Site Recovery Manager

vSphere Replication Traffic Isolation


If you are using, or considering, vSphere Replication, you may have concerns about managing or isolating your replication traffic. This post walks through the available options and provides instructions for taking advantage of them. Note that this configuration requires vSphere Replication version 6.0 or later.


To understand how to isolate vSphere Replication network traffic, it is important to first understand how traffic flows when using vSphere Replication. At a high level, these are the steps it takes (follow along in the graphic above):

  • A VM is running on a vSphere host and is configured for vSphere Replication. The initial replication has already completed.
  • As the VM writes to its disks, the writes pass through the vSCSI filter on the host where the VM is running.
  • The vSCSI filter monitors all I/O to the VM's disks and tracks those changes.
  • The vSCSI filter periodically replicates the changed data to the vSphere Replication Appliance at the target site.
  • The vSphere Replication Appliance sends the replicated data over NFC to the vSphere host with access to the target datastore.

If you have additional questions about the normal flow of traffic or the function of vSphere Replication, take a look at the vSphere Replication Technical Overview or the vSphere Replication FAQ. For a deep dive on vSphere Replication functionality, watch this vSphere Replication Technical walkthrough with Engineering session from VMworld.

To isolate traffic, a few things need to happen:

  • Each host needs an additional portgroup and VMkernel interface on the desired isolated network (instructions here and here).
  • The vSphere Replication Appliance(s) (the VRMS and any additional VRSs) need to have an additional vNIC added and placed on the isolated network portgroup (instructions here).
  • Within the vSphere Replication Appliance management interface, the additional NIC needs an IP address and needs to be configured for incoming storage traffic (instructions here).
  • Static routes need to be defined on each host at the source site describing how to reach the target site, and vice versa (instructions here). If replications will ever flow in the opposite direction, reverse routes should also be configured on what are currently the target site hosts.

With these steps in place traffic can be isolated on a completely separate network allowing for improved security, manageability and quality of service.
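The host-side steps above (the VMkernel interface and the static routes in both directions) can be planned and sanity-checked before touching any host. The following is an added example, not part of the original post: the host names, subnets, gateways, `vmk2` and the `VR-Isolated` portgroup are constructed values, and the script only prints `esxcli` lines after verifying that the replication subnets do not overlap the management networks.

```python
import ipaddress

def host_commands(ip, local_net, gateway, remote_net, mgmt_nets,
                  vmk="vmk2", portgroup="VR-Isolated", tag="vSphereReplication"):
    """Return the esxcli lines for one host after sanity-checking the addressing."""
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    # Isolation only holds if replication subnets stay off the management networks.
    for net in (local, remote):
        for mgmt in map(ipaddress.ip_network, mgmt_nets):
            if net.overlaps(mgmt):
                raise ValueError(f"{net} overlaps management network {mgmt}")
    if local.overlaps(remote):
        raise ValueError("both sites share a subnet, so a static route cannot separate them")
    if ipaddress.ip_address(ip) not in local or ipaddress.ip_address(gateway) not in local:
        raise ValueError(f"vmk address and gateway must both be inside {local}")
    # tag is the service enabled on the vmk; vSphereReplicationNFC is the NFC counterpart.
    return [
        f"esxcli network ip interface add --interface-name={vmk} --portgroup-name={portgroup}",
        f"esxcli network ip interface ipv4 set --interface-name={vmk} "
        f"--ipv4={ip} --netmask={local.netmask} --type=static",
        f"esxcli network ip interface tag add --interface-name={vmk} --tagname={tag}",
        f"esxcli network ip route ipv4 add --network={remote} --gateway={gateway}",
    ]

def plan(site_a, site_b, mgmt_nets):
    """Commands per host for both sites, so reverse routes exist before a reprotect."""
    out = {}
    for here, there in ((site_a, site_b), (site_b, site_a)):
        for host, ip in here["hosts"].items():
            out[host] = host_commands(ip, here["net"], here["gateway"],
                                      there["net"], mgmt_nets)
    return out

# Constructed sample values (assumptions, not from the original post).
SITE_A = {"net": "10.10.50.0/24", "gateway": "10.10.50.1",
          "hosts": {"esx-a1": "10.10.50.11", "esx-a2": "10.10.50.12"}}
SITE_B = {"net": "10.20.50.0/24", "gateway": "10.20.50.1",
          "hosts": {"esx-b1": "10.20.50.11"}}
MGMT_NETS = ["10.10.10.0/24", "10.20.10.0/24"]

if __name__ == "__main__":
    for host, cmds in plan(SITE_A, SITE_B, MGMT_NETS).items():
        print(f"# {host}")
        print("\n".join(cmds))
```

Review the printed lines per host before running them in the ESXi shell; a `ValueError` means the addressing would defeat the isolation or make the route unusable.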


5 comments have been added so far

  1. Now I completely understand how to isolate vSphere Replication network traffic and all my doubts have been cleared. Very useful information. The way you explain each and every thing is very good. Thanks a lot for the knowledge.

  2. In the official documentation, information about additional steps with ESXi routing should be included! I don’t understand why I should have to search for such information in blogs (and generally over the internet). It is not the first time for a VMware product.

  3. I agree. The documentation is in the process of being updated and will reflect this shortly (within the month).

  4. It is also possible to isolate NFC traffic from the VR appliance to the target host on a separate network.
    By default, VRA will send this traffic through its management interface to the management interface of the ESXi server.

    However, I believe it is not supported yet as the documentation doesn’t mention this scenario at all.

  5. I have a query regarding vSphere Replication on isolation traffic. We have configured vSphere Replication, and at the primary site the service vSphere Replication traffic is checked, and on the target DR site vSphere Replication NFC is checked. In my case, when the failover is done and while re-protecting, do we have to change the service vice versa, like vSphere Replication traffic and vSphere Replication NFC traffic vice versa, or is no change required?
