Hyper-V Networking–DHCP Guard

If you start digging into the advanced settings section of a virtual network adapter – there is a lot of interesting stuff to look at.  Today I’m going to talk about the DHCP guard setting:


This setting stops the virtual machine from making DHCP offers over this network interface.  To be clear, this does not affect the ability to receive a DHCP offer (i.e. if you need to use DHCP to acquire an IP address, that will work); it only blocks the ability for the virtual machine to act as a DHCP server.

Two questions that I often get about this feature are:

  1. Why would I want to enable this option?

    Imagine you have a DHCP server virtual machine that is connected to multiple virtual networks.  You want to make sure that DHCP offers are only provided on one specific virtual network.  In this case you would enable the DHCP guard on any networks where you did not want the virtual machine to act as a DHCP server.
  2. Why isn’t this option enabled by default everywhere?

    DHCP guard does have a relatively minimal impact on performance.  Given that most virtual machines are not running DHCP servers, it is not needed in most cases, so it is not enabled by default.

You can configure this setting through the UI or with PowerShell.  To configure it with PowerShell you should use the DHCPGuard parameter on the Set-VMNetworkAdapter cmdlet.
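As an added example (not from the original post), here is one way to script the multi-network DHCP server scenario from question 1 above: DHCP guard is turned on for every adapter of the DHCP server virtual machine except the one on the network it is meant to serve.  The VM name DHCP01 and the switch name Corp-LAN are assumptions.

```powershell
# Added example, not from the original post. 'DHCP01' and 'Corp-LAN' are
# hypothetical names; run in an elevated session on the Hyper-V host.
$DhcpServerVM  = 'DHCP01'    # VM running the DHCP server (assumed name)
$AllowedSwitch = 'Corp-LAN'  # only switch it should serve (assumed name)

# 1. Show the current DHCP guard state of every adapter on the VM.
Get-VMNetworkAdapter -VMName $DhcpServerVM |
    Format-Table VMName, Name, SwitchName, MacAddress, DhcpGuard -AutoSize

# 2. Guard every adapter except those on the allowed switch. Adapters that are
#    not connected to any switch have an empty SwitchName and are guarded too.
foreach ($nic in Get-VMNetworkAdapter -VMName $DhcpServerVM) {
    $desired = if ($nic.SwitchName -eq $AllowedSwitch) { 'Off' } else { 'On' }

    # Only touch adapters whose current state differs from the desired one.
    if ("$($nic.DhcpGuard)" -ne $desired) {
        $nic | Set-VMNetworkAdapter -DhcpGuard $desired
        Write-Host "$($nic.Name) on '$($nic.SwitchName)': DhcpGuard -> $desired"
    }
}

# 3. Verify: the only unguarded adapters should be on the allowed switch.
$unexpected = Get-VMNetworkAdapter -VMName $DhcpServerVM |
    Where-Object { $_.DhcpGuard -eq 'Off' -and $_.SwitchName -ne $AllowedSwitch }

if ($unexpected) {
    Write-Warning "Unguarded adapter(s) on other switches: $($unexpected.Name -join ', ')"
} else {
    Write-Host "DHCP offers from $DhcpServerVM are limited to '$AllowedSwitch'."
}
```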

Cheers,
Ben

  • If the MS implementation works the same way as the Cisco DHCP Snooping feature, it does not block the DHCP offer packet. It blocks the DHCP Discover packet reaching any non-trusted DHCP server. So the rogue DHCP server does not even have a chance to respond to client requests, because the DHCP discover packet is not transmitted to those rogue servers. Big difference allowing the request received but not allowing to transmit a rogue answer OR not even allowing to receive the request.

  • Soder -

    You are correct.  We block both discover and outbound offer packets.

    Cheers,

    Ben

  • Does using this function impact performance?
