SONiC Capabilities: Empowering Networks with Open-Source Solutions

Download PDF

Containerized NOS: The Architecture That Broke Data Center Lock-In – and the Access Tier Problem That Remains

July 7, 2026

Hyperscalers have run containerized NOS at scale for nearly a decade. The majority of enterprise access and campus switches still run proprietary software. The gap between those two realities is both a technical problem and a market signal.

The same architectural shift that reshaped how compute workloads run – containerization, microservices, modular software components – has been underway in networking for nearly a decade. SONiC, the containerized network operating system, proved that disaggregated NOS can manage thousands of switches and millions of routes in production environments. The evidence is in the infrastructure running global-scale cloud services today.

What that success story obscures is the layer of the network where the architectural revolution has not yet arrived. Access switches, campus switches, out-of-band management platforms – the hardware that represents the majority of physical switch ports in any real network – still overwhelmingly run proprietary, monolithic software. Community SONiC’s resource requirements are the primary barrier.

In this article, we will discover the specific compounding failure modes of monolithic NOS design, how SONiC’s container architecture eliminates them at the system level, and how PLVision’s SONiC Lite extends containerized NOS to resource-constrained platforms without requiring teams to build a dedicated NOS.

Considering a switch to open-source networking?

Explore the reasons to choose an open-source NOS like SONiC, along with a breakdown of the Total Cost of Ownership (TCO) for both proprietary and open-source solutions.

The Numbers Behind the Shift

Network infrastructure is changing because the economics and operational demands of modern environments have made the legacy model untenable, not because operators are chasing architectural novelty.

Goldman Sachs Research estimates that data center power demand will grow 165% by 2030 compared to 2023 levels, driven by AI workloads that consume roughly 10x the electricity of a standard web query. That infrastructure pressure lands directly on the network and on the operational teams responsible for managing it. Networks built on monolithic NOS, where a vendor’s release cycle sets the pace of every change, cannot adapt at the speed AI-driven infrastructure now requires.

The market response reflects this urgency. The U.S. disaggregated infrastructure market is projected to expand from $16.8 billion in 2025 to $29.4 billion by 2033, at a CAGR of 7.4%. That trajectory represents operators who have watched hyperscaler infrastructure run disaggregated NOS at scale and have concluded that waiting on proprietary vendor roadmaps is a competitive liability.

U.S. Disaggregated Infrastructure Market Growth and SONiC Community Milestones

On the open software side, SONiC has attracted contributions from more than 4,250 members across 520+ organizations, spanning silicon providers, hardware vendors, and cloud operators. Community engagement at that scale is a production signal. It means silicon vendors are qualifying ASICs, OEMs are validating hardware, and operators are deploying in production environments.

Four Failure Modes Baked Into Monolithic NOS Design

A monolithic network operating system runs as a single, indivisible codebase. Every network function – BGP routing, LLDP discovery, QoS policies, DHCP relay, hardware diagnostics, SNMP polling – lives within one unified image. That design creates four compounding failure modes that become more severe as network scale and operational velocity increase.

  • Update coupling. In a monolithic NOS, patching a single protocol daemon requires rebooting the entire system. A BGP security fix triggers a full software reload, including protocols and services unrelated to the vulnerability. The blast radius of any maintenance window is always the entire switch. In environments where uptime requirements are measured in minutes per year, this constraint forces operators to defer critical patches, which is exactly the posture that expands security exposure over time.
  • Feature development friction. Tightly interwoven code makes adding or modifying features expensive and slow. A new QoS model or an updated forwarding behavior requires understanding and modifying shared code paths that touch every other function. Developer velocity drops, vendor roadmap timelines extend, and operator infrastructure falls progressively behind what the hardware is capable of running.
  • Fault propagation across function boundaries. A bug in one protocol implementation can corrupt shared system state and bring down the entire NOS. There are no isolation boundaries between functions. A memory leak in the SNMP daemon can become a routing outage. A crash in hardware monitoring can destabilize the control plane. Functions share fate because they share a process.
  • Hardware lock-in enforced through NOS bundling. Monolithic NOS vendors have traditionally controlled both the software and the hardware qualification process. Operators who need a qualified hardware upgrade must buy from the same vendor, at the vendor’s price, on the vendor’s timeline. Cross-sourcing leverage is structurally unavailable. Hardware end-of-life timelines are set by vendor commercial decisions.

