Hyper-V Networking–Router Guard

Hyper-V Networking–Router Guard

Rate This
  • Comments 3

Router guard is another advanced networking feature that was added in Windows Server 2012:


When you enable Router Guard Hyper-V switch will discard the following packets:

  • ICMPv4 Type 5 (Redirect message)
  • ICMPv4 Type 9 (Router Advertisement)
  • ICMPv6 Type 134 (Router Advertisement)
  • ICMPv6 Type 137 (Redirect message)

Much like DHCP guard – the two most common questions I get about router guard are:

  1. Why would I want to enable this option?

    Imagine you have a virtual machine that is configured for routing services and is connected to multiple virtual networks.  You want to make sure that routing services are only provided on one specific virtual network.  In this case you would enable the router guard on any networks where you did not want the virtual machine to act as a router.

  2. Why isn’t this option enabled by default everywhere?

    Router guard does have a, relatively minimal, impact on performance.  Given that most virtual machines are not running routing services it is not enabled by default, as it is not needed.

You can configure this setting through the UI or with PowerShell.  To configure it with PowerShell you should use the RouterGuard parameter on the Set-VMNetworkAdapter cmdlet:



Leave a Comment
  • Please add 7 and 1 and type the answer here:
  • Post
  • Ben, is there any estimate for the performance impact of router/dhcp guard feature? What does it impact? CPU of the host? vCPU of the VM? Or physical NICs in the host (in case this is somehow offloaded)?

    Say we need to enable both guards on 300 VMs in a cluster, what kind of performance impact are we looking at?


  • Hello Ben,

    in your first example, would it not be smarter to disable Advertising on these interfaces (with no performance impact)?

    The biggest problem in my opinion with Router Guard  is that it is only working outbound (RA inside the virtual machine).  I would prefer the Guard working inbound to secure my machines to rouge RAs in my network. Or is this possible and I have overseen some settings?

  • Why is there not one single site, including the MS ones, that spell it out clearly: Is Router Guard and DHCP Guard a setting for INCOMING or OUTGOING packets. The explanation in the HyperV Mgmt console, and for a guy who has worked with Cisco for over 15 years spells incoming, but everyone seems to understand magically that it is for incoming use. Why would an administrator set up a VM that pretends to be an authorized DHCP Server, as the explanation for DHCP Guard says, and then block that DHCP server from sending Offer messages later on? If it is not supposed to be a DHCP server just not let it be.

    This is really frustrating, and call me stupid, or whatever you want, but I would appreciate it if someone provided an explanation.

Page 1 of 1 (3 items)