4 equallogic members arrays in a group, 22 esx hosts, 41 esx san volumes.
The problem: its a nightmare in management. What we have been doing is adding the iscsi iniator name of each esx host to each esx volume on the SAN. We have been doing this to ensure that no other iscsi host will ever see the esx san volumes (excluding our backup servers of course). Im sure you can all imagine how much work is involved in adding an additional host and mapping it to all available volumes. Likewise when adding a new volume to the SAN and having to map each host to that volume. Equallogic really needs a copy function where you can copy the access rights of one volume to another and make modifications as necessary. Its like 12 clicks per volume to add a host multiplied by 22 hosts. And we are growing constantly.
We have tried using chap so we could use a single chap user per volume and that simplifies things considerably, note however you must use the iscsi discovery filter otherwise all other hosts that map to any other volume on the SAN can see the volumes. They cannot connect to them without the proper chap information obviously, but they still show as available targets - with 41 san volumes its a bit confusing to see all those targets listed and have to scroll through to find the correct target.
The downside to CHAP however is that if you need to pull a host off a specific LUN for any reason, you cant simply remove the CHAP credentials from the esx host otherwise you lose access to all LUNs. You would need to add multiple chap accounts on the SAN to map to each invididual volume. ESX does not appear to accept multiple chap accounts though.
Sooo....with that being said I am interested to hear how other organizations and companies are handling their volume management with their equallogic arrays. Are you mapping based on IP, IP wildcard 172.16.121.*, Iniator name, chap, etc? Do you have concerns about limiting specific LUN's to different hosts but allowing others, a case where CHAP or entire IP range assignment is not a feasible option? Do you just tolerate the pain in adding a new host to 15, 20, 50+ luns and consider it to come with the terroritory?
Please let me know in case there are some other ideas out there we have not thought about it.
PS, we have tried creating an IP range specific to our esx hosts for mapping vmfs volumes to the SAN but have not had great success in getting it to work any better than CHAP. Same limitations apply where you can not pull a single host from X number of LUN's if you ever had to for a particular reason.