vSAN witness appliance is isolated, but can establish a ping over the vSAN network. 

vSAN 7.0

vSAN 8.0

vSAN witness traffic tag on the vSAN witness. 

Confirm witness network configuration does not contain 'vSAN witness traffic' on the witness. 

• This is intended for the vSAN hosts to reach the witness and only send witness copies. 

There are two ways to configure a vSAN witness appliance. 

1: Have the vSAN witness able to reach from vmk1 the vSAN enabled vSAN network (or another 'vSAN witness network' on the data nodes). 

2: For the vSAN witness, enable vSAN as well along with management on vmk0. Then on the vSAN hosts, enable on management as well 'vSAN witness traffic' through command line. 

Having multiple vSAN networks enabled, or having vSAN witness and 'vSAN network' that can reach witness. Can cause isolation (if wrong network is hit). Where only one dedicated data path on that subnet/vLAN should be routed for the vSAN network. 

Deploying a vSAN witness appliance.