Beware of the DHCP guard setting on Hyper-V virtual machines

I have been running Hyper-V 2012 in my lab for over a year now, and this is the first time that I have been caught off guard by the DHCP guard setting (no pun intended). DHCP guard drops DHCP server messages from unauthorized virtual machines pretending to be DHCP servers. As a precautionary measure, all of my lab VMs have the “Enable DHCP guard” and “Enable router advertising guard” checkboxes checked. In general this is a pretty good policy to follow, especially in the lab.

In this particular case, I have installed a DHCP server and configured a scope on VM1. Imagine my surprise when my client virtual machine (VM2) was not able to obtain an IP address via DHCP. After going over my DHCP settings twice, I finally remembered to go back to the Hyper-V host and check the DHCP guard setting. As soon as I unchecked the DHCP guard for the VM1, VM2 was able to obtain an IP address via DHCP.

Enable DHCP guard

Keeping in line with the fact that the whole world is now PowerShell, here are the cmdlets to make these changes via PowerShell. To “uncheck” the DHCP guard setting on the VM1 (from the above example), type the following PowerShell command:

Set-VMNetworkAdapter –VMName VM1 –DhcpGuard Off

To turn it back on:

Set-VMNetworkAdapter –VMName VM1 –DhcpGuard On

To view the status of the DHCP guard setting for VM1:

Get-VMNetworkAdapter –VMName VM1 | Format-List DhcpGuard

To enable DHCP guard for all virtual machines on a particular host (SERVER1 from our example):

Get-VM -Server SERVER1 | Set-VMNetworkAdapter -DhcpGuard On

RouterGuard allows you to specify whether the router advertisement and redirection messages from unauthorized VMs should be dropped. If you have a VM for which you want to allow router advertisement and redirection messages from unauthorized VMs, you can use the following cmdlet.

Set-VMNetworkAdapter –VMName VM1 –RouterGuard Off

For all other VMs, you can block router advertisement and redirection messages from unauthorized VMs with the following cmdlet.

Set-VMNetworkAdapter –VMName VM1 –RouterGuard On

For additional information take a look at the following TechNet articles:

About Dan Perelman

Accomplished information technology management professional, prolific blogger, and avid windsurfer...
This entry was posted in Virtualization and tagged , , , , . Bookmark the permalink.