These failure modes interact in ways that amplify each problem. An operator who cannot patch promptly because of update coupling carries a growing security debt. That same operator cannot respond to events from unpatched vulnerabilities quickly enough, because every response action requires a maintenance window that disrupts production. The monolithic model makes individual operations harder and makes the cumulative management burden grow in proportion to network scale.

Monolithic NOS and Containerized NOS (SONiC)

How SONiC’s Containerized NOS Architecture Eliminates Each Failure Mode

SONiC resolves all four failure modes through one architectural principle: every network function runs in a separate Docker container, and all inter-service communication flows through a centralized Redis key-value database. That principle is simple to state and consequential in practice.

The BGP routing stack runs in its own container, using the FRRouting (FRR) daemon with bgpd for protocol processing and zebra as the Routing Information Base manager. LLDP for topology discovery runs independently. Link aggregation (LAG) is managed by Teamd. Hardware monitoring – sensors, power supplies, fan states – runs in the PMON container, isolated from routing. DHCP relay runs separately.

The Switch State Service container (SWSS), driven by the orchestration agent orchagent, sits at the coordination layer. It monitors application-level routing tables, translates them into hardware-independent instructions, and passes them to the Syncd container – which programs the physical ASIC through the Switch Abstraction Interface (SAI).

SONiC-Based Custom Product Development

PLVision specializes in developing custom SONiC-based distributions tailored to the specific functionality required for your unique use case.

All state flows through five logical databases in Redis: APPL_DB carries calculated routing metrics and neighbor tables from protocol engines; CONFIG_DB holds persistent configuration state; STATE_DB tracks operational states and dependency resolution (preventing, for example, a VLAN interface from attempting configuration on an uninitialized physical port); ASIC_DB holds the translated state Syncd uses to program silicon; COUNTERS_DB accumulates port statistics and hardware diagnostics.

How each failure mode is resolved:

  • Update coupling. Patching the BGP container requires no restart of LLDP, PMON, or any other service. The patch is applied, the BGP container restarts, and the rest of the system continues forwarding normally. In a warm reboot scenario, SONiC writes its Redis database state to JSON files on the host filesystem before restarting control-plane containers. The physical ASIC continues forwarding transit traffic at line rate while the control plane restores state from the saved files on restart. That is a maintenance operation – a container restart followed by state reconciliation – rather than a network outage.
  • Feature development friction. Container boundaries enforce separation of concerns in the codebase. Protocol daemon developers work within a defined interface to Redis without knowledge of other containers’ internals. Feature development in one container does not require understanding the codebase of adjacent services. New capabilities can be added, tested, and deployed as container updates without modifying shared code paths.
  • Fault isolation. A crash or memory leak in one container does not propagate to others. The Redis state store provides a stable foundation: containers read a consistent network state from the database even if a neighbor container has restarted. The system degrades gracefully rather than failing catastrophically.
  • Hardware portability through SAI. SAI is the critical layer that maps SDK capabilities into a stable, testable interface for SONiC and other open NOS environments. A SONiC distribution qualified for Broadcom-based hardware can be ported to Marvell or Centec hardware through SAI implementation work, without rewriting control-plane logic. The same NOS codebase spans multiple silicon vendors – which is what makes white-box hardware selection viable.
  • GitOps-ready operations. Because SONiC’s entire configuration state is expressible as Redis database entries and serializable to JSON, the desired state of a switch can be defined declaratively in a Git repository, validated in CI pipelines, and reconciled automatically against the running switch by a GitOps agent. Configuration drift is detectable and correctable without manual CLI intervention. That is a maintenance and compliance workflow that monolithic NOS CLIs were never designed to support.

SONiC Control Plane Architecture

The Access Tier Barrier: Where Community SONiC’s Architecture Runs Out of Headroom

SONiC’s containerized architecture has a production record spanning thousands of switches in hyperscale data center environments. The challenge is that Community SONiC’s resource requirements were designed for that context – compute headroom typically provisioned through x86 processors (Community SONiC’s build system also supports ARM, but the amd64/x86 path is where most of the ecosystem’s Docker images and platform drivers are validated in practice), multiple gigabytes of RAM, 16+ gigabytes of storage, running a full Debian Linux stack with a Docker container runtime.

