Cisco Catalyst SD-WAN Multitenancy Guide, Releases 26.x and Later

PDF

Initial setup for multitenancy

Updated: June 21, 2026

Want to summarize with AI?

Details the initial setup process for Cisco Catalyst SD-WAN multitenancy.

Prerequisites for Cisco Catalyst SD-WAN multitenancy

Ensure these prerequisites are met to successfully deploy and enable Cisco Catalyst SD-WAN m ultitenancy.

Download and install software versions as recommended in the table below:

Table 1. Minimum software prerequisites for Cisco Catalyst SD-WAN multitenancy
Device	Software Version
Cisco SD-WAN Manager	Cisco vManage Release 20.6.1
Cisco SD-WAN Validator	Cisco SD-WAN Release 20.6.1
Cisco SD-WAN Controller	Cisco SD-WAN Release 20.6.1
Cisco IOS XE Catalyst SD-WAN Device	Cisco IOS XE Catalyst SD-WAN Release 17.6.1a

A configuration in which one or more controllers, or WAN edge devices, are running software versions earlier than those mentioned in the table above is not supported.

Ensure a new SD-WAN Manager software image is downloaded and installed instead of migrating an existing single-tenant instance to multitenant mode, even if all devices are invalidated or deleted.
Follow the recommended hardware specifications in the Supported Devices and Hardware specifications section of this document.

Initial setup for Cisco Catalyst SD-WAN multitenancy

Follow these steps to set up Cisco Catalyst SD-WAN multitenancy.

Procedure

	1.	Log in to SD-WAN Manager as the provider admin user.
	2.	Create SD-WAN Manager cluster. To support 50 tenants and 1000 devices across all tenants, create a 3-node Cisco SD-WAN Manager Multitenant cluster. To support 100 tenants and 5000 devices across all tenants, create a 6-node Cisco SD-WAN Manager Multitenant cluster. From Cisco IOS XE Release 17.6.3a, Cisco vManage Release 20.6.3, to support 150 tenants and 7500 devices across all tenants, create a 6-node Cisco SD-WAN Manager Multitenant cluster.
	3.	Create and configure Cisco SD-WAN Validator instances. Refer to the Deploy SD-WAN Validator topic in the Overlay Network Bring-Up Process section of the Cisco Catalyst SD-WAN Getting Started Guide. While configuring Cisco SD-WAN Validator instances, configure the service provider organization name (`sp-organization-name`) and the organization name (`organization-name`). Refer to the information about configuring an organization name in the Cisco Catalyst SD-WAN Getting Started Guide. Example: `sp-organization-name multitenancy organization-name multitenancy`
	4.	Create Cisco SD-WAN Controller instances. Refer to the Deploy SD-WAN Controller topic in the Overlay Network Bring-Up Process section of the Cisco Catalyst SD-WAN Getting Started Guide. To support 50 tenants and 1000 devices across all tenants, deploy 6 Cisco SD-WAN Controller instances. To support 100 tenants and 5000 devices across all tenants, deploy 10 Cisco SD-WAN Controller. From Cisco IOS XE Release 17.6.3a, Cisco vManage Release 20.6.3, to support 150 tenants and 7500 devices across all tenants, deploy 16 Cisco SD-WAN Controllers.
	5.	Add Cisco SD-WAN Controller to the overlay network.
	6.	Onboard new tenants. See Add a new tenant. Create a 3-node Cisco SD-WAN Manager Multitenant cluster Create a 6-node Cisco SD-WAN Manager Multitenant cluster Enable Multitenancy on Cisco SD-WAN Manager Add Cisco SD-WAN Controller

Create a 3-Node SD-WAN Manager multitenant cluster

To deploy and configure a 3-node SD-WAN Manager cluster to support a multitenant environment.

