Changing the Spoof Guard Profile applied to a Segment causes the same profile to be applied unexpectedly to the Logical Port.
Article ID: 384470
Updated On:
Products
VMware NSX
Issue/Introduction
First, you apply the same Spoof Guard profile to a segment and to its segment ports.
Then you apply a different Spoof Guard profile to the segment.
As a result, on the datapath, the Spoof Guard profile applied to the segment is also applied to the logical ports.
In the GUI, the segment ports still show the same Spoof Guard profile as before.
Symptoms include virtual machines being allowed unintended traffic or having communication problems. For example, if you apply a profile with Spoof Guard disabled to a segment, Spoof Guard is also disabled for the virtual machine connected to the logical port.
Environment
VMware NSX 4.x
Cause
The configuration for the logical port is not saved correctly when you first apply the same Spoof Guard profile to a segment and its segment ports and then apply a different Spoof Guard profile to the segment.
Resolution
Broadcom is aware of this issue and working on a fix.
Workaround: Apply different Spoof Guard profiles to segments and their segment ports.
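One way to find the ports that meet the precondition described above before changing a segment's profile. This is an added example, not Broadcom's code; the inventory layout, key names, and sample values are constructed assumptions that you would fill from your own export of segment and port profile assignments.

```python
# Constructed sample inventory. The layout and key names ("segment", "ports",
# "port", "spoofguard_profile") are assumptions made for this example.
SAMPLE_INVENTORY = [
    {
        "segment": "seg-web",
        "spoofguard_profile": "sg-strict",
        "ports": [
            {"port": "seg-web/vm-01", "spoofguard_profile": "sg-strict"},
            {"port": "seg-web/vm-02", "spoofguard_profile": "sg-port-strict"},
            {"port": "seg-web/vm-03"},  # no profile applied on the port itself
        ],
    },
    {
        "segment": "seg-db",
        "spoofguard_profile": "sg-db",
        "ports": [
            {"port": "seg-db/vm-10", "spoofguard_profile": "sg-db/"},
        ],
    },
]


def _norm(name):
    """Normalize a profile reference so trivial formatting differences compare equal."""
    return name.strip().rstrip("/") if name else None


def ports_sharing_segment_profile(inventory):
    """Return (segment, port, profile) for every port whose explicitly applied
    Spoof Guard profile equals the one applied to its segment."""
    findings = []
    for seg in inventory:
        seg_profile = _norm(seg.get("spoofguard_profile"))
        if seg_profile is None:
            continue  # nothing applied on the segment, so nothing to compare
        for port in seg.get("ports", []):
            if _norm(port.get("spoofguard_profile")) == seg_profile:
                findings.append((seg["segment"], port["port"], seg_profile))
    return findings


if __name__ == "__main__":
    for segment, port, profile in ports_sharing_segment_profile(SAMPLE_INVENTORY):
        print(f"{port}: shares {profile} with {segment}; give the port its own profile")
```

Ports reported here are the ones to move to a separate Spoof Guard profile, per the workaround, before the segment's profile is changed.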