Using the Hyper-V DHCP Guard Feature

Q: What does the Windows Server 2012 Hyper-V DHCP Guard feature do, and how should I use it?

A: Windows Server 2012 Hyper-V allows a DHCP Guard option to be enabled on each network adapter of a virtual machine (VM) by using the Advanced Features of the network adapters, as the screen shot below shows.

What this option does is for the network adapters configured with the DHCP guard option, any DHCP reply packets from the VM will be dropped by the Hyper-V switch. This means if the VM is pretending to be a DHCP server when it shouldn't be, although the server still sees the DHCP request from clients and responds, those responses never get to the network.

Consider a multi-tenant environment--it's very important that one tenant shouldn't pretend it's a DHCP server and affect the others. The best practice is to enable this feature on all virtual machine (VM) network adapters and only disable the feature on the servers that are known DHCP servers.

To enable this feature on all VMs, you can use the following Windows PowerShell command--but remember to turn it off on your actual DHCP servers.

Get-VM | Set-VMNetworkAdapter -DhcpGuard On