I don't quite understand your question. The document states that both setups in option 2 are a supported configuration and that the traffic is handled via L2 and therefore no routing (L3) is needed.

In this configuration, static routing is not required because Layer 2 networking is use.

This is a supported configuration.

alexanderleutz​ - I maintain the 2 Node Guide.

I'll try to address your question and then look at the doc to see if any updates are required.

Static routes are required when:

A vSAN interface needs to connect somewhere that a vSAN VMkernel interface would need to use vmk0's default gateway.

This is because vSAN uses the same TCP stack as the Management VMkernel interface (vmk0) and vSAN does not honor specifying a default gateway on vSAN VMkernel interfaces today.

Example 1 Static Routing Required)

vSAN 2 Node using Direct Connect, with Data Node vmk1 setup for "witness" traffic and the vSAN Witness Host interface ('vsan' traffic) is not on the same segment.

NODE1 -

• Management vmk0 - 192.168.10.11 (netmask 255.255.255.0) - Tagged management
• Witness vmk1 - 192.168.20.11 (netmask 255.255.255.0) - Tagged witness
• vSAN vmk2 - 192.168.30.11 (netmask 255.255.255.0) - Tagged vsan
• vMotion vmk3 - 192.168.30.11 (netmask 255.255.255.0) - Tagged vmotion

NODE2 -

• Management vmk0 - 192.168.10.12 (netmask 255.255.255.0) - Tagged management
• Witness vmk1 - 192.168.20.12 (netmask 255.255.255.0) - Tagged witness
• vSAN vmk2 - 192.168.30.12 (netmask 255.255.255.0) - Tagged vsan
• vMotion vmk3 - 192.168.30.12 (netmask 255.255.255.0) - Tagged vmotion

vSAN Witness Host -

• Management vmk0 - 192.168.110.13 (netmask 255.255.255.0) - Tagged management
• WitnessPg vmk1 - 192.168.120.13 (netmask 255.255.255.0) - Tagged vsan

*Static Routes are required from

• 192.168.20.11 & 12 to 192.168.120.13
• 192.168.120.13 to 192.168.20.11 & 12

Example 2 Static Routing Not Required)

vSAN 2 Node using Direct Connect, with Data Node vmk1 setup for "witness" traffic and the vSAN Host interface ('vsan' traffic) is on the the same segment

NODE1 -

• Management vmk0 - 192.168.10.11 (netmask 255.255.255.0) - Tagged management
• Witness vmk1 - 192.168.20.11 (netmask 255.255.255.0) - Tagged witness
• vSAN vmk2 - 192.168.30.11 (netmask 255.255.255.0) - Tagged vsan
• vMotion vmk3 - 192.168.30.11 (netmask 255.255.255.0) - Tagged vmotion

NODE2 -

• Management vmk0 - 192.168.10.12 (netmask 255.255.255.0) - Tagged management
• Witness vmk1 - 192.168.20.12 (netmask 255.255.255.0) - Tagged witness
• vSAN vmk2 - 192.168.30.12 (netmask 255.255.255.0) - Tagged vsan
• vMotion vmk3 - 192.168.30.12 (netmask 255.255.255.0) - Tagged vmotion

vSAN Witness Host -

• Management vmk0 - 192.168.110.13 (netmask 255.255.255.0) - Tagged management
• WitnessPg vmk1 - 192.168.20.13 (netmask 255.255.255.0) - Tagged vsan

Static Routes are not required from 192.168.20.11/12 to 192.168.20.12 (and vice versa) because they are on a Layer 2 segment.

Example 3 Static Routing Not Required)

vSAN 2 Node using Direct Connect, with Data Node vmk0 (yes this is management) setup for 'witness' traffic and Witness host has 'vsan' tagged on Management

Expectations: Data Nodes vmk0 have route to Witness Host vmk0 & vice versa, regardless of where the Host resides.

NODE1 -

• Management vmk0 - 192.168.10.11 (netmask 255.255.255.0) - Tagged management & witness
• vSAN vmk2 - 192.168.30.11 (netmask 255.255.255.0) - Tagged vsan
• vMotion vmk3 - 192.168.30.11 (netmask 255.255.255.0) - Tagged vmotion

NODE2 -

• Management vmk0 - 192.168.10.12 (netmask 255.255.255.0) - Tagged management & witness
• vSAN vmk2 - 192.168.30.12 (netmask 255.255.255.0) - Tagged vsan
• vMotion vmk3 - 192.168.30.12 (netmask 255.255.255.0) - Tagged vmotion

vSAN Witness Host -

• Management vmk0 - 192.168.110.13 (netmask 255.255.255.0) - Tagged management & vsan
  • This could be Layer 3 in this example if there is a route between the vmk0 of NODES/Witness
  • The Witness's vmk0 could be even on the same segment as NODE1/2 (Layer 2)
• WitnessPg vmk1 - 192.168.120.13 (netmask 255.255.255.0) - Not used because nothing is tagged.

*Note: The vSAN Witness Host cannot have vmk0 and vmk1 on the same segment if vmk1 is used for 'vsan' traffic. This results in a multi-homing issue and causes an error. KB 2010877 details this, and it is not a vSAN specific issue.

The TL/DR, is that 2 Node vSAN using Direct Connect (Witness Traffic Separation) can use a L3 connection to a vSAN Witness Host if that vSAN Witness Host resides on another network somewhere else. That somewhere else could be in a different segment in a local datacenter, remote datacenter, or in another hosting facility. If the vSAN Witness Host is on the same segment, like in a remote site, then Layer 2 is supported.