VMware recommends that the vSAN communications between vSAN nodes and the vSAN Witness host be:
The maximum supported roundtrip time (RTT) between the vSAN 2-node cluster and the Witness is 500 milliseconds (250 milliseconds each way).
In the VxRail implementation of the vSAN 2-node cluster, a VMkernel interface is designated to carry traffic destined for the Witness host.
Figure 3. 4x10G Direct-connect port configuration
Each vSAN host’s vmk5 VMkernel interface is tagged with “witness” traffic. When using Layer 3, each vSAN host must have a static route configured for vmk5 and be able to properly access the vmk1 on the vSAN Witness host, which is tagged with “vSAN” traffic.
Likewise, the vmk1 interface on the Witness host must have a static route configured to properly communicate with vmk5 on each vSAN host.