Procedure

	1.	Download the Cisco vManage Release 20.6.1 or later software image from Cisco Software Download.
	2.	Create three SD-WAN Manager instances by installing the downloaded software image file. Refer to the Deploy SD-WAN Manager topic in the Overlay Network Bring-Up Process section of the Cisco Catalyst SD-WAN Getting Started Guide. Deploy SD-WAN Manager servers with these hardware specifications: Hardware Specifications to Support 50 Tenants and 1000 Devices section of this document Choose the Compute+Data persona for each SD-WAN Manager instance. Example: vManage1, vManange2, and vManage 3.
	3.	Complete the following operations on the first SD-WAN Manager instance: Configure the following using CLI: System IP address Site ID Service Provider organization name (`sp-organization-name`) Organization-name Cisco SD-WAN Validator IP address VPN 0 Transport/Tunnel interface VPN 0 Out-of-band (OOB) interface: Ensure that you assign a static IP address to this interface. Do not enable DHCP. VPN 512 Management interface Configure only one default route in VPN 0. Enable Multitenancy on Cisco SD-WAN Manager. (Optional) Using the CLI, install the Root CA certificate for the first SD-WAN Manager instance. Skip this step if you are using a Symantec or Cisco PKI certificate. Complete these steps through SD-WAN Manager: Generate a certificate signing request. Refer to the Certificate Management section of the Cisco Catalyst SD-WAN Getting Started Guide. After getting the certificate signed, install the certificate. Configure the cluster IP address of the SD-WAN Manager server. Refer to the cluster management section of the Cisco Catalyst SD-WAN Getting Started Guide. Before proceeding to the next step, ensure that the Manager IP Address field on the Administration > Cluster Management page shows the OOB interface address.
	4.	Complete the following operations on the second and third SD-WAN Manager instances (vManage2 and vManage 3 in the example): Configure the following using the CLI: System IP address Site ID Service Provider organization name (`sp-organization-name`) Organization-name Cisco SD-WAN Validator IP address VPN 0 Transport/Tunnel interface VPN 0 Out-of-band (OOB) interface: Ensure that you assign a static IP address to this interface. Do not enable DHCP. VPN 512 Management interface (Optional) Using the CLI, install the Root CA certificate for the first SD-WAN Manager instance. Skip this step if you are using a Symantec or Cisco PKI certificate. Complete the following through SD-WAN Manager: Generate a certificate signing request. Refer to the Certificate Management section of the Cisco Catalyst SD-WAN Getting Started Guide. After getting the certificate signed, install the certificate. Log in to the SD-WAN Manager web application server. Refer to the Cisco Catalyst SD-WAN Manager How-Tos section of the Cisco Catalyst SD-WAN Getting Started Guide. Ping the OOB interfaces on the other two SD-WAN Manager instances and ensure they are reachable. Configure the cluster IP address of the SD-WAN Manager server. Refer to the cluster management section of the Cisco Catalyst SD-WAN Getting Started Guide. Before proceeding to the next step, ensure that the Manager IP Address field on the Administration > Cluster Management page shows the OOB interface address. Enable multitenancy only on the first SD-WAN Manager instance.
	5.	Log in to the first SD-WAN Manager instance and add the second instance to the cluster. The second instance reboots before being added to the cluster. While the second instance is being added to the cluster, on the Administration > Cluster Management page, the Configure Status for the second instance shows Pending. You can monitor the System Generated Cluster Sync transaction to check the progress of the adding the second instance to the cluster. When the operation is completed, on the Administration > Cluster Management page, you can view both the first and second instances, and their node personas.
	6.	Repeat the previous step to add additional SD-WAN Manager instances to the cluster. After rebooting, you have to select persona (non-cloud setup) from CLI and services starts running on the node according to the selected persona.

Create a 6 node SD-WAN Manager multitenant cluster

To deploy and configure a 6-node SD-WAN Manager cluster to support a multitenant environment.

