How to configure DHCP guard in Hyper-V 2012?

    Question

  • Hello,

    I would like to know how to configure Hyper-V 2012 DHCP guard, and how it works.

    In some Microsoft documents, the function is explained as follows.
    DHCP guard drops server messages from unauthorized virtual machines that are acting as DHCP servers.
    DHCP server traffic from other virtual switch ports is automatically dropped.

    Q. What does "unauthorized virtual machines" mean?
        I could find DHCP guard turn on and off check box in Hyper-V setting, but I couldn't find any other configuration about "authorize". Is there any configuration to authorize DHCP? As a self-test, I tried to build a DHCP server on a VM, and turn on DHCP guard on other VMs, then IP addresses were delivered to all VMs on the network. I didn't do any authorize procedure for the DHCP server at all. I think this DHCP server should be blocked, but actually not. Could you let me know how to configure and how it works?

    # In my self-test, VMs are not on domain.

    December 13, 2012 0:07

Answer

  • Hi,

    DHCPGuard allows you to specify whether DHCP server messages coming from a VM should be dropped. For VMs that are running an authorized instance of the DHCP server role, you can turn DHCPGuard off by using the following cmdlet:

    Set-VMNetworkAdapter -VMName MyDhcpServer1 -DhcpGuard Off

    The authorized DHCP server is the server specified in the above command. Other DHCP servers or un-claimed DHCP servers are unauthorized.

    > I could find DHCP guard turn on and off check box in Hyper-V setting, but I couldn't find any other configuration about "authorize".   

    Currently, we can use PowerShell command to configure DHCP guard, examples:

    For all other VMs that are not authorized DHCP servers, you can prevent them from becoming a rogue DHCP server by turning DHCPGuard on, using the following cmdlet.

    Set-VMNetworkAdapter -VMName CustomerVM -DhcpGuard On

    Enables DHCP Guard on all the virtual network adapters of virtual machine Redmond. When DHCP Guard is enabled, if virtual machine Redmond replies to requests from DHCP clients, these replies are dropped.

    PS C:\> Set-VMNetworkAdapter -VMName Redmond -DhcpGuard On

    > and turn on DHCP guard on other VMs, then IP addresses were delivered to all VMs on the network.

    How did you configure DHCP guard? Try the PowerShell command and check the result.

    For more information, please refer to the following MS articles:

    DHCPGuard
    http://technet.microsoft.com/en-us/library/jj679878.aspx#bkmk_dhcp
    Set-VMNetworkAdapter
    http://technet.microsoft.com/en-us/library/hh848457
    Hyper-V Virtual Switch Overview
    http://technet.microsoft.com/en-us/library/hh831823(v=ws.11).aspx

    Hope this helps!



    Lawrence

    TechNet Community Support

    December 13, 2012 3:29
    Moderator
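
An added example, not part of the original thread: one way to audit and enforce the setting described in the answer across every VM on a host, with DHCP Guard off only on the virtual network adapters of the authorized DHCP server and on everywhere else. The allow-list variable and the two function names are assumptions made for this example; MyDhcpServer1 is the VM name used in the answer.

```powershell
# Added example: audit and enforce DHCP Guard per vNIC on a Hyper-V host.
# Run in an elevated session on the host with the Hyper-V module available.
# Assumption: $AuthorizedDhcpServers lists the VMs you have decided may serve DHCP.
$AuthorizedDhcpServers = @('MyDhcpServer1')

# Hypothetical helper: report each vNIC's current state next to the expected one.
function Get-DhcpGuardDrift {
    param([string[]]$Authorized)
    Get-VM | Get-VMNetworkAdapter | ForEach-Object {
        # Guard is Off only for authorized DHCP servers, On for every other VM.
        $expected = if ($Authorized -contains $_.VMName) { 'Off' } else { 'On' }
        [pscustomobject]@{
            VMName    = $_.VMName
            Adapter   = $_.Name
            Switch    = $_.SwitchName
            DhcpGuard = [string]$_.DhcpGuard
            Expected  = $expected
            Compliant = ([string]$_.DhcpGuard -eq $expected)
        }
    }
}

# Hypothetical helper: correct only the adapters that differ from the baseline.
function Set-DhcpGuardBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Authorized)
    foreach ($nic in (Get-VM | Get-VMNetworkAdapter)) {
        $expected = if ($Authorized -contains $nic.VMName) { 'Off' } else { 'On' }
        if ([string]$nic.DhcpGuard -ne $expected) {
            $target = "$($nic.VMName)/$($nic.Name)"
            if ($PSCmdlet.ShouldProcess($target, "Set DhcpGuard $expected")) {
                $nic | Set-VMNetworkAdapter -DhcpGuard $expected
            }
        }
    }
}

# Show the current state, then preview the changes without applying them.
Get-DhcpGuardDrift -Authorized $AuthorizedDhcpServers | Format-Table -AutoSize
Set-DhcpGuardBaseline -Authorized $AuthorizedDhcpServers -WhatIf
```

Drop `-WhatIf` to apply the baseline. Because the setting belongs to the vNIC, a newly created VM or an added adapter needs the check run again.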

All replies

  • DHCP Guard is a feature that you can use (as the owner of the hypervisor) to prevent VMs that you do not authorize from acting as DHCP Servers.

    Unauthorized and Authorized is a procedural / process phrase. It is not a technical phrase or any setting that can be applied. It is the business decision to call a machine authorized or not.

    DHCP Guard is specific to the port / vNIC of a VM.  And the setting moves with the VM / vNIC.


    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.
    Disclaimer: Attempting change is of your own free will.

    December 13, 2012 16:42
    Moderator
  • Thanks Lawrence and Brian,

    OK. I totally misunderstood the function.
    I thought it protected VMs from a malicious DHCP server. So I thought DHCP clients should turn on DHCP guard.
    Now I realize that this function is for the DHCP server and vSwitch, to prevent VMs from working as DHCP servers.

    > Lawrence
    I turned on DHCP guard only on DHCP-client VMs, and not on a DHCP server in my previous testing.
    I verified this function working well in my test environment, turning on DHCP guard on DHCP server side.

    December 13, 2012 19:25
  • Ok but here's the thing...if this is what MS gives as the description as DHCP guard:

    DHCP guard drops server messages from unauthorized virtual machines that are acting as DHCP servers.
    DHCP server traffic from other virtual switch ports is automatically dropped.

    Then one would assume that turning on DHCP guard on a VM (no DHCP server role installed) would prevent that machine from obtaining an IP reservation from a non-trusted server.  But that isn't the case at all. 

    "For all other VMs that are not authorized DHCP servers, you can prevent them from becoming a rogue DHCP server by turning DHCPGuard on, using the following cmdlet."  ---What you said here however is the real function of DHCP guard. To prevent unauthorized elevation of alternate VMs into rogue DHCP servers. SO WHY DOESN'T MS JUST SAY THAT? It is needlessly confusing.

    May 2, 2018 19:19