By planning the mapping of VM-Series Firewall vNICs
and interfaces, you can avoid reboots and configuration issues.
The following table describes the default mapping between VMware
vNICs and VM-Series interfaces when all 10 vNICs are enabled on ESXi.
Ethernet 1/0 (mgmt)
Ethernet 1/1 (eth1)
Ethernet 1/2 (eth2)
Ethernet 1/3 (eth3)
Ethernet 1/4 (eth4)
Ethernet 1/5 (eth5)
Ethernet 1/6 (eth6)
Ethernet 1/7 (eth7)
Ethernet 1/8 (eth8)
Ethernet 1/9 (eth9)
The mapping on the VM-Series Firewall remains the same no matter
which vNICs you add on ESXi. Interfaces you activate on the firewall
always take the next available vNIC on ESXi.
In the following diagram, eth3 and eth4 on the VM-Series Firewall
are paired to vNICs 2 and 3 on ESXi, and eth1 and eth2 are unmapped,
as shown on the left.
If you want to add two additional interfaces while maintaining
the current mapping, activate vNICs 4 and 5 and reboot down the
firewall. The existing vNIC mapping is preserved because you added
the interfaces after the last-mapped inteface.
If you activate eth1 and eth2 on the VM-Series firewall, the
interfaces reorder themselves as shown on the right, resulting in
a mapping mismatch that impacts traffic.
To avoid the issues described in the preceding example, you can
do the following:
When provisioning your ESXi host for the first time,
activate all nine vNICs beyond the first. Adding all nine vNICs
as placeholders before powering on the VM-Series Firewall allows
you to use any VM-Series interfaces regardless of order.
If all vNICs are active, adding additional interfaces no
longer requires a reboot. Because each vNIC on ESXi requires that
you choose a network, you can create an empty port group as a network
Do not remove VM-Series firewall vNICs to avoid mapping mismatches.