Cisco Catalyst SD-WAN Multitenancy Guide, Releases 26.x and Later


Cisco Catalyst SD-WAN multitenancy

Introduces Cisco Catalyst SD-WAN multitenancy, outlining its purpose, architecture, and integration for scalable, secure, and efficient multi-tenant SD-WAN deployments.


With Cisco Catalyst SD-WAN multitenancy, a service provider can manage multiple customers, called tenants, from Cisco SD-WAN Manager.

The tenants share the same set of underlying Cisco SD-WAN Control Components:

  • Cisco SD-WAN Manager

  • Cisco SD-WAN Validator

  • Cisco SD-WAN Controller

The tenant data is logically isolated on these shared control components.

Access to multitenancy

The service provider accesses Cisco SD-WAN Manager using a domain name mapped to the IP address of a Cisco SD-WAN Manager cluster and manages the multitenant deployment.

Each tenant is provided a subdomain to access a tenant-specific Cisco SD-WAN Manager view and manage the tenant deployment.

A service provider using the domain name managed-sp.com can assign tenants Customer1 and Customer2 the subdomains:

  • customer1.managed-sp.com

  • customer2.managed-sp.com

This allows the service provider to manage multiple tenants on the same set of SD-WAN Controllers instead of providing each customer a single-tenant setup with a dedicated set of SD-WAN Controllers.

Full enterprise multitenancy

Cisco Catalyst SD-WAN supports multitenancy and offers enterprises the flexibility of segregated roles such as service provider and tenants. Service providers can use multitenancy to provide Cisco Catalyst SD-WAN service offerings to their customers.

Security

From Cisco IOS XE Catalyst SD-WAN Release 17.16.1a, AAA traffic can be sent and received over management VPN 512.

Overlapping VPN numbers

A particular VPN or a set of common VPNs is assigned to a specific tenant, with its own configuration and monitoring dashboard environment. These VPN numbers can overlap with VPN numbers used by other tenants.

On-prem and cloud deployment models

Cisco Catalyst SD-WAN controllers can be deployed in:

  • An organization data center on servers running VMware ESXi 6.7 or later, or the Kernel-based Virtual Machine (KVM) hypervisor.

  • Amazon Web Services (AWS) servers hosted by Cisco CloudOps.

Tenant-specific Cisco SD-WAN Analytics

Cisco SD-WAN Analytics is a cloud-based service that offers insights into the performance of applications and the underlying SD-WAN network infrastructure.

Each tenant can obtain Cisco SD-WAN Analytics insights for their overlay network by:

  • Requesting a tenant-specific Cisco SD-WAN Analytics instance.

  • Enabling data collection on SD-WAN Manager.

The service provider must enable cloud services on SD-WAN Manager in the provider view to facilitate the onboarding of the Cisco SD-WAN Analytics instance for the tenant overlay network.

Single tenant environments

A single tenant environment exclusively manages, and is responsible for, its own Cisco Catalyst SD-WAN Control Components and devices. All configured resources are visible to the single tenant administrator in the Cisco SD-WAN Manager interface.

Cloud-delivered Catalyst SD-WAN

Cloud-delivered Catalyst SD-WAN operates as a tenant within a multitenant environment rather than as a single tenant. Cloud-delivered Catalyst SD-WAN users do not see controller infrastructure settings in Cisco SD-WAN Manager. Their available information is limited to their own components and WAN edge devices.

For more information on Cloud-delivered Catalyst SD-WAN, see Cloud-delivered Cisco SD-WAN Getting Started Guide.

Multitenancy

  • Multitenant Cisco SD-WAN Manager

  • Multitenant Cisco SD-WAN Validator

  • Multitenant Cisco SD-WAN Controller

  • Tenant-specific WAN edge devices


Multitenant SD-WAN Manager

Defines how SD-WAN Manager is accessed and used by service providers and tenants in a multitenant deployment.

Provider view

SD-WAN Manager is deployed and configured by the service provider. The provider enables multitenancy and creates an SD-WAN Manager cluster to serve tenants. Only the provider can access an SD-WAN Manager instance through the SSH terminal.

In the Provider view, SD-WAN Manager:

  • Provides service providers with an overall view of the SD-WAN multitenant deployment.

  • Allows service providers to manage all Cisco Catalyst SD-WAN Validator and SD-WAN Controller devices.

  • Enables service providers to monitor and manage each tenant deployment through the Provider-as-Tenant view.

Tenant view

In the tenant view, SD-WAN Manager allows individual tenants to:

  • Monitor and manage their own deployment through a dashboard.

  • Deploy and configure WAN edge devices.

  • Configure custom policies on Cisco Catalyst SD-WAN Controllers.

    Cisco Catalyst SD-WAN Control Component infrastructure settings are not displayed in tenant view.


Multitenant SD-WAN Validator

Describes how SD-WAN Validators function in a multitenant environment.

SD-WAN Validators are deployed and configured by the service provider.

Only the provider can access an SD-WAN Validator through the SSH terminal.

In a multitenant deployment, SD-WAN Validators:

  • Serve WAN edge devices of multiple tenants.

  • Authenticate and validate WAN edge devices as they are added to the overlay network.


Multitenant SD-WAN Controllers

Explains the deployment and management of SD-WAN Controllers in a multitenant environment.

SD-WAN Controllers are deployed by the service provider. Only the provider can:

  • Create and attach device and feature templates to SD-WAN Controllers.

  • Access an SD-WAN Controller through the SSH terminal.

Tenant assignment

  • When a tenant is created, SD-WAN Manager assigns two SD-WAN Controllers for the tenant.

  • The SD-WAN Controllers form an active-active cluster.

  • Each tenant is assigned only two SD-WAN Controllers.

  • Before a tenant is created, two SD-WAN Controllers must be available to serve the tenant.

Controller selection

  • When multiple pairs of SD-WAN Controllers are available:

    • SD-WAN Manager assigns the pair connected to the lowest number of forecast devices.

    • If two pairs are connected to the same number of devices, the pair serving the lowest number of tenants is assigned.

  • From Cisco vManage Release 20.9.1:

    • While onboarding a tenant, you can choose the pair of multitenant SD-WAN Controllers that serve the tenant.

    • After onboarding, the tenant can be migrated to a different pair if necessary.

    • For more information, refer to the information about manual and automatic tenant placement in Multitenancy.

  • Each pair of SD-WAN Controllers can serve up to 24 tenants.
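
The automatic selection rules above can be modeled for capacity planning, for example to see which controller pair a new tenant would share with existing tenants. This is an added example, not Cisco code or an SD-WAN Manager API; the class, function, and pair names are hypothetical, and it assumes that a pair at the 24-tenant limit is skipped, that a full tie goes to the first pair listed, and that a tenant's forecast devices are added to its pair's count.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_TENANTS_PER_PAIR = 24  # per-pair limit stated in this guide


@dataclass
class ControllerPair:
    name: str              # hypothetical label, not an SD-WAN Manager field
    forecast_devices: int  # forecast devices connected to the pair
    tenants: int           # tenants currently served by the pair


def select_pair(pairs: List[ControllerPair]) -> Optional[ControllerPair]:
    """Pick a pair: fewest forecast devices, then fewest tenants."""
    # Assumption: a pair already at the 24-tenant limit is not a candidate.
    eligible = [p for p in pairs if p.tenants < MAX_TENANTS_PER_PAIR]
    if not eligible:
        return None
    # Assumption: a full tie resolves to the first pair in list order.
    return min(eligible, key=lambda p: (p.forecast_devices, p.tenants))


def onboard(pairs: List[ControllerPair], tenant_forecast: int) -> str:
    """Place one tenant and update the chosen pair's counters."""
    pair = select_pair(pairs)
    if pair is None:
        raise RuntimeError("no controller pair has tenant capacity left")
    pair.tenants += 1
    pair.forecast_devices += tenant_forecast  # assumed accounting model
    return pair.name


def sample_pairs() -> List[ControllerPair]:
    """Constructed inventory used for the walk-through in __main__."""
    return [
        ControllerPair("pair-A", forecast_devices=100, tenants=3),
        ControllerPair("pair-B", forecast_devices=100, tenants=2),
        ControllerPair("pair-C", forecast_devices=50, tenants=24),  # full
    ]


if __name__ == "__main__":
    pairs = sample_pairs()
    for forecast in (10, 20, 5):
        print(f"tenant with {forecast} forecast devices -> {onboard(pairs, forecast)}")
```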

Tenant policy management

  • Tenants can configure custom policies on their assigned SD-WAN Controllers.

  • Cisco SD-WAN Manager notifies the Controllers to pull the policy templates.

  • Controllers pull the templates and deploy the policy configuration for the specific tenant.

Provider access

  • Only the provider can view events, audit logs, and OMP alarms for an SD-WAN Controller on SD-WAN Manager.

  • Starting from Cisco Catalyst SD-WAN Manager Release 20.16.1, a provider can view alarms and events for the sites and devices in its tenancy.


Tenant-specific WAN edge devices

A tenant or the provider acting on behalf of a tenant can:

  • Add WAN edge devices to the tenant network.

  • Configure the devices.

  • Remove the devices from the tenant network.

  • Access the device through the SSH terminal.

A provider can manage the WAN edge devices only from the provider-as-tenant view. In the provider view, SD-WAN Manager does not show any WAN edge device information. Refer to SD-WAN Manager views for providers.

SD-WAN Manager reports WAN edge device events, logs, and alarms only in the tenant and the provider-as-tenant views.