top of page
Writer's picturevP

Deploying vSAN Witness Host on vSAN witness Appliance

Welcome back to the blog. In one of the previous blog post we discussed that the VMware vSAN 2 Node Clusters require a vSAN Witness Host and it can be configured as either physical ESXi host or vSAN Witness Appliances.


In this blog we will discuss about using the vSAN witness appliance as a vSAN Witness Host in detail. The vSAN Witness Appliance is available in an OVA (Open Virtual Appliance) format from VMware. The vSAN Witness Appliance does need to reside on a physical ESXi host.


Requirements to Host vSAN Witness Appliance

- The vSAN Witness Appliance must on an ESXi 5.5 or greater VMware host.

- The ESXi 5.5 or greater host must meet the minimum requirements for the vSAN Witness Host for the version of vSAN 2 Node that the vSAN Witness Appliance will support.

- The vSAN Witness Appliance and the vSAN 2 Node Cluster require suitable networking in order to communicate.


Where can the vSAN Witness Appliance run?

In addition to the minimal requirements for hosting the vSAN Witness Appliance, several supported infrastructure choices are available:


- On a vSphere environment backed with any supported storage (VMFS datastore, NFS datastore, vSAN Cluster)

- On vCloud Air/OVH backed by a supported storage

- Any vCloud Air Network partner-hosted solution

- On a vSphere Hypervisor (free) installation using any supported storage (VMFS datastore or NFS datastore)


CPU Requirements for vSAN Witness Appliance

The vSAN Witness Appliance is a virtual machine that has special vSphere installation that is used to provide quorum/tiebreaker services for a 2 Node vSAN Cluster. The vSphere installation inside the vSAN Witness Appliance must be compatible with the underlying CPU architecture.


As an example, a vSphere/vSAN 6.7 2 Node vSAN Cluster will require a vSAN Witness Appliance that is running vSphere 6.7. In cases where a vSAN Witness Appliance is deployed to an ESXi host that does not meet the CPU requirements, it may be deployed, but not powered on. The vSAN Witness Appliance, patched like a normal vSphere Host, cannot be upgraded to vSphere 6.7 if the underlying CPU does not support vSphere 6.7.


This consideration is important to take into account when upgrading 2 Node vSAN Clusters. The vSAN Witness is a critical part of the patching and upgrade process. VMware strongly advises keeping the vSAN Witness version and the vSphere version of the 2 Node vSAN Cluster consistent.


Networking

The vSAN Witness Appliance contains two network adapters that are connected to separate vSphere Standard Switches.

The vSAN Witness Appliance Management VMkernel is attached to one VSS, and the WitnessPG is attached to the other VSS. The Management VMkernel (vmk0) is used to communicate with the vCenter Server for normal management of the vSAN Witness Appliance. The WitnessPG VMkernel interface (vmk1) is used to communicate with the vSAN Data Nodes. This is the recommended configuration.


Alternatively, the Management VMkernel (vmk0) interface could be tagged to include vSAN traffic as well as Management traffic. In this case, vmk0 would require connectivity to both vCenter Server and the vSAN Witness Network.


A Note About Promiscuous Mode

In many ESXi in a VM environment, there is a recommendation to enable promiscuous mode to allow all Ethernet frames to pass to all VMs that are attached to the port group, even if it is not intended for that particular VM. The reason promiscuous mode is enabled in many ESXi in a VM environment is to prevent a virtual switch from dropping packets for (nested) vmnics that it does not know about on the ESXi in a VM hosts. ESXi in a VM deployments are not supported by VMware other than the vSAN Witness Appliance.


The MAC addresses of the vSAN Witness Appliance's VMkernel interfaces vmk0 & vmk1 are configured to match the MAC addresses of the ESXi host's physical NICs, vmnic0, and vmnic1. Because of this, packets destined for either the Management VMkernel interface (vmk0) or the WitnessPG VMkernel interface, are not dropped. Because of this, promiscuous mode is not required when using a vSAN Witness Appliance.

Courtesy - VMware

Since the vSAN Witness Appliance will be deployed on a physical ESXi host the underlying physical ESXi host will need to have a minimum of one VM network preconfigured. This VM network will need to reach both the management network and the vSAN network shared by the ESXi hosts on the data sites. An alternative option that might be simpler to implement is to have two preconfigured VM networks on the underlying physical ESXi host, one for the management network and one for the vSAN network. When the virtual ESXi witness is deployed on this physical ESXi host, the network will need to be attached/configured accordingly.


I hope you find this informative.


Thank you for reading!


*** Explore | Share | Grow ***

24 views0 comments

Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page