LunMaskingI’ve been asked by a few customers about the location of the VMware ESX\ESXi LUN masking feature and how the LUN masking is done at the VMware ESX\ESXi level in version 4.
In VMware ESX 3.0/3.5 the settings for LUN masking were available in the UI via the Advance Software settings under Disk -> Disk.MaskLUNs as shown in screenshot below.

VMware ESX\ESXi 3.x Disk.MaxLUNs Settings


Well, here is the reason why you can’t find the Disk.MaskLUNs in the UI of ESX\ESXi 4. The component is no longer accessible under the ESX\ESXi’s 4 UI. The chance is implemented as a result of the re-architecture of the storage stack. The VMware Pluggable Storage Architecture (PSA)  is completely new. Old code and features were left behind in order to provide better, faster, and more reliable options and features. The Disk.MaskLUNs access via the UI was one of those left behind.

I agree with the point of taking the LUN masking feature out of the UI. Most vSphere administrators shouldn’t be manipulating those settings, unless they also happen to be in charge of the SAN environment, which hopefully means that there is a good amount of experience with storage technologies. The masking of LUN’s is something that should should be handled by the SAN team and executed on the hardware side.  For configurations such as the presentation and removal of LUN’s and Volumes, it’s best to simply contact the SAN team and ask for a certain LUN or certain range of LUN’s not to be presented to the servers. LUN masking is less error-prone at the storage array than at the hosts.

One reason as to why someone would want to configure software LUN masking (ESX\ESXi) is to protect against screw-up’s by SAN administrators. In boot from SAN scenarios this would be beneficial in order to keep the ESX Servers from seeing each others booting LUN and corrupting them.  With that said, as you can’t configure LUN masking from the UI in ESX\ESXi 4, you’ll have to do it from the Service Console, vCLI or vMA appliance. The new procedures on how to achieve LUN masking in ESX\ESXi 4 are listed below.

vCLI LUN Masking Procedure:

You can prevent the ESX/ESXi host from accessing storage devices or LUNs or from using individual paths to a LUN. Use the vSphere CLI commands to mask the paths. When you mask paths, you create claim rules that assign the MASK_PATH plug-in to the specified paths.

Configuration Steps

1- Check what the next available rule ID is. The claim rules that you use to mask paths should have rule IDs in the range of 101 – 200. If this command shows that rule 101 and 102  already exist, you can specify 103 for the rule to add.

esxcli corestorage claimrule list

2- Assign the MASK_PATH plug-in to a path by creating a new claim rule for the plug-in.

esxcli corestorage claimrule add -r <claimrule_ID> -t <type> <required_option> -P <MASK_PATH>

3- Load the MASK_PATH claim rule into your system.

esxcli corestorage claimrule load

4- Verify that the MASK_PATH claim rule was added correctly.

esxcli corestorage claimrule list

5- If a claim rule for the masked path exists, remove the rule.

esxcli corestorage claiming unclaim <type> <required_option>

6- Run the path claiming rules.

esxcli corestorage claimrule run

After you assign the MASK_PATH plug-in to a path, the path state becomes irrelevant and is no longer maintained by the host. As a result, commands that display the masked path’s information might show the path state as dead.

Implementation Example:

This example masks the LUN 20 on targets T1 and T2 accessed through storage adapters vmhba2 and vmhba3.

#esxcli corestorage claimrule list
#esxcli corestorage claimrule add -P MASK_PATH -r 109 -t location -A vmhba2 -C 0 -T 1 -L 20
#esxcli corestorage claimrule add -P MASK_PATH -r 110 -t location -A vmhba3 -C 0 -T 1 -L 20
#esxcli corestorage claimrule add -P MASK_PATH -r 111 -t location -A vmhba2 -C 0 -T 2 -L 20
#esxcli corestorage claimrule add -P MASK_PATH -r 112 -t location -A vmhba3 -C 0 -T 2 -L 20
#esxcli corestorage claimrule load
#esxcli corestorage claimrule list
#esxcli corestorage claiming unclaim -t location -A vmhba2
#esxcli corestorage claiming unclaim -t location -A vmhba3
#esxcli corestorage claimrule run

For more on Storage masking, check out Duncan Epping’s post on Storage Masking best practice at Enjoy!