Cisco Catalyst SD-WAN Multitenancy Guide, Releases 26.x and Later


Add a new tenant

Provides the procedure to create a new tenant, configure tenant settings, assign device capacity, and provision tenant resources in a multitenant Cisco Catalyst SD-WAN deployment.


Use these steps to add a new tenant in SD-WAN Manager for a multitenant deployment.

Procedure

1.

Log in to SD-WAN Manager as the provider admin user.

2.

Navigate to Administration > Tenant Management.

3.

Click Add Tenant.

4.

Enter tenant information.

Table 1. Tenant information

Item

Description

Tenant Name

Enter a name for the tenant. The name must match the Virtual Account used for the tenant.

Tenant Description

Enter a description with up to 256 alphanumeric characters.

Organization Name

Enter the organization name (case-sensitive, unique per tenant).

  • Format: <Provider Org Name>-<Tenant Org Name>

  • Maximum length: 50 characters

Example: If the provider organization name is 'EFT20.17-VA-Main – 841534' and the tenant organization name is 'T1', enter the organization name as EFT20.17-VA-Main – 841534-T1. The tenant organization name can be T1 for Tenant 1, T2 for Tenant 2, and so on.

5.

Enter the URL Subdomain Name.

Enter the fully qualified subdomain of the tenant.

The URL must include the service provider’s domain (example: customer1.managed-sp.com) and follow the domain naming convention set in Administration > Settings > Tenancy Mode.

6.

Configure DNS.

  1. For on-premises deployment, add the tenant’s FQDN to DNS and map it to all three SD-WAN Manager cluster IPs.

    Provider level:

    Create a DNS A record and map it to the IP addresses of the SD-WAN Manager instances running in the Cisco SD-WAN Manager cluster. The A record is derived from the domain and cluster ID created while enabling multitenancy.

    For example, if the domain is sdwan.cisco.com and the cluster ID is vmanage123, configure the A record as vmanage123.sdwan.cisco.com.

    If you do not update the DNS entries, SD-WAN Manager fails to authenticate when you log in. To verify if DNS is configured correctly, execute nslookup vmanage123.sdwan.cisco.com.

    Tenant level:

    Create a DNS CNAME record for each tenant and map it to the FQDN created at the provider level. You do not need to include the cluster ID for the CNAME record.

    For example, if the domain is sdwan.cisco.com and the tenant name is customer1, configure the CNAME record as customer1.sdwan.cisco.com.

    To verify if DNS is configured correctly, execute nslookup customer1.sdwan.cisco.com.

  2. For a cloud deployment, SD-WAN Manager automatically adds the tenant’s fully qualified sub-domain name (FQDN) to DNS during tenant creation. After adding the tenant, it may take up to one hour for the FQDN to resolve.

7.

In the Number of Devices field, enter the number of WAN edge devices the tenant can deploy.

Adding more devices than allowed will trigger an error.

8.

Click Save.

When you add a tenant, SD-WAN Manager automatically:

  • Creates the tenant.

  • Assigns two SD-WAN Controllers to the tenant and pushes a CLI template to configure tenant information on them.

  • Sends the tenant and controller details to the SD-WAN Validator.

What to do next

The Create Tenant window appears, and the status of the tenant creation reads In progress. To view status messages related to the creation of a tenant, click the > button to the left of the status.

After the Status column changes to Success, you can view the tenant information on the Administration > Tenant Management page.
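
The format rules from steps 4 and 5 and the on-premises DNS layout from step 6 can be checked before you click Save. The following Python is an added example, not Cisco code: the function names, the (name, type, value) record tuples, and the 192.0.2.x cluster IPs are assumptions constructed for illustration, and flagging A records that point outside the cluster goes slightly beyond what the procedure states.

```python
MAX_ORG_LEN = 50    # page: organization name, maximum 50 characters
MAX_DESC_LEN = 256  # page: description, up to 256 characters

def check_tenant_fields(provider_org, tenant_org, org_name, description,
                        subdomain, sp_domain):
    """Problems with the values entered in steps 4 and 5 (empty list = OK)."""
    problems = []
    if org_name != f"{provider_org}-{tenant_org}":  # case-sensitive on purpose
        problems.append("org name is not <Provider Org Name>-<Tenant Org Name>")
    if len(org_name) > MAX_ORG_LEN:
        problems.append("org name exceeds 50 characters")
    if len(description) > MAX_DESC_LEN:
        problems.append("description exceeds 256 characters")
    # Require a label boundary so "notmanaged-sp.com" does not pass.
    if not subdomain.lower().endswith("." + sp_domain.lower()):
        problems.append("subdomain is not under the provider domain")
    return problems

def check_dns(records, domain, cluster_id, cluster_ips, tenant):
    """Check step 6 against exported zone records: (name, type, value) tuples."""
    provider_fqdn = f"{cluster_id}.{domain}"
    tenant_fqdn = f"{tenant}.{domain}"
    problems = []
    a_values = {v for n, t, v in records if n == provider_fqdn and t == "A"}
    for ip in sorted(set(cluster_ips) - a_values):
        problems.append(f"{provider_fqdn}: no A record for cluster IP {ip}")
    for ip in sorted(a_values - set(cluster_ips)):
        problems.append(f"{provider_fqdn}: A record {ip} is not a cluster IP")
    targets = [v.rstrip(".") for n, t, v in records
               if n == tenant_fqdn and t == "CNAME"]
    if targets != [provider_fqdn]:
        problems.append(f"{tenant_fqdn}: CNAME must point to {provider_fqdn}")
    return problems

# Constructed sample zone (assumption); 192.0.2.0/24 is a documentation range.
CLUSTER_IPS = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
ZONE = [
    ("vmanage123.sdwan.cisco.com", "A", "192.0.2.11"),
    ("vmanage123.sdwan.cisco.com", "A", "192.0.2.12"),
    ("customer1.sdwan.cisco.com", "CNAME", "vmanage123.sdwan.cisco.com."),
]

if __name__ == "__main__":
    # The sample zone maps only two of the three cluster IPs, so one problem prints.
    for p in check_dns(ZONE, "sdwan.cisco.com", "vmanage123", CLUSTER_IPS, "customer1"):
        print(p)
```
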


View tenant information

From Cisco IOS XE Catalyst SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Manager Release 20.12.1, you can view detailed tenant information.

Use these steps to view detailed information about a tenant.

Procedure

1.

From the Cisco SD-WAN Manager menu, click Administration > Tenant Management.

2.

Click Tenant to view detailed tenant information.

Table 2. Tenant details

Field

Description

Tenant Name

Name of the tenant.

Description

Tenant description.

Controllers

SD-WAN Controllers assigned to the tenant.

Forecasted Edge Count

Predicted number of WAN edge devices.

Total Edge Count

Total number of both multitenant and single-tenant edge devices.

Multi-Tenant WAN Edge Devices

Click the non-zero number to view the number of multitenant edge devices.

Tenant-Provider VPN Mapping

Click the non-zero number to view tenant and device VPN mappings.

Service Connector

Shows the multitenant edge device that provides VXLAN connectivity to tenants.

Notifications

Indicates whether webhook notifications are managed by the tenant or provider.

AAA

Indicates whether remote AAA is managed by the tenant or provider.

Controller Visibility

Indicates whether controller visibility is enabled or disabled.


Restrict a tenant's access

Using this procedure, a provider admin is able to suspend or restore a tenant's access to SD-WAN Manager.

A provider administrator can suspend or restore SD-WAN Manager access for individual tenants. Suspension changes what the tenant can access in SD-WAN Manager.

This table lists what access is restricted or allowed after a tenant is suspended.

Table 3. Tenant's access after suspension

Post-Suspension Access

Description

Restricted for a tenant user

  • No access to the SD-WAN Manager GUI.

  • No access to the SD-WAN Manager APIs.

  • Cannot schedule or perform configuration or operational changes.

  • Existing logged-in sessions are forcibly terminated.

Accessible for a provider-admin user

  • Data plane traffic continues uninterrupted.

  • Monitoring data (device statistics and SD-WAN Analytics) remains available.

  • Scheduled reports continue to be delivered.

  • Webhook notifications, including critical alarms, continue to work.

Note

After you suspend a tenant's access, the provider-as-tenant view remains available to the provider.

Before you begin

You must have provider administrator user access.

Follow these steps to modify a tenant’s access in SD-WAN Manager:

Procedure

1.

Log in to Cisco SD-WAN Manager as the provider administrator user.

2.

From the Cisco SD-WAN Manager menu, choose Administration > Tenant Management.

3.

To modify user access, click ... adjacent to the tenant and click Edit Tenant.

The Edit Tenant side panel appears.

4.

Toggle the user access button to suspend access.

The provider has access to tenant information even after suspending user access for the tenant.

What to do next

Verify that a tenant's access is suspended by reviewing the user access column on the Tenant Management page.


Delete a tenant

Before you delete a tenant, delete all tenant WAN edge devices. See Delete a WAN edge device from a tenant network.

Use these steps to delete a tenant.

Procedure

1.

Log in to Cisco SD-WAN Manager as the provider admin user.

2.

From the Cisco SD-WAN Manager menu, choose Administration > Tenant Management.

3.

In the left pane, click the name of the tenant.

The tenant information is displayed in a pane on the right.

4.

In the right pane, click the trash icon.

5.

In the Delete Tenant dialog box, enter the provider admin password and click Save.


Add a tenant in a Cisco-hosted multitenant environment

Use these steps to add a new tenant in a Cisco-hosted multitenant environment.

Procedure


1.

Log in to Cisco SD-WAN Manager as the provider admin user.

2.

Navigate to Administration > Tenant Management.

3.

Click Add Tenant.

4.

Enter tenant information.

Table 4. Tenant information

Item

Description

Tenant Name

Enter a name for the tenant.

Tenant Description

Enter a description with up to 256 alphanumeric characters.

Organization Name

Enter the organization name (case-sensitive, unique per tenant).

  • Format: <SP Org Name>-<Tenant Org Name>

  • Maximum length: 50 characters

Example: If the provider organization name is 'multitenancy' and the tenant organization name is 'Customer1', while adding the tenant, enter the organization name as multitenancy-Customer1.

Any mismatch with the controller profile causes device sync failure.

5.

Enter the sub-domain URL in FQDN format.

The sub-domain name must include sdwan.cisco.com.

For example, a valid sub-domain could be Eftt1.sdwan.cisco.com.

Ensure the sub-domain is unique by performing an nslookup or ping on the expected domain. If the domain already exists, choose a different URL.

The tenant’s FQDN is automatically added to DNS during the tenant creation process. After adding the tenant, it may take up to one hour for the FQDN to resolve.

6.

In the Number of Devices field, enter the maximum number of WAN edge devices the tenant can deploy.

Exceeding this limit will cause Cisco SD-WAN Manager to report an error and prevent additional device additions.

7.

Choose the Auto placement or manual option for controller assignment.

8.

Click Save.


After tenant creation completes, Cisco SD-WAN Manager automatically generates the controller profile in the tenant’s Virtual Account and creates the FQDN. You will receive an email notification once the process is finished.