A vDS drops traffic because ports are blocked for security violations, even though the security policy in the vCenter GUI has been set to allow these traffic types.
In other scenarios, virtual machines residing on a trunk port group are unable to reach the default gateway, and network traffic for all configured VLANs fails to egress the ESXi host uplinks.
VMware vCenter Server 8.0 Update 3
VMware ESXi
When unsupported configuration combinations are used together with MAC Learning, the vSphere security policies may not be applied as expected at the ESXi host level, which can result in inconsistent or unintended behavior such as ports being blocked for security violations.
To resolve the issue, perform one of the following workarounds:
1. Migrate to vSS: As the most stable mitigation, migrate affected virtual machines to a Standard Switch (vSS) until a patch is released.
2. If MAC Learning and MAC address changes are enabled, Promiscuous mode must be disabled and Forged Transmits must be enabled.
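The following PowerCLI script is an added example, not part of this KB article: it audits every vDS port group for the unsupported combination described in workaround 2 (MAC Learning and MAC address changes enabled while Promiscuous mode is on or Forged Transmits is off) and can apply the workaround through the vSphere API. It assumes an active PowerCLI session (Connect-VIServer) with the VMware.VimAutomation.Vds module loaded; the function names are the author's own, and $Remediate is left at $false so the first run is report-only.

```powershell
# Added example (not VMware's code): audit vDS port groups for the unsupported
# MAC Learning combination and optionally apply the KB workaround.
# Assumes Connect-VIServer has already been run; no names are hard-coded.
$Remediate = $false   # set to $true to apply the workaround to flagged port groups

function Test-DvpgMacPolicy {
    # Returns the deviations from the supported combination (empty list = OK).
    param([VMware.Vim.DVSMacManagementPolicy]$Policy)
    $findings = @()
    # Properties are nullable booleans; compare to $true explicitly.
    $learning = ($null -ne $Policy.MacLearningPolicy) -and ($Policy.MacLearningPolicy.Enabled -eq $true)
    if ($learning -and ($Policy.MacChanges -eq $true)) {
        if ($Policy.AllowPromiscuous -eq $true) { $findings += 'Promiscuous mode must be disabled' }
        if ($Policy.ForgedTransmits -ne $true) { $findings += 'Forged Transmits must be enabled' }
    }
    return $findings
}

function Repair-DvpgMacPolicy {
    # Applies workaround 2: keep MAC Learning and MAC changes, disable
    # promiscuous mode, enable forged transmits. MAC Learning is not exposed
    # by Set-VDSecurityPolicy, so the port group is reconfigured via the API.
    param($Portgroup)
    $current = $Portgroup.ExtensionData.Config.DefaultPortConfig.MacManagementPolicy
    $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
    $spec.ConfigVersion = $Portgroup.ExtensionData.Config.ConfigVersion
    $spec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
    $mac = New-Object VMware.Vim.DVSMacManagementPolicy
    $mac.AllowPromiscuous  = $false
    $mac.ForgedTransmits   = $true
    $mac.MacChanges        = $true
    $mac.MacLearningPolicy = $current.MacLearningPolicy   # preserve learning limits
    $spec.DefaultPortConfig.MacManagementPolicy = $mac
    $Portgroup.ExtensionData.ReconfigureDVPortgroup($spec)
}

foreach ($pg in Get-VDPortgroup | Where-Object { -not $_.IsUplink }) {
    $policy = $pg.ExtensionData.Config.DefaultPortConfig.MacManagementPolicy
    if ($null -eq $policy) { continue }   # switch version predates MAC Learning
    $findings = Test-DvpgMacPolicy -Policy $policy
    if ($findings.Count -eq 0) { continue }
    Write-Warning ("{0}/{1}: {2}" -f $pg.VDSwitch.Name, $pg.Name, ($findings -join '; '))
    if ($Remediate) { Repair-DvpgMacPolicy -Portgroup $pg }
}
```

Port-level overrides are not inspected here; a port with its own security override keeps its setting even after the port-group default is repaired.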
In a future release of vCenter, validation logic will be introduced to detect and notify administrators when a port group is configured in an unsupported state, helping to prevent misconfiguration.
Related Knowledge Base Articles:
KB 317477: vDS ports go into blocked state for security violations even when the security policy is enabled.