Deploy vSRX Virtual Firewall Chassis Cluster Nodes Across Different ESXi Hosts Using dvSwitch
Before you deploy vSRX Virtual Firewall chassis cluster nodes on ESXi 6.0 (or later) hosts using a distributed virtual switch (dvSwitch), make the following settings in the vSphere Web Client so that the high-availability cluster control link works properly between the two nodes:
In the dvSwitch switch settings of the vSphere Web Client, disable IGMP snooping under Multicast filtering mode.
In the dvSwitch port group configuration of the vSphere Web Client, enable promiscuous mode.
For more information, see VMware vSphere Documentation.
This chassis cluster method uses the private VLAN (PVLAN) feature of dvSwitch to deploy the vSRX Virtual Firewall chassis cluster nodes on different ESXi hosts. There is no need to change the external switch configuration.
In the VMware vSphere Web Client, a dvSwitch PVLAN entry has two PVLAN IDs, one for the primary VLAN and one for the secondary VLAN. Select Community as the secondary VLAN ID type.
Use the two secondary PVLAN IDs for the vSRX Virtual Firewall control and fabric links. See Figure 1 and Figure 2.
The configuration described above must also reside on the external switch to which the distributed switch uplinks are connected. If the link to the external switch supports a native VLAN, VLAN can be set to None in the distributed switch port group configuration. If a native VLAN is not supported on the link, the port group configuration must have VLAN enabled.
You can also use a regular VLAN on a distributed switch to deploy vSRX Virtual Firewall chassis cluster nodes on different ESXi hosts using dvSwitch. A regular VLAN behaves like a physical switch. If you use a regular VLAN instead of PVLAN, disable IGMP snooping for the chassis cluster links.
However, PVLAN is recommended because:
PVLAN does not impose IGMP snooping.
PVLAN conserves VLAN IDs.
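The following PowerCLI script is an added example, not code from the Juniper or VMware documentation. It checks and applies the three dvSwitch settings this page calls for (multicast filtering without IGMP snooping, a Community secondary PVLAN per HA link, and promiscuous mode on the port groups). The dvSwitch name, port group names and VLAN IDs are assumed placeholders, and the primary PVLAN entry is assumed to exist already.

```powershell
# Added example (not vendor code). Assumes an open PowerCLI session
# (Connect-VIServer) and the placeholder names and VLAN IDs below.
$VdsName     = "dvSwitch-HA"                                  # assumed dvSwitch name
$PrimaryVlan = 100                                            # assumed primary PVLAN ID
$HaLinks     = @{ "vSRX-Control" = 101; "vSRX-Fabric" = 102 } # assumed port group -> secondary ID

$vds  = Get-VDSwitch -Name $VdsName
$view = Get-View -Id $vds.Id

# 1. dvSwitch multicast filtering: "legacyFiltering" is the basic mode without
#    IGMP snooping; "snooping" would filter the multicast the control link relies on.
if ($view.Config.MulticastFilteringMode -ne "legacyFiltering") {
    $spec = New-Object VMware.Vim.VMwareDVSConfigSpec
    $spec.ConfigVersion          = $view.Config.ConfigVersion
    $spec.MulticastFilteringMode = "legacyFiltering"
    $view.ReconfigureDvs($spec)
    Write-Host "$VdsName : multicast filtering set to legacyFiltering (IGMP snooping off)"
}

# The primary (promiscuous) PVLAN entry must already be defined on the dvSwitch.
$pvlans = Get-VDSwitchPrivateVlan -VDSwitch $vds
if (-not ($pvlans | Where-Object { $_.PrimaryVlanId -eq $PrimaryVlan -and $_.PrivateVlanType -eq "Promiscuous" })) {
    throw "Primary PVLAN $PrimaryVlan is not defined on $VdsName; create it first."
}

foreach ($pgName in $HaLinks.Keys) {
    $secId = $HaLinks[$pgName]

    # 2. One Community secondary PVLAN per HA link (control, fabric).
    $entry = $pvlans | Where-Object { $_.PrimaryVlanId -eq $PrimaryVlan -and $_.SecondaryVlanId -eq $secId }
    if (-not $entry) {
        $entry = New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId $PrimaryVlan `
                     -SecondaryVlanId $secId -PrivateVlanType Community
    } elseif ($entry.PrivateVlanType -ne "Community") {
        throw "PVLAN $PrimaryVlan/$secId is type $($entry.PrivateVlanType); expected Community."
    }

    # 3. Port group: bind it to the secondary PVLAN and allow promiscuous mode.
    $pg = Get-VDPortgroup -VDSwitch $vds -Name $pgName
    Set-VDPortgroup -VDPortgroup $pg -PrivateVlan $entry -Confirm:$false | Out-Null
    $pol = $pg | Get-VDSecurityPolicy
    if (-not $pol.AllowPromiscuous) {
        $pol | Set-VDSecurityPolicy -AllowPromiscuous $true | Out-Null
    }
    Write-Host "$pgName : PVLAN $PrimaryVlan/$secId (Community), promiscuous mode allowed"
}
```

Run it once per dvSwitch after the nodes' port groups exist; re-running is safe because each step only changes settings that do not already match.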
When the vSRX Virtual Firewall cluster nodes on different ESXi hosts communicate through physical switches, you also need to consider the other Layer 2 parameters described in Troubleshooting a SRX chassis cluster that is connected through a layer 2 switch.