Whatever your chosen acronym for distributed vSwitches, the default security policy is to accept MAC address changes and forged transmits. Even the hardening guides think this is a bad idea (and we know how checking those security those checkboxes from the hardening guide spreadsheet makes us feel, miright?).
GeekAfterFive has the code from his vCloud deployment that also works handy for 5.0 VDS's (and probably 5.1 and 5.5).
Even the 5.0 and 5.1 hardening guides don't have PowerCLI code to change the setting from the default insecure to reject this traffic. Pretty awesome resource there, GeekAfterFive. Good and bad that you're not blogging anymore from "the mothership".