Masking Paths will allow you to prevent an ESX/ESXi host from accessing storage devices or LUNs or from using individual paths to a LUN. When you mask paths, you create claim rules that assign the MASK_PATH plug-in to the specified paths. Use the vSphere CLI commands to mask the paths.

• Look at the Multipath Plug-ins currently install on your ESX/ESXi host:

# esxcfg-mpath –G

The output indicates that there are, at a minimum, 2 plug-ins: the VMware Native Multipath Plug-in (NMP) and the MASK_PATH plug-in, which is used for masking LUNs

• List all the claimrules currently on the ESX/ESXi host:

# esxcli corestorage claimrule list

There are two MASK_PATH entries: one of class runtime and the other of class file. The runtime is the rules currently running in the PSA. The file is a reference to the rules defined in /etc/vmware/esx.conf. These are identical, but they could be different if you are in the process of modifying the /etc/vmware/esx.conf.

• Add a rule to hide the LUN with the command

# esxcli corestorage claimrule add –rule <number> -t location –A <hba_adapter> -C <channel> -T <target> -L <lun> -P MASK_PATH

Note – Use the esxcfg-mpath –b and esxcfg-scsidevs –l commands to identify disk and LUN information

• Verify that the rule has taken with the command:

# esxcli corestorage claimrule list

• Re-examine your claim rules and you verify that you can see both the file and runtime class:

# esxcli corestorage claimrule list

• Unclaim all paths to a device and then run the loaded claimrules on each of the paths to reclaim them:

# esxcli corestorage claiming reclaim –d <naa.id>

• Verify that the masked device is no longer used by the ESX/ESXi host:

# esxcfg-scsidevs –m

The masked datastore does not appear in the list

• To verify that a masked LUN is no longer an active device

# esxcfg-mpath –L | grep <naa.id>

Empty output indicates that the LUN is not active

Source: VMware KB 1009449 and KB 1014953