Firewall – FloodLight OpenFlow controller – ACLs, Firewall, static rules – what is the difference between them

A normal switch works independently of the rest of the network.

A OpenFlow/SDN switch, when it receives a packet, that it does not have a flow for (Match + exit port) will contact a SDN controller (Server) and ask what must it do with this packet. The controller can then download a flow to the switch, possibly including some packet manipulation. Once the flow is downloaded to the switch it will switch similar packets at wire-speed.

Why is centralizing the decision such a big deal?

Having a central server that knows the network layout and can make all the switching decisions and build the paths gives us new capabilities.

1. The SDN controller could route non-critical/bulk traffic on longer routes that are not fully utilized.
2. The SDN controller could send the initial couple of packets to a firewall, and once the firewall is happy/accepts the flow, the SDN controller can bypass the firewall thus removing the load from it and allowing multi-gigabit data centers to be fire-walled.
3. The SDN controller can easily implement load-balancing also at high data rates by just directing different flows to different hosts, only doing the set-up of the initial flows.
4. Traffic can be isolated without the need for VLANs, the SDN controller can just refuse certain connections.
5. Setup a network TAP/Sniffer easily for any port or even specific traffic by programming the network to send a duplicate stream to a network monitoring device.
6. It allows for the development of new services and ideas all in software on the SDN controller. OpenFlow-Actions

Good question. The 5 second, and facetious answer is that OpenSwitch needs real wires and ports whereas OpenVswitch doesn't.

In more detail: OpenSwitch is switching software that you ultimately deploy onto a physical switch. Think of it as the equivalent of IOS or CatOS or JunOS. It's going to be controlling some real hardware ports. OpenVSwitch, on the other hand, is switching software that you deploy on a virtualized or cloud layer. There are no hardware ports on this switch: its representation is entirely in software. For example, when you have two virtual machines running on a compute hosts, talking to one another, their traffic will be crossing a virtual switch.

In even more detail: OpenSwitch expects to use ONIE hardware whereas OpenvSwitch only cares that you have some virtualization plumbing.

There is a lot of work going into SDN and virtualized switching right now. For example, imagine that you could control the ONIE device by software based on workloads and conditions. This is your SDN play. In another domain: how do you get the best possible performance out of a software vswitch when it's running in an environment where the host CPU has to service a bunch of competing tasks? It's a very interesting area.