: VMware, Kubernetes, MultiCloud (AWS/Azure)
• VMware NSX: vSphere/vCenter, Kubernetes, Multi-cloud

Operational Complexity

• ONOS: Medium-high (distributed systems expertise needed)
• OpenDaylight: High (feature complexity, YANG learning curve)
• Cisco ACI: Medium (integrated solution, but policy model complexity)
• VMware NSX: Medium (tightly coupled with vSphere)

Selecting an SDN controller requires systematic evaluation against organizational requirements. This framework guides the selection process.

Step 1: Define Requirements

Before evaluating controllers, clarify needs:

• Scale: How many devices? How many flows? Geographic span?
• Use Case: Data center? Campus? WAN? Carrier access?
• Protocols: What southbound protocols do devices support?
• Integration: What systems must the controller interact with?
• Operations: What expertise exists? What support is needed?
• Budget: License tolerance? Support requirements?

Step 2: Filter by Hard Requirements

Eliminate options that cannot meet non-negotiable requirements:

• If you need NETCONF: Consider ODL (native) over ONOS (limited)
• If you have only VMware: NSX is natural fit
• If you're Cisco-committed: ACI removes integration friction
• If carrier scale required: ONOS designed for it
• If budget-constrained: Open source necessary

Step 3: Evaluate Shortlist

For remaining candidates, evaluate:

• Proof of Concept: Deploy in lab; test key use cases
• Integration Testing: Connect to actual systems
• Performance Testing: Load test at projected scale
• Operations Evaluation: Day 2 tasks (upgrade, troubleshoot, backup)
• Community/Support Assessment: Response time, quality, roadmap

Step 4: Total Cost Analysis

Calculate actual costs:

• Hardware (switches, controller servers)
• Software (licenses, subscriptions)
• Integration (development, testing)
• Operations (training, support, staffing)
• Opportunity cost (time to value)

Step 5: Risk Assessment

• Vendor/community stability
• Technology maturity
• Lock-in implications
• Migration path if choice fails

We've explored the major SDN controller implementations, examining their architectures, strengths, and appropriate use cases. Let's consolidate the key insights:

What's Next:

With knowledge of specific controllers, we'll complete this module by examining controller selection criteria in detail. We'll develop evaluation frameworks for matching controller capabilities to deployment requirements, enabling informed architectural decisions.