Procedure

	1.	Download the Cisco vManage Release 20.6.1 or later software image from Cisco Software Download.
	2.	Create six SD-WAN Manager instances by installing the downloaded software image file. Refer to the Deploy SD-WAN Manager topic in the Overlay Network Bring-Up Process section of the Cisco Catalyst SD-WAN Getting Started Guide. To support 100 tenants and 5000 devices across all tenants, deploy SD-WAN Manager servers having the hardware specifications in the table Hardware Specifications to Support 100 Tenants and 5000 Devices of this document. From Cisco IOS XE Release 17.6.3a and Cisco vManage Release 20.6.3, to support 150 tenants and 7500 devices across all tenants, deploy SD-WAN Manager servers with these hardware specifications: Hardware Specifications to Support 150 Tenants and 7500 Devices Choose the Compute+Data persona for three SD-WAN Manager instances Example: vManage1, vManange2, and vManage 3. Choose the Data persona for the other three SD-WAN Manager instances. Example: vManage4, vManage5, and vManage6.
	3.	Complete the following operations on the first SD-WAN Manager instance: Configure the following using CLI: System IP address Site ID Service Provider organization name (`sp-organization-name`) Organization-name Cisco SD-WAN Validator IP address VPN 0 Transport/Tunnel interface VPN 0 Out-of-band (OOB) interface: Ensure that you assign a static IP address to this interface. Do not enable DHCP. VPN 512 Management interface Configure only one default route in VPN 0. Enable Multitenancy on Cisco SD-WAN Manager. (Optional) Using the CLI, install the Root CA certificate for vManage1. Skip this step if you are using a Symantec or Cisco PKI certificate. Complete the following through SD-WAN Manager: Generate a certificate signing request. Refer to the Certificate Management section of the Cisco Catalyst SD-WAN Getting Started Guide. After getting the certificate signed, install the certificate. Configure the cluster IP address of the SD-WAN Manager server. Refer to the cluster management section of the Cisco Catalyst SD-WAN Getting Started Guide. Before proceeding to the next step, ensure that the Manager IP Address field on the Administration > Cluster Management page shows the OOB interface address.
	4.	Complete the following operations on the second and third SD-WAN Manager instances (vManage2 and vManage 3 in the example): Configure the following using the CLI: System IP address Site ID Service Provider organization name (`sp-organization-name`) Organization-name Cisco SD-WAN Validator IP address VPN 0 Transport/Tunnel interface VPN 0 Out-of-band (OOB) interface: Ensure that you assign a static IP address to this interface. Do not enable DHCP. VPN 512 Management interface (Optional) Using the CLI, install the Root CA certificate for vManage1. Skip this step if you are using a Symantec or Cisco PKI certificate. Complete the following through the Cisco SD-WAN Manager: Generate a certificate signing request. Refer to the Certificate Management section of the Cisco Catalyst SD-WAN Getting Started Guide. After getting the certificate signed, install the certificate. Log in to the SD-WAN Manager web application server. Refer to the Cisco Catalyst SD-WAN Manager How-Tos section of the Cisco Catalyst SD-WAN Getting Started Guide. Ping the OOB interfaces on the other two SD-WAN Manager instances and ensure they are reachable. Configure the cluster IP address of the SD-WAN Manager server. Refer to the cluster management section of the Cisco Catalyst SD-WAN Getting Started Guide. Before proceeding to the next step, ensure that the Manager IP Address field on the Administration > Cluster Management page shows the OOB interface address. Do not enable multitenancy on vManage2 and vManage3.
	5.	Log in to the first SD-WAN Manager instance and add the second instance to the cluster. The second instance (vManage2 in the example) reboots before being added to the cluster. While the second instance is being added to the cluster, on the Administration > Cluster Management page, the Configure Status for the second instance shows Pending. You can monitor the System Generated Cluster Sync transaction to check the progress of the adding the second instance to the cluster. When the operation is completed, on the Administration > Cluster Management page, you can view both the first and second instances, and their node personas.
	6.	Repeat the previous step to add additional SD-WAN Manager instances to the cluster (vManage3 through vManage6 in the example).

Enable multitenancy on SD-WAN Manager

Administrator triggered disaster recovery is supported for multitenant clusters from Cisco vManage Release 20.6.1 or later releases.

After you enable multitenancy on SD-WAN Manager, you cannot migrate it back to single tenant mode.

SD-WAN Manager reboots in multitenant mode and when a provider user logs in to SD-WAN Manager, the provider dashboard appears.