An access or campus switch is typically built around a 2-core ARM processor with ~2 GB of RAM and ~3 GB of storage. That hardware profile represents the majority of physical switch ports in any real enterprise network, across data center out-of-band management planes, campus distributions, edge aggregation points, and branch infrastructure. It is also the hardware profile that makes cost-effective white-box switching commercially viable for OEM and ODM vendors.

Community SONiC, with its full containerized stack, does not run on that hardware. The minimum viable platform for Community SONiC requires substantially more compute and memory than the access tier provides, which means that the architectural shift that freed data center cores from proprietary lock-in has not carried to the edge.

Learn more about SONiC's architecture, its capabilities, and explore inspiring success stories of SONiC deployments across diverse network environments.

The result is a structural fragmentation that undermines the operational benefits of open networking. Operators who adopt SONiC in the data center core still run proprietary NOS on access and management tiers – because there is no lightweight SONiC distribution that fits those platforms. Different NOS vendors mean different automation interfaces, different lifecycle management models, different support contracts, and different training requirements for the engineering team managing the estate. The vendor independence gained at the core is partially offset by the vendor dependency that remains at the edge.

The Access Tier Barrier

This fragmentation has a hardware lifecycle dimension as well. Access-tier switches managed through proprietary NOS remain subject to the commercial decisions of those vendors – end-of-support timelines, hardware certification requirements, and feature prioritization that may not align with the operator’s actual network requirements. The architectural improvement at the core does not transfer.

Closing the Gap: What the Right Engineering Approach Delivers for Hardware Vendors and Operators

Closing the access tier gap requires a SONiC distribution engineered specifically for the resource constraints of access and campus hardware – one that removes the overhead of the full containerized stack while preserving the functional capabilities that matter for production deployments at that tier.

PLVision, an open networking software engineering company with 17+ years of SONiC and open networking engineering depth, built SONiC Lite to address this specific gap. SONiC Lite is an enterprise SONiC distribution built for cost-effective access and management platforms in data center, edge, and campus deployments. Unlike traditional Community SONiC, which was designed mainly for data center environments, SONiC Lite is optimized for platforms with limited CPU, RAM, and storage while preserving key vendor-specific elements such as SAI and platform integrations.

Work with the SONiC Experts

Benefit from PLVision's deep experience delivering enterprise SONiC solutions across industries.

The result is a lighter, production-ready NOS that helps OEMs and enterprises build efficient, vendor-neutral networks with lower hardware overhead and faster time to market.

The engineering approach starts from the access-tier hardware profile. SONiC Lite targets 2-core ARM platforms with ~2 GB RAM and ~3 GB storage – the hardware that access-tier economics require. It ships with the L2 and L3 capabilities needed for real deployments: standard switching and routing, alongside capabilities relevant specifically to the access and campus context that Community SONiC does not address. xSTP for spanning tree in multi-vendor access environments. PoE++ per-port power management with granular control – relevant for any access deployment managing IP phones, cameras, and wireless APs. Wi-Fi out-of-band link support for campus management planes.

Seeking out SONiC Distribution
for cost-effective management
and access switches?

Download the SONiC Lite product brief to explore detailed features, supported use cases, and the current hardware compatibility list.

Get product brief

SAI abstraction is preserved in full, which means multi-silicon support across different platforms, and OEM vendors can white-label the distribution for their hardware without building a NOS engineering organization. The qualification and lifecycle discipline that PLVision applies – hardware-specific validation, security patch management, and structured support – means OEM teams take on neither the maintenance burden nor the build-from-scratch NOS investment.

For OEM teams, targeting hardware platforms that the access tier actually ships with changes the commercial math on switch products. When the NOS qualifies on 2-core ARM hardware with ~2 GB RAM rather than requiring x86 compute, the bill-of-materials cost drops at the hardware level – not through software feature trade-offs, but through a distribution architected to run on the target silicon from the start.

For DC operators running SONiC in the core, SONiC Lite means the management and OOB network tiers can run on the same NOS family – consistent automation interfaces, unified lifecycle management, and a single operational model spanning from spine to access switch.

