How To Perform LUN Masking in vSphere 6

What is LUN Masking?

LUN masking is a way to control which LUNs are made visible to an ESXi host. If you have a storage array with multiple LUNs and you want an ESXi host to see only a subset of them rather than all, you can use the LUN masking technique.

LUN masking is the total opposite of LUN zoning, where the storage array configuration determines which LUNs are visible to a host.

Last year I was doing a lab on vSphere Replication setup and wanted a subset of LUNs from my openfiler appliance to be visible in my source site and the remaining LUNs in my protected site. That was the first time I felt the need to mask the paths to the storage array, so that the ESXi hosts from both sites would not see/mount all the LUNs I had created on my openfiler appliance.

Although I ended up making the configuration change on the openfiler side (similar to zoning), the idea of using LUN masking someday always remained in my mind. LUN masking is something you do directly on an individual ESXi host with the help of claimrules.

What commands do I need to achieve LUN masking?

1: Find LUN ID

Run the command esxcli storage core device list to list all the LUNs that are currently mapped to the ESXi host. In my lab all my LUNs come from openfiler, so the LUN names start with t10, which is why I grepped for this keyword. In production you will see LUN names starting with naa….

[root@esxi04:~] esxcli storage core device list | grep -i t10
 Display Name: OPNFILER iSCSI Disk (t10.F405E46494C45425645447059546D2E6256413D213E61776)
 Devfs Path: /vmfs/devices/disks/t10.F405E46494C45425645447059546D2E6256413D213E61776
 Display Name: OPNFILER iSCSI Disk (t10.F405E46494C45425C42417278795D203659363D22693E4A6)
 Devfs Path: /vmfs/devices/disks/t10.F405E46494C45425C42417278795D203659363D22693E4A6

So there are 2 LUNs currently mapped to the ESXi host ‘esxi04’.

Note: The LUN ID can also be obtained via the command: esxcfg-scsidevs -m


2: Find out the path information of a given LUN

To find out how many paths an ESXi host uses to reach a particular LUN, run the command: esxcfg-mpath -m | grep <device_id>

[root@esxi04:~] esxcfg-mpath -m | grep t10.F405E46494C45425645447059546D2E6256413D213E61776
vmhba33:C1:T0:L0 vmhba33 00023d000003,,t,1 t10.F405E46494C45425645447059546D2E6256413D213E61776
vmhba33:C0:T0:L0 vmhba33 00023d000002,,t,1 t10.F405E46494C45425645447059546D2E6256413D213E61776

3: Find the multipath plug-ins that are currently installed

[root@esxi04:~] esxcfg-mpath -G

4: List claimrules : esxcli storage core claimrule list


5: Select the method of LUN masking

Now that we have collected all the required information and decided which LUN to mask, we have to choose one of the methods available for LUN masking. These methods are:

1: Mask by path. This will be the most commonly used method if you want to mask a single LUN.

2: Mask by transport type. (You will use this when you want to mask one type of connection, like iSCSI or Fibre Channel.)

3: Mask by vendor. (This will be used when you want to mask all the LUNs from a specific storage vendor, like EMC or Dell.)

We will be using the third method in this lab activity.

6: Prepare claimrule and execute it

In order to mask a LUN, we need to write a claimrule. We need to pass certain arguments to successfully create a claimrule. These arguments are:

  • -r : ID number or rule number
  • -t : Type (one of the 3 methods discussed above)
  • -A : HBA adapter.
  • -C : Channel
  • -T : Target
  • -L : LUN number
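  • -P : Plugin type (MASK_PATH, NMP etc)

Using the information collected with the previous commands, my claimrule looks like the one below. Because it is a vendor-type rule, it matches on vendor (-V) and model (-M) instead of the adapter, channel, target and LUN arguments: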

# esxcli storage core claimrule add -r 300 -t vendor -V OPNFILER -M iscsi-4 -P MASK_PATH

Once you have added the claimrule, list the claimrules again; the newly added rule will appear in the list.


7: Reload claim rule: Run command esxcli storage core claimrule load

8: Reclaim device/LUN: To reclaim the device, run the command below:

# esxcli storage core claiming reclaim -d t10.F405E46494C45425C42417278795D203659363D22693E4A6

9: Verify device has been reclaimed successfully

To verify whether the device was successfully reclaimed, run the command esxcfg-scsidevs -m | grep <device_id>. If you do not get any output, the device has been reclaimed.

# esxcfg-scsidevs -m | grep t10.F405E46494C45425C42417278795D203659363D22693E4A6

How to get back the masked LUN?

To get back the LUN you just masked, you need to remove the claimrule, then unclaim the device, and finally rescan the HBA adapter. You will then be able to see the LUN on the host again.

Here are the steps:

1: Remove claimrule

# esxcli storage core claimrule remove -r <rule_id>

2: Reload claim rules 

# esxcli storage core claimrule load

3: Unclaim the device reclaimed earlier. This will allow the path to be reclaimed by the default plugin.

# esxcli storage core claiming unclaim -t vendor -v OPNFILER -d <device_id>

4: Rescan HBA adapter

# esxcfg-rescan vmhba33

Additional Information:

1: The LUN ID can also be obtained via the command: esxcli storage vmfs extent list


2: The following claimrules can also be used to reclaim a LUN. These rules are of the type “mask by path”:

# esxcli storage core claimrule add --rule <rule_id> -t location -A vmhba33 -C 0 -T 5 -L 0 -P MASK_PATH
# esxcli storage core claimrule add --rule <rule_id> -t location -A vmhba33 -C 0 -T 4 -L 0 -P MASK_PATH
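
The -A, -C, -T and -L values in these rules come from the runtime path names that esxcfg-mpath -m prints in step 2. The following sh function is an added example, not part of the original post: it derives one location rule per path for an exactly matching device ID and prints the commands for review without running them. The function name gen_mask_rules and the starting rule ID 310 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run generator that prints
# per-path MASK_PATH claimrules for one device. It executes nothing.

# Constructed sample input: the two `esxcfg-mpath -m` lines shown in step 2.
SAMPLE_DEV='t10.F405E46494C45425645447059546D2E6256413D213E61776'
SAMPLE_PATHS="vmhba33:C1:T0:L0 vmhba33 00023d000003,,t,1 $SAMPLE_DEV
vmhba33:C0:T0:L0 vmhba33 00023d000002,,t,1 $SAMPLE_DEV"

# gen_mask_rules DEVICE_ID FIRST_RULE_ID   (hypothetical helper name)
# Reads `esxcfg-mpath -m` output on stdin. Returns 0 if at least one path
# matched, 1 if none did, 2 on a bad rule ID.
gen_mask_rules() {
    dev=$1
    first_rule=$2
    case $first_rule in
        ''|*[!0-9]*) echo "rule ID must be numeric" >&2; return 2 ;;
    esac
    awk -v dev="$dev" -v rule="$first_rule" '
        # Exact match on the device column: a grep substring match could also
        # select another device whose ID merely contains this one.
        $NF == dev {
            # Runtime name format: <adapter>:C<channel>:T<target>:L<lun>
            n = split($1, p, ":")
            if (n != 4 || p[2] !~ /^C[0-9]+$/ || p[3] !~ /^T[0-9]+$/ || p[4] !~ /^L[0-9]+$/) {
                print "skipping unparsable path: " $1 > "/dev/stderr"
                next
            }
            printf "esxcli storage core claimrule add --rule %d -t location -A %s -C %s -T %s -L %s -P MASK_PATH\n",
                rule++, p[1], substr(p[2], 2), substr(p[3], 2), substr(p[4], 2)
            found++
        }
        END {
            if (!found) exit 1
            # Steps 7 and 8 of the post: load the rules, then reclaim the device.
            print "esxcli storage core claimrule load"
            print "esxcli storage core claiming reclaim -d " dev
        }
    '
}

# Demo on the sample input; 310 is an assumed unused rule ID.
printf '%s\n' "$SAMPLE_PATHS" | gen_mask_rules "$SAMPLE_DEV" 310
```

On a host, pipe the live output in instead of the sample: esxcfg-mpath -m | gen_mask_rules <device_id> <rule_id>.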
