Multitenancy: Assigning Cisco SD-WAN Controllers to Tenants

Feature history for assigning Cisco SD-WAN Controllers to tenants

Table 1. Feature history
Feature name Release information Description
Flexible tenant placement on multitenant Cisco Catalyst SD-WAN Controllers Cisco vManage Release 20.9.1 With this feature, while onboarding a tenant to a multitenant deployment, you can choose the pair of multitenant Cisco SD-WAN Controllers that serve the tenant. After onboarding a tenant, you can migrate the tenant to a different pair of multitenant Cisco SD-WAN Controllers, if necessary.

Assigning SD-WAN Controllers to Tenants

Multitenancy

Multitenancy is a Cisco SD-WAN deployment model that

  • allows multiple tenants to share the same Cisco SD-WAN infrastructure,

  • assigns dedicated logical resources (such as controllers and organization names) to each tenant for isolation, and

  • supports automatic or flexible placement of Cisco SD-WAN Controller during tenant onboarding.

Types of multitenancy assignments

There are two types of multitenancy assignments in Cisco SD-WAN:

  • Automatic tenant placement: Cisco SD-WAN Manager automatically assigns controllers to tenants using an internal algorithm during onboarding.

  • Manual tenant placement: You can manually select the pair of SD-WAN Controllers for a tenant based on utilization and resource availability.

Manual tenant placement

With manual tenant placement, you can select controller pairs during onboarding, view controller capacity (such as tenants, WAN Edge devices, CPU, memory), and migrate tenants or add controllers to optimize utilization.

Availability and configuration

From Cisco vManage Release 20.9.1, you can use manual tenant placement as an optional feature. By default, vManage performs automatic tenant placement, but you can enable manual placement to gain more control during onboarding.

SD-WAN Controller capacity limits

A multitenant SD-WAN Controller supports up to 24 tenants and 1000 tenant WAN edge devices across all tenants. During onboarding, the admin must select a pair of SD-WAN Controllers that can host one more tenant and connect to the tenant’s forecasted number of WAN edge devices.

Optimization and migration

If the tenant adds more devices than forecast and the assigned SD-WAN Controllers cannot support them, the admin migrates the tenant to another SD-WAN Controller pair that has capacity. If no SD-WAN Controller pair has enough capacity, the admin migrates other tenants to different SD-WAN Controllers to free up resources and balance utilization. If this optimization still doesn’t create enough capacity, the admin adds a new SD-WAN Controller pair and then migrates the tenant there.

Automatic tenant placement

With automatic tenant placement, you can rely on the system to assign SD-WAN Controller pairs during onboarding, adjust forecasts if existing SD-WAN Controllers can handle more WAN Edge devices, or re-onboard/add controllers if capacity is exceeded.

Availability

Cisco supports automatic tenant placement in vManage in Release 20.8.x and earlier.

Algorithm criteria

The internal algorithm assigns SD-WAN Controllers by considering three factors:

  • the number of tenant WAN edge devices forecasted for the tenant,

  • the number of tenants already served by each SD-WAN Controller pair, and

  • the number of WAN edge devices already connected to each SD-WAN Controller pair.

Benefits of automatic tenant placement on multitenant SD-WAN Controllers

This section highlights how strategic tenant placement enhances controller efficiency, performance, and overall network resilience.

Reliability & availability

Reduces the risk of simultaneous controller failures by allowing you to choose controllers deployed in different failure zones or regions in a cloud environment.

Performance & efficiency

  • Minimizes latency by enabling you to select controllers located in the same geographical region as the tenant WAN edge devices.

  • Improves performance and efficiency by letting you choose controllers based on available CPU, DRAM, hard disk resources, and their utilization.

Scalability

Provides scalability by allowing you to migrate tenants to different controllers when the tenant device forecast changes.

Restrictions for automatic tenant placement on multitenant SD-WAN Controllers

If you need to migrate a tenant to a different pair of SD-WAN Controllers, change the SD-WAN Controllers one at a time. This restriction ensures that one controller remains available to the tenant WAN edge devices and prevents traffic disruption.

Prerequisites for automatic tenant placement on multitenant SD-WAN Controllers

Before adding new tenants, ensure that SD-WAN Controllers, capacity limits, and account configurations meet the foundational requirements.

SD-WAN Controller requirements

  • Ensure at least two Cisco SD-WAN Controllers are operational and visible in SD-WAN Manager before adding new tenants.

  • Push a template from SD-WAN Manager to a controller to place it in Manager mode; a controller in CLI mode cannot serve multiple tenants.

  • Verify that each SD-WAN Controller pair can support a maximum of 24 tenants and 1000 tenant devices. Ensure at least two controllers have capacity for a new tenant. If no pair can support a new tenant, add two controllers and switch them to Manager mode.

Tenant provisioning rules

  • Add up to 16 tenants in a single operation. SD-WAN Manager provisions tenants sequentially, not in parallel.

  • Do not start a second Add Tenant task while one is already in progress; otherwise, the second task fails.

Accounts and profiles

Each tenant requires a unique Virtual Account (VA) on Plug and Play Connect in Cisco Software Central. The tenant VA must belong to the same Smart Account (SA) as the provider VA. Depending on the deployment type, one of the following must be completed:

  • On-premises deployments: Create an SD-WAN Validator controller profile for the tenant on Plug and Play Connect with these mandatory fields:

    Table 2. Mandatory fields for on-premises validator controller profile
    Field Description
    Profile name Enter a name for the controller profile.
    Multi-tenancy From the drop-down list, select Yes.
    SP organization name Enter the provider organization name.
    Organization name Enter the tenant organization name in the format <SP Org Name>-<Tenant Org Name>. The organization name can be up to 64 characters.
    Primary controller Enter the host details for the primary SD-WAN Validator.
  • For cloud deployments: SD-WAN Manager automatically creates the Validator Controller profile during tenant creation.

Assign SD-WAN Controllers to Tenants During Onboarding

Before you begin

Each tenant requires a unique Virtual Account (VA) on Plug and Play Connect in Cisco Software Central. The tenant VA must belong to the same Smart Account (SA) as the provider VA. Depending on the deployment type, one of these must be completed:

  • On-premises deployments: Create a Cisco SD-WAN Validator controller profile for the tenant on Plug and Play Connect with these mandatory fields:

    Table 3. Mandatory fields for on-premises validator controller profile
    Field Description
    Profile name Enter a name for the controller profile.
    Multi-tenancy From the drop-down list, select Yes.
    SP organization name Enter the provider organization name.
    Organization name Enter the tenant organization name in the format <SP Org Name>-<Tenant Org Name>. The organization name can be up to 64 characters.
    Primary controller Enter the host details for the primary SD-WAN Validator.
  • For cloud deployments: SD-WAN Manager automatically creates the Validator Controller profile during tenant creation.

To provision and activate the tenant in SD-WAN Manager with the configured settings, follow these steps.

Procedure


Step 1

Log in to SD-WAN Manager as the provider admin user.

Step 2

From the menu, choose Administration > Tenant Management.

Step 3

Click Add Tenant.

Step 4

In the Add Tenant slide-in pane, click New Tenant.

Step 5

Configure tenant details:

Table 4. Tenant Configuration Fields
Field Details

Name

Enter a name for the tenant.

For cloud deployments, the tenant name must match the tenant VA name in Plug and Play Connect.

Description

Enter a description (up to 256 alphanumeric characters).

Organization name

Enter the tenant’s organization name (case-sensitive, up to 64 characters).

Use the format <SP Org Name>-<Tenant Org Name>

Example: managed-sp-customer1

URL subdomain

Enter the tenant’s fully qualified subdomain name. It must include the provider’s domain name.

Example: customer1.managed-sp.com.

See DNS configuration table for deployment-specific steps.

Forecasted devices

Enter the maximum number of WAN edge devices the tenant can add. If this limit is exceeded, SD-WAN Manager blocks device addition.

Select two controllers

  • Automatic placement (default): Ensure the field is set to Autoplacement.

  • Manual placement:

    1. Click the Select two Controllers drop-down list.

      SD-WAN Manager lists the hostnames of the available SD-WAN Controllers.

      For each SD-WAN Controller, SD-WAN Manager shows whether the controller is reachable and reports the utilization details. See the Utilization details table for more information.

    2. Select two SD-WAN Controllers to assign to the tenant based on the utilization details.

Table 5. Utilization details
Field Description
Tenant hosting capacity Each SD-WAN Controller can serve a maximum of 24 tenants. Tenant hosting capacity represents the number of tenants to which the Cisco SD-WAN Controller is assigned in the form of a percentage. This value indicates whether you can assign another tenant to this controller.
Used device capacity Each SD-WAN Controller can support a maximum of 1000 tenant WAN edge devices. Used device capacity represents the number of tenant WAN edge devices connected to the SD-WAN Controller in the form of a percentage of the maximum capacity (1000 WAN edge devices). This value indicates whether the SD-WAN Controller can support the number of devices forecast for the tenant that you are onboarding.
Memory utilized This value represents memory consumption as a percentage.
CPU utilized This value represents CPU usage as a percentage.

Table 6. DNS configuration
Deployment type DNS configuration steps

On-premises

  • Add the tenant subdomain to DNS and map it to the IPs of the three SD-WAN Manager instances in the cluster.

  • Create a provider DNS A record from the provider’s domain name and cluster ID.

    Example: vmanage123.sdwan.cisco.com.

    Validate: nslookup vmanage123.sdwan.cisco.com.

  • Create tenant DNS CNAME records mapping the tenant FQDN to the provider FQDN.

    Example: customer1.sdwan.cisco.com.

    Validate: nslookup customer1.sdwan.cisco.com.

  • If DNS is misconfigured, an authentication error occurs.

Cloud

  • The tenant subdomain is automatically added to DNS.

  • DNS resolution can take up to one hour after creation.

Step 6

Save the tenant configuration.

Step 7

To add another tenant, repeat steps 4 to 6.

When the task completes successfully, you can view the tenant information, including the assigned SD-WAN Controllers and Validators, on Administration > Tenant Management.


After completing the tenant addition steps, SD-WAN Manager performs the Create Tenant Bulk task, which:

  • Creates the tenant.

  • Assigns two SD-WAN Controllers and pushes CLI templates with the tenant information.

  • Sends the tenant and controller details to SD-WAN Validator.
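A pre-flight check for the tenant fields in Step 5 and the 16-tenant batch limit, as an added example that is not part of SD-WAN Manager. The dict layout, function names, the forecast ceiling of 1000, and the duplicate-organization check are assumptions.

```python
MAX_BATCH = 16       # tenants per Add Tenant operation (this page)
MAX_ORG_LEN = 64     # organization name length limit (this page)
MAX_DESC_LEN = 256   # description length limit (this page)
MAX_DEVICES = 1000   # devices one controller supports; assumed ceiling for a forecast

def check_tenant(tenant, sp_org, provider_domain):
    """Return the list of problems found in one tenant record (hypothetical dict layout)."""
    problems = []
    org = tenant.get("org_name", "")
    prefix = sp_org + "-"
    # Case-sensitive comparison: "Managed-SP-x" does not match provider org "managed-sp".
    if not org.startswith(prefix) or len(org) == len(prefix):
        problems.append("org_name is not <SP Org Name>-<Tenant Org Name>")
    if len(org) > MAX_ORG_LEN:
        problems.append("org_name longer than 64 characters")
    # The provider domain must be the suffix, not merely a substring, of the FQDN.
    fqdn = tenant.get("subdomain", "").rstrip(".").lower()
    suffix = "." + provider_domain.rstrip(".").lower()
    if not fqdn.endswith(suffix) or len(fqdn) == len(suffix):
        problems.append("subdomain is not under the provider domain")
    if len(tenant.get("description", "")) > MAX_DESC_LEN:
        problems.append("description longer than 256 characters")
    forecast = tenant.get("forecast")
    if not isinstance(forecast, int) or not 1 <= forecast <= MAX_DEVICES:
        problems.append("forecast is not between 1 and 1000 devices")
    return problems

def check_batch(tenants, sp_org, provider_domain):
    """Map each tenant name to its problems; key '*' holds batch-level problems."""
    report = {t["name"]: check_tenant(t, sp_org, provider_domain) for t in tenants}
    batch = []
    if len(tenants) > MAX_BATCH:
        batch.append("more than 16 tenants in one Add Tenant operation")
    orgs = [t.get("org_name") for t in tenants]
    if len(set(orgs)) != len(orgs):  # assumption: org names are unique per tenant
        batch.append("duplicate org_name in batch")
    report["*"] = batch
    return report

# Constructed sample batch (names and domains are illustrative only).
SAMPLE = [
    {"name": "customer1", "org_name": "managed-sp-customer1",
     "subdomain": "customer1.managed-sp.com", "description": "Branch WAN", "forecast": 120},
    {"name": "customer2", "org_name": "Managed-SP-customer2",
     "subdomain": "customer2.managed-sp.com.example.net", "forecast": 0},
]
```

Calling `check_batch(SAMPLE, "managed-sp", "managed-sp.com")` returns an empty problem list for customer1 and three problems for customer2.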

Update SD-WAN Controller placement for a tenant

You can migrate a tenant to a different pair of SD-WAN Controllers if the currently assigned controllers cannot support the tenant’s revised WAN edge device forecast.

During migration, change one controller at a time to ensure continuous availability and prevent traffic disruption.

Procedure


Step 1

Log in to SD-WAN Manager as the provider admin user.

Step 2

From the menu, choose Administration > Tenant Management.

Step 3

Locate the tenant to migrate and click next to the tenant organization name.

Step 4

Click Update Controller Placement.

Step 5

In the Update Controller Placement slide-in pane, configure these:

  1. Source Controller (currently applied)

    1. Click the drop-down list to view the tenant’s currently assigned controllers.

    2. SD-WAN Manager shows reachability and utilization details for each controller:

      • Tenant hosting capacity (max 24 tenants)

      • Used device capacity (max 1000 devices)

      • Memory utilization (%)

      • CPU utilization (%)

    3. Select the check box next to one of the currently assigned controllers.

  2. Destination controller

    1. Click the drop-down list to view available controllers not currently assigned to the tenant.

    2. SD-WAN Manager shows reachability and utilization details for each controller.

      • Tenant hosting capacity (max 24 tenants)

      • Used device capacity (max 1000 devices)

      • Memory utilization (%)

      • CPU utilization (%)

    3. Select the checkbox next to the controller you want to assign.

    Note

    If the selected controller cannot support the tenant’s devices, the update operation fails.

Step 6

Click Update.

Step 7

To change the second controller assigned to the tenant, repeat steps 5–6.


SD-WAN Manager starts the Tenant Controller Update task, migrating the tenant details from the previous controller to the new controller.

What to do next

After the task completes successfully, view the updated tenant information, including the assigned SD-WAN Controllers, on Administration > Tenant Management.
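The per-controller limits from "SD-WAN Controller capacity limits" (24 tenants, 1000 tenant WAN edge devices) and the one-controller-at-a-time migration rule above, as an added example that is not Cisco code and does not reproduce SD-WAN Manager's internal placement algorithm. The `Controller` record, the hostnames, and the headroom-first ordering are assumptions, as is the requirement that each controller in the pair fit the tenant's full forecast.

```python
from dataclasses import dataclass
from itertools import combinations

MAX_TENANTS = 24     # per-controller tenant limit stated on this page
MAX_DEVICES = 1000   # per-controller tenant WAN edge device limit stated on this page

@dataclass(frozen=True)
class Controller:            # hypothetical record; fill from the utilization details
    hostname: str
    reachable: bool
    tenants: int             # tenants currently assigned
    devices: int             # tenant WAN edge devices currently connected

    def can_host(self, forecast: int) -> bool:
        """True if one more tenant with `forecast` devices fits on this controller."""
        return (self.reachable and self.tenants < MAX_TENANTS
                and self.devices + forecast <= MAX_DEVICES)

def eligible_pairs(controllers, forecast):
    """Pairs where both controllers fit the tenant, most device headroom first."""
    fit = sorted((c for c in controllers if c.can_host(forecast)),
                 key=lambda c: c.hostname)
    load = {c.hostname: c.devices for c in fit}
    pairs = [(a.hostname, b.hostname) for a, b in combinations(fit, 2)]
    return sorted(pairs, key=lambda p: max(load[p[0]], load[p[1]]))

def migration_steps(current, target, controllers, tenant_devices):
    """One (source, destination) swap per update task, never both controllers at once."""
    by_name = {c.hostname: c for c in controllers}
    leaving = [h for h in current if h not in target]
    joining = [h for h in target if h not in current]
    for dest in joining:
        # The page notes the update fails if the destination cannot support the devices.
        if not by_name[dest].can_host(tenant_devices):
            raise ValueError(f"{dest} cannot support the tenant's devices")
    return list(zip(leaving, joining))

# Constructed sample inventory (not real controllers).
INVENTORY = [
    Controller("vsmart-a", True, 24, 610),   # tenant slots exhausted
    Controller("vsmart-b", True, 12, 950),   # only 50 device slots left
    Controller("vsmart-c", True, 8, 300),
    Controller("vsmart-d", True, 5, 420),
    Controller("vsmart-e", False, 1, 20),    # unreachable
]
```

An empty result from `eligible_pairs` corresponds to the case where the admin must rebalance other tenants or add a new controller pair.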