Virtual Insider

How To Prevent Uncontrolled Use of VMs as Routers or DHCP Servers with Hyper-V R3

Hyper-V R3 has two advanced but somewhat overlooked networking features that can be handy. I'm sure administrators would appreciate them and put them to good use, so we'll cover them here.

If you've worked in the enterprise long enough, you've come across rogue DHCP servers and routers that show up on the network and cause headaches. Many years ago, before virtualization and even VMware, I had to deal with these types of problems, especially with physical developer workstations acting as DHCP servers (among other things) that our friendly developer colleagues innocently believed weren't a big deal. Back then, tracking down the machines that were offering these services was not as easy or simple. Sure, there are ways of configuring the switches and routers to handle this issue, but this is only one aspect of it -- we still need to get to them and turn them off. In later years, software was available to help track them down.

The problem still exists, except now they're in virtual machines. There are many ways to control them depending on how you provision these VMs. So while the problem isn't as widespread as it used to be, I still find that it is useful to know that safeguards are available to deal with them should the need arise. 

The two features in Hyper-V R3 that address this issue are DHCP Guard and Router Guard. Both are accessible from the Advanced Features node under Network Adapter in a virtual machine's settings. As the names imply, with DHCP Guard enabled you can prevent a VM from broadcasting DHCP server packets or acting as a DHCP server; with Router Guard enabled, you can prevent a VM from acting as a router and redirecting packets.

These features are especially handy when a VM is connected to multiple virtual networks and you only want its DHCP or routing service to be available on one specific virtual network rather than all of them. You can then enable DHCP Guard or Router Guard on the adapters connected to the networks that should not be receiving these broadcasts. It's useful for both server and desktop VM implementations. The guards don't always have to be implemented to prevent misuse or abuse -- you can also leverage them when you are designating those VMs for a specific purpose.
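The same settings can be audited and applied from PowerShell with the Hyper-V module's `Get-VMNetworkAdapter` and `Set-VMNetworkAdapter` cmdlets. The script below is an added example, not part of the original post; the VM name `DHCP01` and the switch name `Lab-vSwitch` are hypothetical placeholders for the one VM and virtual network where DHCP service is intended, and it assumes no VM on the host is meant to act as a router.

```powershell
# Assumed names (hypothetical): 'DHCP01' is the designated DHCP server VM and
# 'Lab-vSwitch' is the only virtual switch on which it may answer DHCP requests.
$AllowedDhcpVM     = 'DHCP01'
$AllowedDhcpSwitch = 'Lab-vSwitch'

# 1. Audit: show the current guard state of every VM network adapter on this host.
Get-VM | Get-VMNetworkAdapter |
    Select-Object VMName, Name, SwitchName, MacAddress, DhcpGuard, RouterGuard |
    Sort-Object VMName, SwitchName |
    Format-Table -AutoSize

# 2. Enforce: turn both guards on for each adapter, except that the designated
#    DHCP VM keeps DHCP Guard off on the one switch it is meant to serve.
#    A multi-homed DHCP VM is therefore still guarded on its other adapters.
foreach ($nic in (Get-VM | Get-VMNetworkAdapter)) {
    $isDhcpException = ($nic.VMName -eq $AllowedDhcpVM) -and
                       ($nic.SwitchName -eq $AllowedDhcpSwitch)
    $dhcpGuard = if ($isDhcpException) { 'Off' } else { 'On' }

    # -WhatIf only previews the change; remove it to apply the setting.
    $nic | Set-VMNetworkAdapter -DhcpGuard $dhcpGuard -RouterGuard On -WhatIf
}

# 3. Report: list adapters that still have either guard off, for review.
Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.DhcpGuard -eq 'Off' -or $_.RouterGuard -eq 'Off' } |
    Select-Object VMName, SwitchName, DhcpGuard, RouterGuard
```

Run it in an elevated session on the Hyper-V host, and review the `-WhatIf` output before applying the changes.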

One final thought on these two features: While some of you may want to enable this by default and make it part of the process of provisioning these VMs, keep in mind that these two features have a light performance penalty when enabled. So make sure you are testing, comparing and contrasting before you decide to use them.

Posted by Elias Khnaser on 04/02/2014 at 11:18 AM