A month ago I passed my VCAP-DCA exam, which I blogged about in this post. And one of the DCA exam topics in the blueprint was LUN masking using PSA-related commands.
Being honest, I can hardly imagine a use case for this as LUN masking is always done on the storage array side. I’ve never seen LUN masking done on the hypervisor side before.
If you have a use case for host LUN masking leave me a comment below. I’d be curious to know. But regardless of its usefulness it’s in the exam, so we have to study it, right? So let’s get to it.
Overview
There are many blog posts on the Internet on how to do VMware LUN Masking, but only a few explain what is the exact behaviour after you type each of the commands and how to fix the issues, which you can potentially run into.
VMware uses Pluggable Storage Architecture (PSA) to claim devices on ESXi hosts. All hosts have one plug-in installed by default called Native Multipathing Plug-in (NMP) which claims all devices. Masking of a LUN is done by unclaiming it from NMP and claiming using a special plug-in called MASK_PATH.
Namespace “esxcli storage core claimrule add” is used to add new claim rules. The namespace accepts multiple ways of addressing a device. Most widely used are:
- By device ID:
- -t device -d naa.600601604550250018ea2d38073cdf11
- By location:
- -t location -A vmhba33 -C 0 -T 0 -L 2
- By target:
- -t target -R iscsi -i iqn.2011-03.example.org.istgt:iscsi1 -L 0
- -t target -R fc –wwnn 50:06:01:60:ba:60:11:53 –wwpn 50:06:01:60:3a:60:11:53 (use double dash for wwnn and wwpn flags, WordPress strips them off)
To determine device names use the following command:
# esxcli storage core device list
To determine iSCSI device targets:
# esxcli iscsi session list
To determine FC paths, WWNNs and WWPNs:
# esxcli storage core path list
Mask an iSCSI LUN
Let’s take iSCSI as an example. To mask an iSCSI LUN add a new claim rule using MASK_PATH plug-in and addressing by target (for FC use an FC target instead):
# esxcli storage core claimrule add -r 102 -t target -R iscsi -i iqn.2011-03.example.org.istgt:iscsi1 -L 0 -P MASK_PATH
Once the rule is added you MUST load it otherwise the rule will not work:
# esxcli storage core claimrule load
Now list the rules and make sure there is a “runtime” and a “file” rule. Without the file rule masking will not take effect:
The last step is to unclaim the device from the NMP plug-in which currently owns it and apply the new set of rules:
# esxcli storage core claiming unclaim -t location -A vmhba33 -C 0 -T 0 -L 0
# esxcli storage core claiming unclaim -t location -A vmhba33 -C 1 -T 0 -L 0
# esxcli storage core claimrule run
You can list devices connected to the host to confirm that the masked device is no longer in the list:
# esxcli storage core device list
Remove maskig
To remove masking, unclaim the device from MASK_PATH plug-in, delete the masking rule and reload/re-run the rule set:
# esxcli storage core claiming unclaim -t location -A vmhba33 -C 0 -T 0 -L 0
# esxcli storage core claiming unclaim -t location -A vmhba33 -C 1 -T 0 -L 0
# esxcli storage core claimrule remove -r 102
# esxcli storage core claimrule load
# esxcli storage core claimrule run
Sometimes you need to reboot the host for the device to reappear.
Conclusion
Make sure to always mask all targets/paths to the LUN, which is true for iSCSI as well as FC, as both support multipathing. You have a choice of masking by location, target and path (masking by device is not supported).
For a FC LUN, for instance, you may choose to mask the LUN by location. If you have two single port FC adapters in each host, you will typically be masking four paths per LUN. To accomplish that specify adapters using flag -A and LUN ID using flags -C, -T and -L.
Hope that helps you to tick off this exam topic from the blueprint.
Niktips's Blog 