Versa Segmentation & Multi-Tenancy — Tenants, VRFs & End-to-End Isolation

Versa was built multi-tenant from day one. This lesson untangles its two levels of separation — tenants (organizations in Director, full administrative isolation for MSPs and multi-BU) and segments (VRFs carried end-to-end across the overlay, each with its own routing and security policy) — so you can explain exactly why Versa is strong for service providers and regulated networks.

📅 2026-06-18 · ⏱ 16 min · 5 infographics · live overlay demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Versa SD-WAN segmentation and multi-tenancy (2026): organizations and sub-organizations as tenants in Director, network segments built as VRFs, the segment-aware overlay that carries isolation end-to-end, per-segment routing and security policy, and how MSPs and regulated enterprises keep traffic apart.

Pick where you want to start

1. Two levels: Tenants vs segments — why Versa separates twice.
2. Tenants in Director: Organizations, sub-orgs, RBAC and the MSP model.
3. Segments as VRFs: Per-segment routing, end-to-end overlay isolation.
4. Policy & use cases: Per-segment security, PCI, guest, IoT/OT, M&A.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does Versa separate traffic at just one level?

Answered in Two levels.

2. What is a tenant in Versa Director?

Answered in Tenants in Director.

3. How is a network segment actually implemented on the branch?

Answered in Segments as VRFs.

Most engineers think…

Most people picture SD-WAN segmentation as 'a few VLANs and an ACL on the branch'. That mental model collapses the moment an interviewer asks how Versa serves dozens of customers on shared boxes, or how PCI traffic stays isolated all the way across the WAN.

Versa separates traffic at two distinct levels. Tenants are organizations in Director — each gets fully isolated config, policy, RBAC and analytics, and a provider org can contain sub-organizations. Segments are VRFs on the branch — Corp, Guest, PCI, IoT, OT — and the isolation rides the overlay end-to-end, not just locally. Knowing which level solves which problem is the whole interview.

① Two levels of separation — tenants and segments

The single idea to anchor on: Versa separates traffic twice. The outer level is the tenant — an organization in Director that gives a customer or business unit full administrative isolation. The inner level is the network segment — a VRF on the branch that keeps Corp, Guest, PCI, IoT and OT traffic apart.

This matters because the two levels solve different problems. Tenants answer 'how does one platform serve many customers or business units with separate admins and separate dashboards?' Segments answer 'how does PCI traffic stay isolated from Guest traffic — locally and all the way across the WAN?'

Versa carries the heritage of service-provider / managed SD-WAN, so it was multi-tenant from the start rather than bolting it on later. That is why both levels feel native instead of like an afterthought.

Figure 1 — Two levels of separation
Versa separates twice — tenants for administrative isolation, then segments for traffic isolation inside each tenant.
Panels: Tenant (organization): isolated config, policy, RBAC and analytics. Sub-organization: per-customer view under a provider org (MSP). Network segment (VRF): Corp / Guest / PCI / IoT / OT routing instances. Segment-aware overlay: tagged tunnels keep segments apart end-to-end.

Quick check · Q1 of 10 · Understand

Versa separates traffic at how many levels, and which?

Correct: b. Versa separates twice: the outer level is the tenant (an organization in Director with full administrative isolation) and the inner level is the network segment (a VRF carried end-to-end across the overlay). The two levels solve different problems.
👉 So far: Versa separates traffic twice — tenants (organizations in Director, administrative isolation) and segments (VRFs, traffic isolation). Each level solves a different problem.

② Tenants in Director — organizations, sub-orgs and RBAC

A tenant in Versa is an organization hosted in Director. Each organization has its own isolated configuration, policy set, RBAC and analytics, so one platform can serve many customers or many internal business units without leaking between them.

The provider / sub-organization model

A provider organization can contain sub-organizations. This is the classic multi-tenancy shape an MSP uses — the provider manages the estate while each customer sub-org sees only its own config, policy and reports. An enterprise uses the same shape to split finance, retail and corporate IT into separate administrative tenants.

The interview phrasing: tenants are administrative isolation. Different admins, different dashboards, different policy trees — one Director, many organizations.

Figure 2 — One Director, many organizations
A provider organization in Director hosts isolated customer and business-unit tenants, each with its own RBAC and analytics.
Panels: Versa Director (provider org) at the centre, surrounded by Customer A (sub-org), Customer B (sub-org), Finance BU, Retail BU, Corporate IT and Guest services.

🏢 Organization (tenant)

A customer or business unit in Director with fully isolated config, policy, RBAC and analytics. One platform, many organizations.

🧩 Sub-organization

A tenant nested under a provider organization — the MSP shape where each customer sees only its own config and reports.

🛤️ Network segment (VRF)

A routing instance on the branch — Corp, Guest, PCI, IoT, OT — with its own routing table, isolated from other segments.

🌐 Segment-aware overlay

The SD-WAN tunnels tag traffic so each segment and tenant stays separate across shared transport — isolation end-to-end.

Say 'two levels' out loud

In an interview, lead with the two-level model: tenants (organizations in Director — administrative isolation for MSP / multi-BU) and segments (VRFs carried end-to-end across the overlay, each with its own routing and security policy). Naming both levels and what each solves is the answer interviewers want.

Quick check · Q2 of 10 · Remember

What does an organization (tenant) in Versa Director isolate?

Correct: a. Each organization is a tenant with its own isolated configuration, policy, RBAC and analytics. A provider org can contain sub-organizations, which is exactly the MSP multi-tenancy model.
👉 So far: A tenant = an organization with isolated config, policy, RBAC and analytics; a provider org can hold sub-organizations — the MSP multi-tenancy model, reused by enterprises to split business units.

③ Segments as VRFs — isolation carried end-to-end

Inside a tenant, you carve traffic into network segments, each implemented as a VRF / routing instance. A segment such as Corp, Guest, PCI, IoT or OT gets its own routing table and is isolated from the others — addresses in one segment cannot reach another unless you deliberately leak routes.

End-to-end, not just local

The key Versa point: that isolation is carried end-to-end across the SD-WAN overlay. On the LAN side, user VLANs and subnets map into segments. On the transport side, the segment-aware overlay tags traffic so segments ride the shared tunnels without mixing.

So PCI on Branch A reaches PCI on Branch B over the overlay, but never touches the Guest segment in between. That is end-to-end isolation — and it is what a VLAN-and-ACL answer misses.

Figure 3 — How a segment stays isolated end-to-end
A VLAN maps into a VRF, rides the tagged overlay, and lands in the same segment at the far branch — never mixing in transit.
Stages: LAN VLAN (user subnet on branch) → VRF (mapped to a segment) → Tag (segment-aware overlay) → Tunnel (shared transport) → Same VRF (lands at far branch).

Figure 4 — Tenants vs network segments
Two different tools for two different jobs — administrative isolation versus traffic isolation.
Tenant (organization): admin isolation in Director; own config, RBAC, analytics; provider org + sub-orgs; best for MSP / multi-BU.
Segment (VRF): traffic isolation per zone; own routing + security policy; carried end-to-end on overlay; best for PCI / guest / IoT-OT.

'Segmentation = a VLAN and an ACL' under-sell

A VLAN and an ACL only isolate traffic on the local switch. Versa segments are VRFs whose isolation is carried end-to-end by the segment-aware overlay, so PCI on one branch reaches PCI on another without ever touching Guest in transit. Always say 'end-to-end', not 'local'.

▶ Watch PCI traffic cross the WAN without touching Guest

How one segment stays isolated end-to-end across the overlay:

① LAN in: A card-terminal VLAN at Branch A sends traffic; the branch maps that VLAN into the PCI segment (a VRF).
② Tag on overlay: The segment-aware overlay tags the packets as PCI before they ride the shared SD-WAN tunnel.
③ Transit: The tagged PCI traffic crosses the WAN alongside Guest and Corp traffic but never enters their routing tables.
④ Land in PCI: At Branch B the overlay drops the traffic into the PCI VRF only — same segment in, same segment out, fully isolated.

Quick check · Q3 of 10 · Understand

A network segment on a Versa branch is implemented as…

Correct: c. Segments are VRFs (routing instances). Each gets its own routing table and is isolated from the others, and the segment-aware overlay carries that isolation end-to-end across the WAN, not just locally.
👉 So far: Segments are VRFs: each has its own routing table, and the segment-aware overlay carries that isolation end-to-end across the WAN, not just on the local switch.

④ Per-segment policy and the real-world use cases

Segmentation is only half the value — the other half is per-segment policy. Each segment can have its own SD-WAN steering and its own security policy. PCI is locked down with strict firewall and inspection; Guest gets Internet-only breakout and never sees corporate routes; IoT/OT is tightly fenced; Corp gets full app-aware steering.

Where this earns its keep

The headline use cases: an MSP serving many customers on shared infrastructure (tenants do the heavy lifting); an enterprise isolating PCI/finance, guest Wi-Fi and IoT/OT (segments do the heavy lifting); and merging networks after an M&A without IP-overlap headaches, because separate VRFs can carry overlapping address space.

The clean interview close: two levels — tenants for administrative isolation (MSP / multi-BU) and segments (VRFs carried end-to-end, each with its own routing and security policy). That is why Versa is strong for service providers and regulated networks.

Figure 5 — Per-segment policy in action
Each segment carries its own steering and security posture, from locked-down PCI to Internet-only guest.
Panels: PCI segment: strict firewall + inspection, locked down. Corp segment: full app-aware SD-WAN steering. IoT / OT segment: tightly fenced, minimal reachability. Guest segment: Internet-only breakout, no corp routes.

Priya at a Pune retail chain faces this

After acquiring a smaller chain, both networks use 10.10.0.0/16 and the new stores cannot be onboarded — addresses overlap and routes clash.

Likely cause

The teams tried to merge everything into one flat routing table, so the duplicate 10.10.0.0/16 ranges collide.

Diagnosis

Check Director — both the existing and acquired sites are mapped into the same segment/VRF, so the overlapping subnets fight for the same routes.

Director ▸ Organization ▸ Network Segments (VRFs) ▸ LAN-to-segment mapping
Fix

Place the acquired sites in a separate network segment (VRF). Each VRF carries its own routing table, so the overlapping 10.10.0.0/16 ranges coexist; leak only the specific routes both sides genuinely need.

Verify

Onboard a new store: it joins its own segment, the overlap no longer clashes, and inter-segment reachability is limited to the explicitly leaked routes.

Prove isolation from the routing table, not a hunch

Don't claim two segments are isolated — show it. Each VRF has its own routing table in Director; confirm the Guest VRF has no corporate routes and PCI has no path to Guest. The per-segment routing view answers most isolation questions without guessing.
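
The M&A overlap and the "prove it from the routing table" check above, worked through as an added example (not Versa code and not a Director export format). It assumes a constructed data model: segment names, prefixes, the `LEAKS` list and the `FORBIDDEN` policy pairs are all illustrative.

```python
import ipaddress

# Constructed sample data: prefixes each segment (VRF) owns locally.
LOCAL = {
    "Corp":     ["10.10.0.0/16", "10.20.0.0/16"],
    "Acquired": ["10.10.0.0/16"],      # same range as Corp after the M&A
    "PCI":      ["10.50.0.0/24"],
    "Guest":    ["192.168.100.0/24"],
}
BREAKOUT = {"Guest"}                   # segments with an Internet-only default route
# Deliberate route leaks: (owner VRF, receiving VRF, prefix)
LEAKS = [("Corp", "Acquired", "10.20.5.0/24")]
# Policy (assumed): (src, dst) pairs that must have no route from src into dst
FORBIDDEN = [("Guest", "Corp"), ("Guest", "PCI"), ("PCI", "Guest"), ("Acquired", "PCI")]


def build_tables(local, breakout, leaks):
    """Return {vrf: [(network, origin)]}; origin is the VRF that owns the route."""
    tables = {vrf: [(ipaddress.ip_network(p), vrf) for p in prefixes]
              for vrf, prefixes in local.items()}
    for vrf in breakout:
        tables[vrf].append((ipaddress.ip_network("0.0.0.0/0"), "internet"))
    for owner, receiver, prefix in leaks:
        tables[receiver].append((ipaddress.ip_network(prefix), owner))
    return tables


def lookup(tables, vrf, dst):
    """Longest-prefix match inside ONE VRF; other VRFs' tables are never consulted."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, origin) for net, origin in tables[vrf] if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def shared_prefixes(tables):
    """Prefixes owned locally by more than one VRF (the M&A overlap case)."""
    owners = {}
    for vrf, routes in tables.items():
        for net, origin in routes:
            if origin == vrf:
                owners.setdefault(str(net), []).append(vrf)
    return {p: sorted(v) for p, v in owners.items() if len(v) > 1}


def audit(tables, forbidden):
    """List (src, dst, prefix) for every route in src's table that originates in dst."""
    return [(src, dst, str(net))
            for src, dst in forbidden
            for net, origin in tables[src] if origin == dst]


if __name__ == "__main__":
    t = build_tables(LOCAL, BREAKOUT, LEAKS)
    print("overlap that coexists:", shared_prefixes(t))
    print("isolation violations:", audit(t, FORBIDDEN))
```

The audit keys on route origin rather than address overlap, which is why the duplicated 10.10.0.0/16 is reported as coexisting while a leak from PCI into Guest would be flagged.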

Quick check · Q4 of 10 · Apply

You must give guest Wi-Fi Internet access but no path to corporate apps. Best Versa approach?

Correct: d. Each segment can carry its own steering and security policy. A dedicated Guest VRF with Internet-only breakout keeps guests off corporate routes while PCI or Corp segments stay locked down independently.
👉 So far: Each segment carries its own steering and security policy — PCI locked down, Guest Internet-only — and separate VRFs let M&A networks merge despite overlapping IPs.

📝 Wrap-up assessment — six more

Q5 · Remember

Which Versa construct provides administrative isolation for a whole customer or business unit?

Correct: a. An organization (tenant) in Director isolates config, policy, RBAC and analytics for a customer or business unit. Segments (VRFs) isolate traffic; VLANs and NAT do not provide tenant-level administrative isolation.
Q6 · Understand

What is the relationship between a provider organization and a sub-organization?

Correct: b. A provider organization can contain sub-organizations. Each sub-org is an isolated tenant that sees only its own config and reports, which is exactly how an MSP manages many customers on shared infrastructure.
Q7 · Apply

PCI traffic must reach PCI at another branch but never mix with Guest in transit. What makes that work?

Correct: c. Each segment is a VRF with its own routing table, and the segment-aware overlay tags traffic so PCI rides the shared tunnels without entering the Guest table — isolation is carried end-to-end, not just locally.
Q8 · Analyze

After an M&A both companies use 10.10.0.0/16. How does Versa avoid the IP clash cleanly?

Correct: d. Separate VRFs each have their own routing table, so two segments can carry the same 10.10.0.0/16 without clashing. You leak only the specific routes both sides genuinely need, avoiding a painful re-IP.
Q9 · Evaluate

Why is Versa often described as strong for service providers and regulated networks?

Correct: a. Versa's service-provider heritage means multi-tenancy is native: tenants give MSPs and multi-BU enterprises administrative isolation, while segments carried end-to-end give regulated zones like PCI true traffic isolation with their own security policy.
Q10 · Evaluate

An interviewer asks how to give Guest, PCI and Corp different security postures on the same branch. Best answer?

Correct: b. Per-segment policy is the point: each VRF carries its own SD-WAN steering and security policy on the same box, so Guest gets Internet-only breakout, PCI is locked down, and Corp gets full app-aware steering — no extra hardware needed.

🧠 In your own words

Type one line: why does Versa separate traffic at two levels instead of one? Then compare with the expert version.

Expert version: Because the two levels solve different problems. Tenants (organizations in Director) give administrative isolation — separate config, policy, RBAC and analytics — so one platform serves many customers (MSP) or many business units, with provider orgs holding sub-organizations. Segments (VRFs) give traffic isolation — each has its own routing table and its own security and steering policy, and the segment-aware overlay carries that isolation end-to-end across the WAN. You need tenants for who-administers-what and segments for which-traffic-touches-what, which is exactly why Versa fits both service providers and regulated networks.

📖 Glossary

Organization (tenant)
A customer or business unit hosted in Versa Director with its own isolated config, policy, RBAC and analytics — the outer level of separation.
Sub-organization
A tenant nested under a provider organization, seeing only its own config and reports — the shape an MSP uses to manage many customers.
Multi-tenancy
One shared platform hosting many logically isolated tenants at once; native to Versa thanks to its service-provider heritage.
Network segment
A traffic zone such as Corp, Guest, PCI, IoT or OT, implemented as a VRF and isolated from the other segments.
VRF / routing instance
Virtual Routing and Forwarding — a separate routing table per segment, so overlapping or isolated address spaces coexist cleanly.
Segment-aware overlay
SD-WAN tunnels that tag traffic per segment so each segment and tenant stays separate while sharing the same transport.
End-to-end isolation
Separation between segments that holds across every WAN hop, not just on the local switch — what a VLAN-and-ACL answer misses.
RBAC
Role-Based Access Control — admins only see and edit the tenants and functions assigned to their role, keeping tenants apart.
Versa Director
The management and orchestration plane that hosts every tenant, pushes config and policy, and shows per-tenant analytics.

What's next?

Got tenants and segments? Next, go deep on Versa security services per segment — the firewall, IPS, URL filtering and SASE/SSE breakout that ride each VRF, and how policy follows the user no matter which segment they sit in.