Before you begin

Do not migrate an existing single-tenant SD-WAN Manager into multitenant mode, even if you invalidate or delete all devices from the existing SD-WAN Manager. Instead, download and install a new software image of Cisco vManage Release 20.6.1 or a later release.

Procedure

	1.	Launch SD-WAN Manager using the URL https://vmanage-ip-address:port. Log in as the provider admin user.
	2.	From the SD-WAN Manager menu, choose Administration > Settings > Tenancy Mode. If you are using SD-WAN ManagerRelease 20.12.x or earlier, click Edit.
	3.	In the Tenancy field, click Multitenant.
	4.	In the Domain field, enter the domain name of the service provider (for example, managed-sp.com).
	5.	Enter a Cluster Id (for example, cluster-1 or 123456).
	6.	Click Save. If you are using SD-WAN Manager Release 20.12.x or earlier, click Proceed to confirm that you want to change the tenancy mode. The Domain and Cluster Id values created in steps 5 and 6 serve as the Provider FQDN. Ensure these values conform to current DNS naming conventions. You can not modify these values after the configuration is saved. To change these values, a new SD-WAN Manager cluster need to be deployed. For more details on provider and tenant DNS requirements, refer to step 3d in Add a new tenant.

Add SD-WAN Controller

Follow these steps to add SD-WAN Controller

Procedure

	1.	Log in to SD-WAN Manager as the provider admin user.
	2.	From the SD-WAN Manager menu, choose Configuration > Devices.
	3.
	4.	Click Controllers.
	5.	Click Add Controller.
	6.	In the Add Controller dialog box, do the following: In the Controller Management IP Address field, enter the system IP address of the SD-WAN Controller. Enter the Username and Password required to access the Cisco SD-WAN Controller. Select the protocol to use for control-plane connections. The default is DTLS. If you select TLS, enter the port number to use for TLS connections. The default is 23456. Check the Generate CSR check box for SD-WAN Manager to create a Certificate Signing Request. Click Add.
	7.	From the SD-WAN Manager menu, choose Configuration > Certificates. For the newly added SD-WAN Controller, the Operation Status reads CSR Generated. For the newly added SD-WAN Controller, click More Options icon and click View CSR. Submit the CSR to the Certificate Authority (CA) and obtain a signed certificate.
	8.	Install certificate. From the SD-WAN Manager menu, choose Configuration > Certificates. Click Install Certificate. In the Install Certificate dialog box, paste the Certificate Text or click Select a file upload the certificate file. Click Install. SD-WAN Manager installs the certificate on the SD-WAN Controller. SD-WAN Manager also sends the serial number of the certificate to other controllers. On the Configuration > Certificates page, the Operation Status for the newly added SD-WAN Controller reads as Validator Updated. On the Configuration > Devices page, the new controller is listed in the Controller table with the controller type, hostname of the controller, IP address, site ID, and other details. The Mode is set to CLI.
	9.	Change the mode of the newly added SD-WAN Controller to Manager Mode by attaching a template to the device. From the SD-WAN Manager menu, choose Configuration > Templates. Click Device Templates. In Cisco vManage Release 20.7.x and earlier releases, Device Templates is titled asDevice Find the template to be attached to the SD-WAN Controller. Click ..., and click Attach Devices. In the Attach Devices dialog box, move the new controller to the Selected Device list and click Attach. Verify the Config Preview and click Configure Devices.

SD-WAN Managerpushes the configuration from the template to the new controller.
In the Configuration > Devices page, the Mode for the SD-WAN Controller shows Manager Mode. The new SD-WAN Controller is ready to be used in your mutitenant deployment.

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Initial setup for multitenancy

Prerequisites for Cisco Catalyst SD-WAN multitenancy

Initial setup for Cisco Catalyst SD-WAN multitenancy

Procedure

Example:

Create a 3-Node SD-WAN Manager multitenant cluster

Procedure

Create a 6 node SD-WAN Manager multitenant cluster

Procedure

Enable multitenancy on SD-WAN Manager

Before you begin

Procedure

Add SD-WAN Controller

Procedure