The VSA cluster network must have at least 1 dedicated Ethernet switch that supports IEEE 802.1Q VLAN trunking.

You can have 2 dedicated switches to eliminate a single point of failure in the physical network. The switches must be configured to support the IP ranges of the front-end and back-end networks of the VSA cluster. To isolate front-end and back-end networks, you should use VLANs instead of physical isolation. VLAN isolation protects the VSA virtual NICs from Ethernet broadcast storms and malicious capturing and parsing of Ethernet frames. If VLANs are to be used with the VSA Cluster, all of the NICs must go into trunking ports.

You can configure two VLAN IDs on your switches to isolate traffic between the front-end and back-end networks. You can use the VLAN IDs in the VSA Installer and VSA Automated Installer to specify the VLAN IDs for the front-end and back-end networks. Using VLAN IDs is not mandatory.

A VSA back-end VLAN isolates VSA private network traffic and VSA front-end network traffic from network traffic initiated by non-VSA virtual machines on the VM Network port group. The private network includes clustering and RAID1 replication for a three-node VSA cluster and RAID1 replication only for a two-node VSA cluster. In addition, the VSA-VMotion VMkernel Port must be assigned the same VLAN ID as the VSA-Front End Port Group, even though the vMotion traffic is routed through the same vSwitch as the VSA-Back End.


VLAN IDs can range from 1 to 4094. You cannot use 0 and 4095.

Table 1. VLAN ID Configuration for a VSA Cluster

VSA Cluster Network

Example VLAN ID

Front-end network


Back-end network


For information about best practices for networking, refer to