For hardware vendors developing open switches for campus, branch, and edge deployments, PLVision’s Embedded SONiC Lite, a streamlined version of SONiC Lite, extends the approach further. It removes the overhead of standard containerized SONiC, delivering faster boot time, smaller footprint, and lower hardware requirements on resource-constrained platforms. At the same time, it preserves the essential Layer 2 and Layer 3 capabilities needed for real deployments. The result is a production-ready, enterprise-hardened NOS that helps vendors bring cost-effective, differentiated SONiC-based products to market faster and with lower engineering effort.

Community SONiC & SONiC Lite

What Network Engineers Should Actually Do

  1. Audit your NOS estate before assuming SONiC coverage is complete. Map every switch port in your network against the NOS running on it. SONiC – community or commercial – likely covers core and leaf tiers. Access, campus, OOB management, and edge switches are typically running proprietary software, and the operational cost of that fragmentation does not appear in a topology diagram. It surfaces in automation projects that stop at the access tier, security patch cycles managed through separate vendor portals, and procurement negotiations where you have no cross-sourcing leverage.
  2. Qualify your access-tier hardware against SONiC Lite’s target platform profile. If you’re running 2-core ARM-class switches at the access or edge layer, evaluate whether a SONiC-based distribution engineered for that hardware profile can replace the proprietary NOS without a hardware refresh. The commercial case for NOS consolidation depends on the software fitting the existing silicon – not on buying new hardware to satisfy a NOS requirement that was designed for a different context.
  3. Separate the containerization principle from the Community SONiC build. SONiC’s container architecture is the right design model for production network operating systems. The question for access and campus deployments is which distribution delivers that architecture within the actual hardware constraints of the target platform. Evaluate distributions against your hardware specification, not against a reference data center configuration. A distribution that requires hardware you do not have is not a viable production option, regardless of its feature list.
  4. Treat SAI validation as a first-order selection criterion. The SAI implementation between the NOS and your specific ASIC determines whether a distribution works in production environments. Validated SAI coverage for your target silicon – verified against a specific hardware combination on a qualified HCL rather than a claimed supported ASIC list – is the difference between a distribution that runs in a demo environment and one that survives a production maintenance window. Ask for hardware compatibility list evidence before committing to a platform.
  5. Build lifecycle criteria into your evaluation alongside feature criteria. The choice between Community SONiC, a commercial distribution, and a purpose-built access-tier distribution is a lifecycle commitment, not a feature selection. Evaluate security patch frequency, backport policy for stable baselines, and hardware qualification cycle discipline alongside capabilities. A distribution without a defined lifecycle model places the maintenance burden on your engineering team – a cost that does not appear in the vendor’s pricing but shows up on your headcount.
  6. For OEM teams: consider NOS lifecycle ownership before deciding to build. The engineering investment to qualify, harden, and maintain a SONiC distribution for a specific hardware platform is substantial – typically 18–24 months of dedicated NOS engineering to reach a production-ready baseline, followed by ongoing maintenance against community SONiC releases, security advisories, and hardware qualification cycles. A purpose-built distribution with an existing qualified baseline and a structured support model eliminates that build cost and accelerates the time from silicon qualification to shipping product.

The Bottom Line

SONiC’s containerized architecture resolved a fundamental structural problem in how network operating systems are built and maintained. The production record is substantial: hyperscale environments running thousands of switches on containerized NOS, with update cycles measured in container restarts rather than full system reboots, fault isolation that prevents protocol bugs from becoming network outages, and hardware portability through SAI that ends single-vendor procurement constraints. That case has been settled in production deployments – the remaining question is one of reach rather than proof.

The remaining engineering challenge is scope. Community SONiC’s resource requirements created a ceiling that left the access and campus tiers operating under the monolithic model that hyperscale data centers moved past years ago. Closing that gap requires a distribution designed from the hardware profile outward.

The operational benefit of closing that gap is a consolidated NOS estate: one NOS family with consistent automation interfaces, unified lifecycle management, and a single operational model spanning from data center spine to access switch. That is the architecture organizations running SONiC at the core have been positioned to extend. The access tier is where that extension stalls – and where the right engineering approach makes the difference between a partial open-networking deployment and a complete one.

Contact Us to Discuss Your Use Case

Learn how PLVision helps organizations take back control of their infrastructure – explore our open-source solutions.
Message:
Your message has been sent, thank you! We will contact you as soon as possible.
Vadym Hlushko