Symptoms:

• Environment requires high availability with a small footprint.
  
  
• Planning a two‑node vSAN deployment where two ESXi hosts are directly connected with a 10Gb link (no switch).
  
  
• Direct connection intended exclusively for vSAN traffic.
  
  
• Current LAN network does not meet vSAN requirements.

vSAN Stretched/Robo cluster

1. Is this a supported configuration?

Yes. vSAN 6.5 and later allows the two hosts at the data site to be directly connected. Based on your update you are planning to use standalone host for witness appliance.

Refer Broadcom Techdocs : Two Node vSAN Deployments

2. Can there be two network cables between the servers and does load balancing work between the links?

Redundancy: Yes, Ensure there are two cables configured between esxi hosts for redundancy or to avoid a single point of failure. 

Load Balancing: vSAN does not load balance between multiple VMkernel adapters. However, it can load balance across multiple physical NICs if using an appropriate NIC teaming policy.

Example :

Route Based on Physical NIC Load since this does not need physical switch configuration

Route Based on Physical NIC Load: 

Route Based on Physical NIC Load is based on Route Based on Originating Virtual Port, where the virtual switch monitors the actual load of the uplinks and takes steps to reduce load on overloaded uplinks. This load-balancing method is available only with a vSphere Distributed Switch, not on vSphere Standard Switches.

The distributed switch calculates uplinks for each VMkernel port by using the port ID and the number of uplinks in the NIC team. The distributed switch checks the uplinks every 30 seconds, and if the load exceeds 75 percent, the port ID of the VMkernel port with the highest I/O is moved to a different uplink.

Pros

• No physical switch configuration is required.
• Although vSAN has one VMkernel port, the same uplinks can be shared by other VMkernel ports or network services. vSAN can benefit by using different uplinks from other contending services, such as vMotion or management.

Cons

• As vSAN typically only has one VMkernel port configured, its effectiveness is limited.
• The ESXi VMkernel reevaluates the traffic load after each time interval, which can result in processing overhead.

Refer : Configure Load Balancing for NIC Teams

Refer Broadcom Techdocs : Designing the vSAN Network

3. Is a dedicated distributed virtual switch required for vSAN traffic?

No. A standard vSwitch is sufficient for vSAN traffic, as long as you configure VMkernel ports correctly and tag them for vSAN. Configuring VMware vDS (vSphere Distributed Switch) switch is optional.

4. Spanning Tree Protocol (STP) support for vSAN.

Answer : vSAN does not support Spanning Tree Protocol setup for vSAN network configuration. As per KB #  1003804, In a switched network environment which uses Spanning Tree Protocol (STP), you experience these symptoms: 

• An ESXi or ESX host temporarily loses network connectivity when a failover or failback event occurs.
• Virtual machines temporarily lose network connectivity when a failover or failback event occurs.
• A VMware High Availability (HA) isolation event occurs after one of the teamed NICs of the COS is unplugged and plugged in to a different port.

Please refer KB # 1003804 : STP may cause temporary loss of network connectivity when a failover or failback event occurs for more details. 

Addition KB and Broadcom TechDocs for Reference :

•  KB # How to configure a witness appliance for use with a direct connect 2-node vSAN cluster
•  KB # Configure Network Interface for Witness Traffic
•  Broadcom Techdocs # Configure Load Balancing for NIC Teams