Hyper-V Networking–Router Guard

Router guard is another advanced networking feature that was added in Windows Server 2012.

When you enable Router Guard, the Hyper-V switch will discard the following packets:

  • ICMPv4 Type 5 (Redirect message)
  • ICMPv4 Type 9 (Router Advertisement)
  • ICMPv6 Type 134 (Router Advertisement)
  • ICMPv6 Type 137 (Redirect message)

Much like DHCP guard, the two most common questions I get about router guard are:

  1. Why would I want to enable this option?

    Imagine you have a virtual machine that is configured for routing services and is connected to multiple virtual networks.  You want to make sure that routing services are only provided on one specific virtual network.  In this case you would enable the router guard on any networks where you did not want the virtual machine to act as a router.

  2. Why isn’t this option enabled by default everywhere?

    Router guard does have a relatively minimal impact on performance.  Given that most virtual machines are not running routing services, it is not enabled by default, as it is not needed.

You can configure this setting through the UI or with PowerShell.  To configure it with PowerShell, use the RouterGuard parameter on the Set-VMNetworkAdapter cmdlet.
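The following is an added example, not from the original post, that applies the scenario from question 1: it turns router guard on for every network adapter of a routing virtual machine except the one attached to the network where routing is wanted. The function name, the VM name 'RouterVM' and the switch name 'Routed-Net' are placeholders chosen for illustration.

```powershell
#Requires -Modules Hyper-V
# Added example: function, VM and switch names are hypothetical placeholders.

function Set-RouterGuardExceptOn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $VMName,
        # Virtual switch on which the VM is allowed to act as a router
        [Parameter(Mandatory)] [string] $RoutedSwitchName
    )

    $adapters = @(Get-VMNetworkAdapter -VMName $VMName -ErrorAction Stop)

    # Refuse to change anything if the expected routed network is not attached,
    # so a typo in the switch name cannot silently guard every adapter.
    if (-not ($adapters | Where-Object SwitchName -eq $RoutedSwitchName)) {
        throw "VM '$VMName' has no adapter on switch '$RoutedSwitchName'; nothing changed."
    }

    foreach ($adapter in $adapters) {
        # Off only on the routed network; On everywhere else
        # (including adapters not connected to any switch).
        $state = if ($adapter.SwitchName -eq $RoutedSwitchName) { 'Off' } else { 'On' }
        $target = "$VMName / $($adapter.Name) on '$($adapter.SwitchName)'"
        if ($PSCmdlet.ShouldProcess($target, "Set RouterGuard $state")) {
            Set-VMNetworkAdapter -VMNetworkAdapter $adapter -RouterGuard $state
        }
    }

    # Report the resulting state of each adapter for verification.
    Get-VMNetworkAdapter -VMName $VMName |
        Select-Object VMName, Name, SwitchName, RouterGuard
}

# Preview the changes first; remove -WhatIf to apply them.
Set-RouterGuardExceptOn -VMName 'RouterVM' -RoutedSwitchName 'Routed-Net' -WhatIf
```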

Cheers,
Ben