Isolating vSphere Replication Traffic

Prior to vSphere 6, the replication traffic was sent and received using the management interfaces of ESXi and VRA appliances. With vSphere 6 it is possible to send the replication traffic over a separate dedicated interface.

By default, the vSphere Replication appliance has one VM network adapter that is used for various traffic types.

  • Management traffic between vSphere Replication Management Server and vSphere Replication Server.

  • Replication traffic from the source ESXi hosts to the vSphere Replication Server.

  • Traffic between vCenter Server and vSphere Replication Management Server.

  • NFC (Network File Copy) traffic which is used to copy VM replication data from the vSphere Replication Server appliance at the target site to the destination datastores.

VR Traffic Flow

We will use below image for understanding the flow of replication traffic


Typically these are the sequence of events that take places when a VM is configured for replication and initial sync has completed:

  • As data is written to VM disks, the writes pass through the vSCSI filter on the host where the VM is running
  • The vSCSI filter monitors all I/O to the VMs disks and tracks those changes.
  • The vSCSI filter periodically replicates the changed data to the vSphere Replication Appliance at the target site
  • The vSphere Replication Appliance sends the replicated data to the vSphere host with access to the target datastore over NFC

Why we need VR traffic isolation?

By isolating the vSphere replication traffic from critical business network traffic’s helps in enhancing the network performance in the data center. You can use a dedicated uplink for VR traffic and you can apply prioritization and QoS methods individually on different traffic types. Also monitoring and troubleshooting becomes easy when each traffic is flowing through a dedicated link.

You isolate the network traffic to the vSphere Replication Server by dedicating a VMKernel NIC on each ESXi host on the primary site that sends data to the vSphere Replication Server.

Lets jump into lab now and get our hands dirty.

1: Set Up a VMkernel Adapter for VR traffic on a source and destination Esxi hosts.At source site the vmkernel adapter should be enabled only for VR traffic and nothing else.

My lab config looks like below. I have 3 Esxi host in source site and all hosts are connected to the replication portgroup. 



At destination site, I have 2 Esxi host and both are connected to portgroup which is dedicated for vSphere replication


2: Shutdown the VR appliance and add a new network adapter to use for incoming replication traffic. 

Post adding the NIC, power on the VR appliance.


3: Login to VR appliance VAMI interface and configure the eth 1 (newly added nic) by navigating to Network > Address tab.

In my lab, my management traffic flows on network and for replication traffic I have created a new subnet :


4: Use the IP which we set on eth1 to be used for storage traffic as shown below.


5: Add static route on VR appliance for newly added NIC

You can also add the static routes information to /etc/sysconfig/network/routes file so that routes are persistent across reboots.

Verify the newly added route appears in routing table

6: Add static route on Esxi host. Please see VMware KB-2001426 for this.

This configuration is fine for isolating replication tarffic. However if you want to isolate NFC traffic as well, then you have to add a 3rd NIC to your VR appliance. Brett Kennelly has wrote a wonderful article on this. 

And thats it for this post.

Sources and Inspirations

vSphere Replication Traffic Isolation

Understanding vSphere Replication traffic isolation

VMware Docs

I hope you find this post informational. Feel free to share this on social media if it is worth sharing. Be sociable 🙂