Comprehensive and Detailed 250 to 350 words of Explanation From VMware Cloud Foundation (VCF) documents:

Nested virtualization---where a hypervisor like ESXi is run as a virtual machine---imposes unique challenges on the virtual networking layer. In a standard VCF environment, an NSX segment port expects to see exactly one MAC address: the MAC address assigned to the VM's vNIC.

When you run a nested hypervisor, that single vNIC now acts as an 'uplink' for multiple 'inner' virtual machines. Consequently, traffic originating from that single nested ESXi VM will contain many different source MAC addresses (one for each nested VM). By default, the NSX/VDS security and switching logic will drop this traffic because it appears as MAC Spoofing---packets are arriving from a port with source MACs that do not match the port's registered ID.

To support this, a MAC Discovery Segment Profile must be configured and applied to the segment. Within this profile, the administrator must enable MAC Learning. MAC Learning allows the NSX virtual switch to 'learn' and permit multiple MAC addresses on a single logical port. Without this, only the primary MAC of the nested ESXi host would be allowed, and all nested VMs would lose connectivity to the rest of the network.

In VCF 5.x and 9.0 documentation, this is a standard requirement for 'Lab-on-a-Lab' designs or development environments. While IP Discovery (Option A) and Spoof Guard (Option D) are important for maintaining the IP-to-MAC binding and preventing IP theft, they do not address the fundamental Layer 2 requirement of allowing multiple MAC identities on a single port. Therefore, MAC Discovery with MAC learning enabled is the verified profile choice for nested hypervisor support.

===========