Guideline ID : ESXi.mask-zone-san
Vulnerability Discussion : You should use zoning and LUN masking to segregate SAN activity. For example, you might manage zones defined for testing independently within the SAN so that they do not interfere with activity in the production zones. Similarly, you can set up different zones for different departments. Zoning must take into account any host groups that have been set up on the SAN device.
Risk Profile : 1, 2, 3
Description : Mask and zone SAN resources appropriately.
Zoning provides access control in the SAN topology. Zoning defines which HBAs can connect to which targets. When you configure a SAN by using zoning, the devices outside a zone are not visible to the devices inside the zone.
Zoning has the following effects:
Reduces the number of targets and LUNs presented to a host.
Controls and isolates paths in a fabric.
Can prevent non-ESXi systems from accessing a particular storage system, and from possibly destroying VMFS data.
Can be used to separate different environments, for example, a test from a production environment.
With ESXi hosts, use single-initiator zoning or single-initiator-single-target zoning. The latter is the preferred zoning practice. The more restrictive zoning prevents problems and misconfigurations that can occur on the SAN.
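One way to verify the single-initiator-single-target recommendation from the host side is to list the paths each HBA can see and count the distinct targets per adapter. The script below is an added example, not part of this guideline or of VMware's tooling. It assumes the indented "Key: Value" block layout that `esxcli storage core path list` prints (one block per path, each starting with an unindented UID line); the sample data is constructed with placeholder WWNs and NAA identifiers so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the vSphere guide): audit the initiator-to-target
# pairs an ESXi host can see and flag HBAs that are zoned to more than one
# target, i.e. that are not single-initiator-single-target.
# Assumes the "Key: Value" block layout of `esxcli storage core path list`.
# On a real host, replace the constructed sample with the live listing:
#   esxcli storage core path list | report_violations

# CONSTRUCTED sample (placeholder WWNs/NAA ids, only the fields we parse):
# vmhba1 sees one target (compliant); vmhba2 sees two targets (violation).
SAMPLE='fc.2000000000000001:1000000000000001-fc.5000000000000a01:5000000000000a11-naa.600000000000000000000000000000a1
   Runtime Name: vmhba1:C0:T0:L1
   Device: naa.600000000000000000000000000000a1
   Adapter: vmhba1
   Target: 0
   LUN: 1
   State: active
   Transport: fc
   Adapter Identifier: fc.2000000000000001:1000000000000001
   Target Identifier: fc.5000000000000a01:5000000000000a11

fc.2000000000000002:1000000000000002-fc.5000000000000a01:5000000000000a11-naa.600000000000000000000000000000a1
   Runtime Name: vmhba2:C0:T0:L1
   Device: naa.600000000000000000000000000000a1
   Adapter: vmhba2
   Target: 0
   LUN: 1
   State: active
   Transport: fc
   Adapter Identifier: fc.2000000000000002:1000000000000002
   Target Identifier: fc.5000000000000a01:5000000000000a11

fc.2000000000000002:1000000000000002-fc.5000000000000b02:5000000000000b12-naa.600000000000000000000000000000b2
   Runtime Name: vmhba2:C0:T1:L2
   Device: naa.600000000000000000000000000000b2
   Adapter: vmhba2
   Target: 1
   LUN: 2
   State: active
   Transport: fc
   Adapter Identifier: fc.2000000000000002:1000000000000002
   Target Identifier: fc.5000000000000b02:5000000000000b12'

# Reduce each path block to "adapter target-identifier lun" (one line per path).
# A block starts at an unindented line; a new block (or end of input) flushes
# the previous one, so field order inside a block does not matter.
path_tuples() {
    awk '
    function flush() { if (adapter != "") print adapter, tid, lun; adapter = ""; tid = ""; lun = "" }
    /^[^ \t]/                     { flush() }
    /^[ \t]+Adapter:/             { adapter = $2 }
    /^[ \t]+LUN:/                 { lun = $2 }
    /^[ \t]+Target Identifier:/   { tid = $3 }
    END                           { flush() }'
}

# Count distinct target identifiers seen by each adapter: "adapter count".
targets_per_adapter() {
    path_tuples | awk '
    { key = $1 SUBSEP $2; if (!(key in seen)) { seen[key] = 1; n[$1]++ } }
    END { for (a in n) print a, n[a] }' | sort
}

# Print one line per HBA that can reach more than one target.
report_violations() {
    targets_per_adapter | awk '$2 > 1 { print $1 " sees " $2 " targets: not single-initiator-single-target" }'
}

# Stand-alone demo against the constructed sample.
printf '%s\n' "$SAMPLE" | report_violations
```

A zero-line report means every HBA is zoned to exactly one target. The check is a host-side view only: it confirms what the fabric presents to this ESXi host, not how the switch zones or the array's LUN masking are configured, so pair it with the vendor tooling named in the guideline.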
You can use zoning and LUN masking to segregate SAN activity and restrict access to storage devices.
You can protect access to storage in your vSphere environment by using zoning and LUN masking with your SAN resources. For example, you might manage zones defined for testing independently within the SAN so they do not interfere with activity in the production zones. Similarly, you might set up different zones for different departments.
When you set up zones, take into account any host groups that are set up on the SAN device.
Zoning and masking capabilities for each SAN switch and disk array, and the tools for managing LUN masking, are vendor-specific.
See your SAN vendor’s documentation and the vSphere Storage documentation.