Creating an uplink distributed port group using the VIM API must allow forged transmits

Article ID: 343867

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Background

Beginning with vSphere 5.1, the default port setting for distributed virtual switches disallows forged transmits. This change was made so that the default settings are more secure.

Note: The information in this article only applies to uplinks on distributed port groups that are created using the VIM API.

Symptom

When the VIM API is used to create an uplink distributed port group on a distributed virtual switch, and forged transmits are not allowed on that port group, the uplinks drop received packets whose destination MAC addresses do not match the MAC addresses of the uplinks. Packets that arrive at an uplink from outside ESXi carry destination MAC addresses that do not match the MAC address known to the uplink port, so ESXi drops them, and port clients fail to connect to anything outside the ESXi system.


Environment

VMware vCenter Server 5.5.x
VMware vCenter Server 6.x
VMware vSphere ESXi 6.7
VMware vSphere ESXi 6.5
VMware vSphere ESXi 5.5
VMware vSphere ESXi 6.0

Resolution

Do not disable forged transmits in the security policy of a distributed virtual switch uplink port group. If forged transmits have already been disabled, use Vim::Dvs::VmwareDistributedVirtualSwitch::VmwarePortConfigPolicy to enable or re-enable them on the distributed switch port group.
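The following is an added example (not code from the article or from VMware) of how an administrator can audit for the condition above and build the reconfigure spec that resolves it. The audit half reads only the attribute names the VIM API exposes (config.uplink, config.defaultPortConfig.securityPolicy.forgedTransmits), so it runs against real vim.dvs.DistributedVirtualPortgroup objects fetched through pyVmomi as well as against the constructed stand-ins embedded below; the remediation half assumes pyVmomi is installed and that the caller applies the spec with ReconfigureDVPortgroup_Task. The port group names and the sample inventory are constructed.

```python
"""Audit and remediate forged-transmit settings on uplink distributed port groups.

Added example, not part of the KB article. Assumes pyVmomi for the remediation
half; the audit half only reads VIM-style attributes and runs offline.
"""
from types import SimpleNamespace


def forged_transmits_allowed(pg):
    """True if the port group's default port security policy allows forged transmits.

    Mirrors the VIM path
    DistributedVirtualPortgroup.config.defaultPortConfig.securityPolicy.forgedTransmits.value.
    A missing policy is treated as "not allowed", matching the vSphere 5.1+ default
    the article describes.
    """
    sec = getattr(pg.config.defaultPortConfig, "securityPolicy", None)
    if sec is None or sec.forgedTransmits is None:
        return False
    return bool(sec.forgedTransmits.value)


def uplink_groups_blocking_forged_transmits(portgroups):
    """Names of uplink port groups (config.uplink is True) whose uplinks will drop
    inbound frames because forged transmits are disallowed."""
    return [pg.name for pg in portgroups
            if pg.config.uplink and not forged_transmits_allowed(pg)]


def allow_forged_transmits_spec(pg):
    """Build the DVPortgroupConfigSpec that re-enables forged transmits on pg.

    Requires pyVmomi (assumption). Apply it with pg.ReconfigureDVPortgroup_Task(spec)
    and wait for the task. configVersion must match the port group's current
    config or vCenter rejects the reconfigure as a concurrent modification.
    inherited=False makes the port group override any value inherited from the
    switch instead of silently keeping the inherited one.
    """
    from pyVmomi import vim  # assumption: pyVmomi is installed

    policy = vim.dvs.VmwareDistributedVirtualSwitch.VmwarePortConfigPolicy()
    policy.securityPolicy = vim.dvs.VmwareDistributedVirtualSwitch.SecurityPolicy(
        forgedTransmits=vim.BoolPolicy(value=True, inherited=False))
    spec = vim.dvs.DistributedVirtualPortgroup.ConfigSpec()
    spec.configVersion = pg.config.configVersion
    spec.defaultPortConfig = policy
    return spec


def _fake_pg(name, uplink, forged):
    """Constructed stand-in shaped like a vim.dvs.DistributedVirtualPortgroup."""
    sec = SimpleNamespace(forgedTransmits=SimpleNamespace(value=forged, inherited=False))
    cfg = SimpleNamespace(uplink=uplink, configVersion="1",
                          defaultPortConfig=SimpleNamespace(securityPolicy=sec))
    return SimpleNamespace(name=name, config=cfg)


# Constructed sample inventory: one misconfigured uplink group, one correct
# uplink group, and an ordinary VM port group where the default is fine.
SAMPLE_PORTGROUPS = [
    _fake_pg("dvs01-DVUplinks", uplink=True, forged=False),
    _fake_pg("dvs02-DVUplinks", uplink=True, forged=True),
    _fake_pg("vm-network-100", uplink=False, forged=False),
]

if __name__ == "__main__":
    for name in uplink_groups_blocking_forged_transmits(SAMPLE_PORTGROUPS):
        print(f"{name}: uplink port group disallows forged transmits; inbound frames will be dropped")
```

Against a live vCenter, pass the result of a pyVmomi container view over vim.dvs.DistributedVirtualPortgroup in place of SAMPLE_PORTGROUPS; only uplink port groups are flagged, since the stricter default is exactly what you want on VM-facing port groups.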

Additional Information

Note: In vSphere 6.7, forged transmits cannot be set to False on uplink port groups by default.