Segment security profile with DHCP Server Block disabled still blocks DHCP server replies

Article ID: 374558

Products

VMware NSX

Issue/Introduction

  • A segment security profile that has DHCP Server Block disabled is in use.
  • DHCP Server Block is still applied.
  • That DHCP Server Block is still applied can be verified with the host CLI command below.

Host Command to execute:

nsxdp-cli swsec get config --dvport <dv-portid> --dvs-alias <DVS-Name>

Response:

Features Enabled : DHCP snooping, DHCP server block, DHCPv6 server block

  • The --dvs-alias name can be retrieved from vCenter. It is the name of the distributed virtual switch (DVS).
  • The --dvport value can be retrieved on the host CLI with the following command; it is listed under the column "DVSPort".

nsxcli -c get ports
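
The verification above can be scripted when several ports need checking. This is an added example, not part of the original article or of VMware tooling: it parses the "Features Enabled" line shown in the response and reports which DHCP server block features are still active. The function names and sample input are constructed, and the shape of the line when no block is enabled is an assumption.

```shell
#!/bin/sh
# Added example (not from the KB article). Reads the output of
#   nsxdp-cli swsec get config --dvport <dv-portid> --dvs-alias <DVS-Name>
# on stdin and prints the DHCP server block features that are enabled:
#   "DHCP server block", "DHCPv6 server block", both (comma-separated),
#   "none" if neither is listed, or "unknown" (exit status 2) if the
#   "Features Enabled" line is missing from the input.
dhcp_block_features() {
    awk '
        /^[ \t]*Features Enabled[ \t]*:/ {
            seen = 1
            line = $0
            sub(/^[^:]*:/, "", line)          # drop the "Features Enabled :" label
            n = split(line, feat, ",")
            for (i = 1; i <= n; i++) {
                f = feat[i]
                gsub(/^[ \t]+|[ \t]+$/, "", f) # trim surrounding whitespace
                # Exact comparison: "DHCP snooping" alone is not a server block.
                if (f == "DHCP server block" || f == "DHCPv6 server block")
                    out = (out == "" ? f : out "," f)
            }
        }
        END {
            if (!seen) { print "unknown"; exit 2 }
            print (out == "" ? "none" : out)
        }'
}

# Hypothetical wrapper for use on the host: runs the command from this
# article for one port and classifies the result.
#   usage: check_port <dv-portid> <DVS-Name>
check_port() {
    nsxdp-cli swsec get config --dvport "$1" --dvs-alias "$2" | dhcp_block_features
}

# Constructed sample: the response line shown in this article.
sample_response() {
    printf '%s\n' 'Features Enabled : DHCP snooping, DHCP server block, DHCPv6 server block'
}
```

Any result other than "none" for a port whose profile has DHCP Server Block disabled matches the behaviour described in this article.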

Environment

VMware NSX

VMware NSX-T Data Center

Resolution

This issue is resolved in VMware NSX 4.2, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

Workaround:

Create a new segment security profile with all features disabled. This will ensure the DHCP block is not automatically enabled.