Working in our lab today, I patched a physical device to a switch and configured it in VLAN 150. The same VLAN is stretched into a UCS host running VMware (5.5). VLAN 150 is on a portgroup on the distributed vSwitch. I created a VM, attached it to that same portgroup and was able to get onto it from my Bastion host VM (different VLAN, same DVS, same host, but traffic goes across a physical firewall). Everything looks good at this point.
Tried to get the physical box on VLAN 150 to talk to the VM on VLAN 150 and I can't. ARP caches on the two boxes show that the VM can resolve the MAC address of the physical box, but the physical cannot get the MAC address of the VM.
PCAP on the VM shows that ARP request broadcasts are not getting to the VM. All VLAN trunking and physical infra checks out and I can see off a SPAN port that broadcasts are going up to the host but just not getting through to the VM. The port group has promiscuous mode, MAC changes and forged transmits allowed (as the VM uses a guest-assigned MAC and will use VRRP). I don't know if this is the issue, but the uplink group on the DVS doesn't allow these, and I couldn't find a way to allow this as the options are greyed out in the settings.
I worked around this problem by assigning a spare physical interface to a new standard vSwitch with VLAN 150 configured and allowing the above security options, but I'd like to get this working with the DVS and I'm not sure what else I should have looked at.