June 22, 2015

LUN Masking

LUN Masking

“If you only implement SAN zoning, a host could gain access to every LUN that is available on any storage array in the zone.”

Beyond zoning, LUN masking allows the administrator to further lock down access to the storage unit. LUN Masking is done on the storage controller and it hides specific LUNs from specific servers.

LUN masking defines relationships between LUNs and individual servers and is used to further limit what LUNs are presented to a host.

"Zoning is controlling which HBAs can see which array service processors through the switch fabric. LUN masking is controlling what the service processors tell the host with regard to the LUNs that they can provide. In other words, the storage administrator can configure the service processor to lie about which LUNs are accessible.

"LUN masking is the ability of a host or an array to intentionally ignore WWNs that it can actively see (in other words, that are zoned to it)."




Zoning is a logical separation of  traffic between host and resources. A SAN zone is similar to an Ethernet VLAN.  It creates a logical, exclusive path between nodes on the SAN.

The SAN  makes storage available to servers in the form of LUNs. The LUN is potentially  accessible by every server on the SAN. In almost every case, having a LUN  accessible by multiple servers can create problems such as data corruption as  multiple servers contend for the same disk resources. To minimize such issues,  zoning and or LUN masking can be employed to isolate and protect SAN storage  devices. Zoning and LUN masking allow the administrator to dedicate storage  devices on the SAN to specific server(s).

A SAN is populated by nodes. Nodes can be either  servers or storage devices. Servers are typically referred to as initiators,  storage devices typically are the targets. Zoning creates a relationship  between initiator and target nodes on the SAN. With zoning, you create  relationships that map initiators to targets.

“Zoning lets you isolate a single server to a group of storage devices or a single storage  device, or associate a grouping of multiple servers with one or more storage  devices, as might be needed in a server cluster deployment.”

“Zoning is  implemented at the SAN switch level either on a port basis (hard-zoning) or on  a World-Wide Name (WWN) basis (soft-zoning).”

Soft-zoning  controls which WWNs can see which other WWNs through the switch.
Hard-zones are port-based and determine which ports of the switch will be  connected to storage processors.

  • Also  known as name server zoning
  • Implemented  at the switch level
  • Allows  access to the node via any port on the switch
SAN zone  have been described with analogies such as:

  • A  zone as a container, into which you place a set of SCSI initiators (HBAs) and a  set of SCSI targets (array ports).
  • A  zone is like “laying out the roads on a map: it defines where traffic is permitted  to flow.”
Zoning and  masking are two different methods of accomplishing the same thing. I.e. to  prevent or minimize the chance that a LUN is accessed by unauthorized hosts and  that the data on them is protected.