Tenant management

Updated: June 21, 2026

Want to summarize with AI?

Explains tenant management capabilities and how device forecasting helps allocate controller capacity and enforce tenant-specific WAN edge device limits.

A tenant or the provider acting on behalf of a tenant can:

Add WAN edge devices to the tenant network.
Configure the devices.
Remove the devices from the tenant network.
Access the device through the SSH terminal.

Tenant device forecasting

When a service provider adds a new tenant to the multitenant Cisco Catalyst SD-WAN deployment, they can forecast the number of WAN edge devices the tenant may deploy in their overlay network. Cisco SD-WAN Manager enforces this forecast limit. If the tenant tries to add devices beyond this limit, Cisco SD-WAN Manager returns an appropriate error message, and the device addition fails.

From Cisco IOS XE Release 17.6.2 and Cisco vManage Release 20.6.2, you can modify a tenant’s device forecast after adding the tenant.

Benefits of tenant device forecasting

The service provider uses Cisco Catalyst SD-WAN controller resources more efficiently.
A multitenant deployment supports a fixed number of WAN edge devices across all tenants, depending on the configuration. By forecasting how many devices each tenant may add, the service provider assigns a quota for each tenant from the overall pool of supported edge devices.

Restrictions for tenant management

In a multitenant deployment, a tenant can only add up to 1000 devices to their overlay network.

Each pair of SD-WAN Controllers can serve a maximum of 24 tenants and 1000 tenant devices.

Prerequisites for adding a tenant

Follow these prerequisites to prevent configuration or synchronization failures when adding a tenant.

Ensure at least two Cisco SD-WAN Controllers are operational and in Manager mode before adding a new tenant.
- A controller enters Manager mode when a template is pushed from SD-WAN Manager.
- SD-WAN Controllers in CLI mode cannot serve multiple tenants.
Ensure that at least two controllers can serve the new tenant. If not, add two controllers and change their mode to Manager.
When adding a second tenant immediately after another, SD-WAN Manager processes them sequentially, not in parallel.
Each tenant must have a unique Virtual Account (VA) on Plug and Play Connect within Cisco Software Central. The tenant VA must belong to the same Smart Account (SA) as the provider VA.

For on-premises deployments, create a Validator controller profile for the tenant on Plug and Play Connect.

Table 1. Controller profile fields
Field	Description/Value
Profile Name	Enter a name for the controller profile.
Multi-Tenancy	From the drop-down list, select Yes.
SP Organization Name	Enter the provider organization name.
Organization Name	Enter tenant organization in the format <SP Org Name>-<Tenant Org Name>. The organization name can contain up to 50 characters. A mismatch between the controller profile organization name and the tenant organization name causes device synchronization to fail.
Primary Controller	Enter the host details for the primary Cisco SD-WAN Validator.

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.