Hyper-V Networking–Router Guard


Router guard is another advanced networking feature that was added in Windows Server 2012.

When you enable Router Guard, the Hyper-V switch will discard the following packets:

  • ICMPv4 Type 5 (Redirect message)
  • ICMPv4 Type 9 (Router Advertisement)
  • ICMPv6 Type 134 (Router Advertisement)
  • ICMPv6 Type 137 (Redirect message)

Much like DHCP guard – the two most common questions I get about router guard are:

  1. Why would I want to enable this option?

    Imagine you have a virtual machine that is configured for routing services and is connected to multiple virtual networks.  You want to make sure that routing services are only provided on one specific virtual network.  In this case you would enable the router guard on any networks where you did not want the virtual machine to act as a router.

  2. Why isn’t this option enabled by default everywhere?

    Router guard does have a relatively minimal impact on performance.  Given that most virtual machines are not running routing services, it is not needed on them and so is not enabled by default.

You can configure this setting through the UI or with PowerShell.  To configure it with PowerShell you should use the RouterGuard parameter on the Set-VMNetworkAdapter cmdlet.

Cheers,
Ben
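
The scenario from question 1, as an added PowerShell example that is not part of the original post: it turns Router Guard on for every network adapter of a routing virtual machine except the one on the virtual network where routing is intended. The VM name, switch name and function name are hypothetical; the cmdlets and the RouterGuard parameter are those of the Hyper-V PowerShell module.

```powershell
# Hypothetical names: replace with your own VM and virtual switch.
$VMName       = 'RouterVM'     # VM running routing services (assumed name)
$RoutedSwitch = 'Routed-Net'   # only switch where the VM may act as a router (assumed name)

function Set-RouterGuardExcept {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$AllowedSwitch
    )

    $adapters = Get-VMNetworkAdapter -VMName $VMName -ErrorAction Stop

    # Stop before changing anything if no adapter is on the allowed switch:
    # a mistyped switch name would otherwise guard every adapter and
    # cut off the routing the VM is supposed to provide.
    if (-not ($adapters | Where-Object SwitchName -eq $AllowedSwitch)) {
        throw "VM '$VMName' has no adapter connected to switch '$AllowedSwitch'."
    }

    foreach ($adapter in $adapters) {
        # Guard stays Off only on the network where routing is intended.
        # Disconnected adapters (empty SwitchName) are guarded as well.
        $desired = if ($adapter.SwitchName -eq $AllowedSwitch) { 'Off' } else { 'On' }
        $target  = "$VMName / $($adapter.Name) on '$($adapter.SwitchName)'"

        # Only touch adapters whose current state differs from the desired one.
        if ("$($adapter.RouterGuard)" -ne $desired -and
            $PSCmdlet.ShouldProcess($target, "Set RouterGuard $desired")) {
            Set-VMNetworkAdapter -VMNetworkAdapter $adapter -RouterGuard $desired
        }
    }

    # Re-read the adapters and report the resulting state for review.
    Get-VMNetworkAdapter -VMName $VMName |
        Select-Object VMName, Name, SwitchName, MacAddress, RouterGuard
}

# Preview the changes first; remove -WhatIf to apply them.
Set-RouterGuardExcept -VMName $VMName -AllowedSwitch $RoutedSwitch -WhatIf
```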

  • Ben, is there any estimate for the performance impact of router/dhcp guard feature? What does it impact? CPU of the host? vCPU of the VM? Or physical NICs in the host (in case this is somehow offloaded)?

    Say we need to enable both guards on 300 VMs in a cluster, what kind of performance impact are we looking at?

    Thanks

  • Hello Ben,

    in your first example, would it not be smarter to disable Advertising on these interfaces (with no performance impact)?

    The biggest problem in my opinion with Router Guard is that it is only working outbound (RA inside the virtual machine).  I would prefer the Guard working inbound to secure my machines against rogue RAs in my network. Or is this possible and I have overlooked some settings?