LUN Masking vs Zoning – How Zoning is different from LUN Masking


In this article, we will be discussing about commonly asked questions like:

  1. What is Zoning and Why do we need it?
  2. Difference between Soft Zoning and Hard Zoning?
  3. On which component of Datacenter, Zoning is defined at?
  4. What is LUN masking and Why do we need it?
  5. How LUN masking is different from Zoning?
  6. Where do we configure LUN masking?

Both Zoning and LUN Masking provide ways to have control access to Storage Device in SAN environment. However, these are two different activities. Zoning provides way to restrict communication between Nodes at Fabric level whereas LUN masking allows LUN to be accessed by specific host and hide it from other hosts.

Let’s understand Zoning and Masking more in detail.



Zoning is a logical separation of traffic between Host and Resources. It enables Nodes (Initiators & Targets) within Fabric to be logically segmented into smaller groups for better isolation, security & Faster booting.



When FC nodes (Host or Storage Controller) logged into fabric, by default it can communicate to every other node logged into same Fabric. The reason being all the nodes in fabric are part of one big FAT FC Network.

This default behavior of switch get us into few very common issues like:

  • Security: Non-Critical Host/ Unwanted host might have access to Critical Storage Controller.
  • Isolation: Lack of isolation between FC nodes opens potential risk of having unauthorized access.
  • Bandwidth Congestion: If zoning is not configured, the fabric controller sends an RSCN to all the Nodes in the fabric. The amount of FC traffic generated due to this process might impact the Host to Storage Data Traffic and also create congestion in FC network.


When a Node logged into fabric, it goes through a device discovery process and registered itself with name server database along with other devices.  RSCN event sent to all nodes registered in name server database.

The Zoning function control this process by allowing only the members in the same zone to establish these link level services & RSCN event will be also restricted to only those nodes which are part of same Zone.

That’s how Zoning provides restricted way of communication between Nodes logged into Fabric.



Zoning is configured at FC Switch level. SAN administrator define paths between connected nodes ( Host or Storage Controller) based on the Node’s unique World Wide Name. Each Zone includes Server Adapter also known as Initiator and One or more Storage Controller Port also known as Target.

Zoning is done using WWPN (World wide Port Name) of HBA. For ex a Dual Port HBA will have two WWPNs to identify each port of the HBA but will have only single WWNN ( World Wide Node Name) to identify HBA itself in FC Fabric Network.
Similarly, each Storage Array will identify itself with its WWNN and each Controller port will have its own unique WWPN.
zoningvslunmaskingIn Above Diagram, There are 3 Zones:

  • Zone A has 1 Initiator and 1 Target. Single Initiator-Target zone Is good.
  • Zone B has 1 Initiator and 1 Target. Again, Single Initiator-Target Zone is good.
  • Zone C has Two Initiators and 1 Target. This is not recommended.


  • In Zone C ->
    If Host-1 rebooted, HBA Port-1 will be logged out of SAN, an RSCN event will be sent to other nodes part of ZONE-C. In our case, RSCN event will go to Host-2 Port 1 & causes all I/O going to that initiator to halt momentarily and recover within seconds.
  • Another RSCN will be sent out to Host-2 initiator in Zone-C when Host-1 logs back into SAN and cause another momentarily halt in I/O.
  • Initiators in Zone A and Zone B are protected from these events because there are no other initiators in these zones.

Multiple Targets in a Zone should not cause any problems but for configuration simplicity and troubleshooting perspective, a 1:1 Initiator: Target zone is preferable.


Zoning can be categorized into three types:

In this zoning, zones are created using FC addresses of Physical Switch Port to which Node is connected to. Access to data is determined by the Physical Switch Port WWPN. Its also known as “PORT ZONING”


  • Simplified HBA replacement
  • Since the switch hardware doesn’t allow any traffic between unauthorized nodes, its more secure.


  • Any update in fabric configuration would also require update in Zoning Configuration
  • If Cable is moved to different port, Zone has to be modified.

SOFT ZONING: In this Zoning, Zones are created using FC addresses of Nodes WWNN/WWPN. Its also known as “WWN ZONING”.  WWNs defined as part of zone “see” each other regardless of the switch port they are plugged into.


    • Flexibility : it allows the SAN to be recabled without reconfiguring the zone information.
    • Devices can be moved to different switch port without reconfiguring Zoning


  • HBA replacement would require change in Zoning Configuration to add new HBA WWN in zone table.
  • It is possible to Spoof the WWN Number and access the device in different zone.

Before discussing about LUN Masking, let’s understand LUN first.



LUN is logical storage device carved out from SAN Storage Array. Usually, Storage Arrays are in TBs or PBs capacity.
Obviously, if any host require storage, we can’t allocate entire Physical Drive of TBs storage to that Host directly. We need some way of carving out Logical piece of Storage from Big Pool of Storage Array and mapped it to host.

That’s what exactly being achieved by LUN. LUNs are logical abstraction between Physical Storage device and Host Applications. Every LUN identified by its unique ID called “LUN ID” assigned by Storage Array during creation.

From the host perspective, there will not be much difference. Host will still see LUN as Local Storage Device like /dev/sdb etc..



physical attached to the cable. For ex. my portable physical hard drive will only be accessible to host it is connected to. Since my  hard drive is not shared with any other host so no issues of Data corruption, security, isolation etc..

But In the world of SAN, it is possible that all devices attached to a SAN can see each other. If this happens then we might get into issues like Data Corruption, Security, Isolation etc..
The point here is, how would you assure limited access to LUN ( SAN device) from specific hosts in an environment where multiple hosts are having access to same Storage Array.

The Answer is LUN Masking



LUN Masking allows specific LUN to be accessed by specific host and hide it from other hosts. Using LUN Masking, it is possible to reliably attach a single LUN to single Host.  Most Importantly, other Hosts will not be able to access LUN’s to which they are not assigned to.

The important point here is, there is no new connected made between Host and Storage device to perform LUN masking. The Implementation is simply not to reveal any LUNs to a Host that have not been assigned.

For ex: This is like having an unlisted phone number. The number is accessible to only those who dials it.
similarly, LUN is present somewhere on storage array, but it will only be accessible to Host to which It is assigned. No matter how many hosts accessing the same storage.



  • Zoning is configured at Fiber Channel Switch Level.
  • LUN Masking is configured at HBA level. Preferably, At Storage Controller level.



govmlab on Emailgovmlab on Facebookgovmlab on Googlegovmlab on Linkedingovmlab on Twitter
VMware Solution Architect
I am VMware Solution Architect with 10+ Years of enriching experience in Datacenter Virtualization Technologies, Storage Area Networks and Software Defined Datacenter, Networking and Storage.
I hold Numerous certification including RHCE, CCNA, VCP4.0, VCP5.1, VCP5.5, vCloud and EMC certification.
While spending countless hours exploring the product inside and out and learning everything about it, Eventually I discovered my passion for teaching and helping others learn from my knowledge and experience so turned to Trainer cum Blogger to educate every single person keen to learn Virtualization.

Leave a Reply