Hyper-V and Router Guard Feature
With Windows Server 2012, Microsoft added Hyper-V Router Guard feature. This feature can be enabled on VM NICs and it discards the following packets:
- ICMPv4 Type 5 (Redirect message): The ICMPv4 Redirect message is used to notify a remote host to send data packets on an alternative route using IPv4 protocol. Redirects are only sent by Gateways.
- ICMPv4 Type 9 (Router Advertisement): The ICMPv4 Router Advertisement is used to enable hosts to discover the existence of neighboring routers using IPv4 protocol. Each router periodically multicasts Router Advertisement from each of its multicast interfaces.
- ICMPv6 Type 134 (Router Advertisement): Same as the one for IPv4 but is for IPv6.
- ICMPv6 Type 137 (Redirect message): Same as the one for IPv4 but is for IPv6
In other words, this feature blocks virtual machines from acting as routers.
How to enable Hyper-V Router Guard feature using UI?
All you need to do is the following:
- Using Hyper-V Manager administrative tool, do a right click on your VM and then click on Settings…
- Go to Advanced Features under the VM NIC and then check Enable router advertisement guard option. Once done, click on OK
How to enable Hyper-V Router Guard feature using PowerShell?
Set-VMNetworkAdapter with RouterGuard switch can be used to enable router advertisement guard on VM NICs.
Set-VMNetworkAdapter: http://technet.microsoft.com/en-us/library/hh848457.aspx
We can take the following example which enables Router Guard feature on all NICs for Server1 VM:
Get-VMNetworkAdapter –VMName Server1 | Set-VMNetworkAdapter –RouterGuard on |