iSCSI LUN masking in ESXi 6 – Step by Step

Today, while setting up things for SRM home lab, i was using the same iSCSI Storage server for the Protected and Recovery Site, i know this is a bad design but for a home lab it should be fine and obviously the ESXi hosts at both protected and recovery sites see the LUNs presented at each site. To avoid this, LUN masking has to be done on all ESXi hosts, so i thought i would also blog about it with step by step procedure. Although this task is mostly done from the storage end, it is a good thing to know how to do it from ESXi.

Below is how the datasores are before LUN masking. As you can see, all the datastores are visible to all the hosts in Protected and Recovery Sites.


LUN masking can only be done on the LUNs that are managed by VMware NMP multipathing service, if you have any third party multipathing software plugin like EMC PowerPath, this procedure does not apply. Masking the paths reduces the chance of APD issue to occur.

Keep the host in maintenance mode.

Find the Multipath Plug-in that are currently installed using below command.

esxcfg-mpath -G

By default, ESXi5 shows only NMP although it has MASK_PATH

2016-09-21 23_29_59-esxi-1p.vmmaster.local - PuTTY.jpg

Now check all the device mappings using the command below.

esxcfg-scsidevs -m

2016-09-21 23_31_58-esxi-1p.vmmaster.local - PuTTY.jpg

Make a note of the datastores that needs to be masked on this host, in my case it is LUN1-R, LUN2-R, Recovery Datastore.

Also get the list of paths that a device have using below, in my case, there is only one path to device and below are the paths for the three LUNs.

esxcfg-mpath -b -d

2016-09-21 23_53_27-esxi-1p.vmmaster.local - PuTTY.jpg

Now look at the claimrules currently on the ESXi using below.

esxcli storage core claimrule list

2016-09-21 23_41_04-esxi-1p.vmmaster.local - PuTTY.jpg

To mask the path, add a claim rule with any number that is not listed in the above step. To add a claimrule use the command as below. There are many ways a claimrule can be added in my case, i am using the type and location.

2016-09-22 00_30_01-esxi-1p.vmmaster.local - PuTTY.jpg

esxcli storage core claimrule add --rule 120 -t location -A vmhba33 -C 0 -T 5 -L 0 -P MASK_PATH
esxcli storage core claimrule add --rule 121 -t location -A vmhba33 -C 0 -T 4 -L 0 -P MASK_PATH
esxcli storage core claimrule add --rule 122 -t location -A vmhba33 -C 0 -T 3 -L 0 -P MASK_PATH

Verify the claimrules after adding them.

2016-09-22 00_22_14-esxi-1p.vmmaster.local - PuTTY.jpg

Load the claimrules and verify a runtime is present.

esxcli storage core claimrule load

2016-09-22 00_26_11-esxi-1p.vmmaster.local - PuTTY.jpg

Now that the claimrule is loaded, we need to unclaim the path to the devices and run the rules. Unclaiming disassociates the paths from PSA plugin, disassociates them from NMP and associate them with the MASK_PATH.

esxcli storage core claiming reclaim -d eui.0db0a424bb3fda82
esxcli storage core claiming reclaim -d eui.7c183560cfc13e1d
esxcli storage core claiming reclaim -d eui.bf146f1ac97a9f0f

Now run the rules and rescan the HBA

esxcli storage core claimrule run

Reboot the host. That’s it. We have now masked the LUNs. To verify the same, use the mappings command we used earlier.

2016-09-22 17_35_53-esxi-1p.vmmaster.local - PuTTY.jpg

Exit out of the maintenance mode. I performed the same on all other hosts and below is how the datastores look now in both protected and recovery sites.

2016-09-22 18_32_04-vSphere Web Client.jpg

Hope this was informative. Thanks!


#claimrule, #esxi-6, #lun-masking, #mask_path, #nmp, #storage-core, #vmfs