Partilhar via


Hyper-V Networking–DHCP Guard

If you start digging into the advanced settings section of a virtual network adapter – there is a lot of interesting stuff to look at.  Today I’m going to talk about the DHCP guard setting:

image

This setting stops the virtual machine from making DHCP offers over this network interface.  To be clear – this does not affect the ability to receive a DHCP offer (i.e. if you need to use DHCP to acquire an IP address that will work) it only blocks the ability for the virtual machine to act as a DHCP server.

Two questions that I often get about this feature are:

  1. Why would I want to enable this option?

    Imagine you have a DHCP server virtual machine that is connected to multiple virtual networks.  You want to make sure that DHCP offers are only provided on one specific virtual network.  In this case you would enable the DHCP guard on any networks where you did not want the virtual machine to act as a DHCP server.

  2. Why isn’t this option enabled by default everywhere?

    DHCP guard does have a, relatively minimal, impact on performance.  Given that most virtual machines are not running DHCP servers it is not enabled by default, as it is not needed.

You can configure this setting through the UI or with PowerShell.  To configure it with PowerShell you should use the DHCPGuard parameter on the Set-VMNetworkAdapter cmdlet:

image

Cheers,
Ben

Comments

  • Anonymous
    March 24, 2014
    If the MS implementation works the same way as the Cisco DHCP Snooping feature, it does not block the DHCP offer packet. It blocks the DHCP Discover packet reaching any non-trusted DHCP server. So the rogue DHCP server does not even have a chance to respond to client requests, because the DHCP discover packet is not transmitted to those rogue servers. Big difference allowing the request received but not allowing to transmit a rogue answer OR not even allowing to receive the request.

  • Anonymous
    March 25, 2014
    Soder - You are correct.  We block both discover and outbound offer packets. Cheers, Ben

  • Anonymous
    April 23, 2014
    Using this functional impact on performance?

  • Anonymous
    February 03, 2015
    Thanks for your helpful explaination. I don't understand, why block both discovery and offer packets. It's senseless, by blocking only offer packets I'm pretty sure that my VM won't act like a rogue DHCP!

  • Anonymous
    October 17, 2015
    I know its a bit old ..But im not a catching a point. this feature is enabled at VNIC level and enabling this it will prevent the VNIC from sending DHCP Discover package. You mentioned it does not prevent the VNIC from receiving   DHCP offer pacakge !!! If there is no DHCP Discover eventually there is no DHCP offer ....???? With this , if a VM is configured to obtain IP address automatically , this feature cannot be enabled on its VNIC . So how " DHCP Guard" protects against rogue DHCP servers ?