You can create a MAC address group (MAC set) consisting of a range of MAC addresses and then add this group as the source or destination in a Distributed Firewall rule. Such a rule can help protect physical machines from virtual machines or the reverse.


  1. In the vSphere Web Client, click Networking & Security > Groups and Tags.
  2. Navigate to MAC Sets:
    • In NSX 6.4.1 and later, ensure that you are in the MAC Sets tab.
    • In NSX 6.4.0, ensure that you are in the Grouping Objects > MAC Sets tab.
  3. If multiple IP addresses are available in the NSX Manager drop-down menu, select an IP address, or keep the default selection.
    • To manage universal MAC address groups, the primary NSX Manager must be selected.
  4. Click Add or the Add (add) icon.
  5. Type a name for the address group.
  6. (Optional) Type a description for the address group.
  7. Type the MAC addresses to be included in the group.
  8. (Optional) Select Inheritance or Enable inheritance to allow visibility at underlying scopes.
    When inheritance is enabled, grouping objects created at the global scope are accessible from derived scopes, such as datacenter, Edge, and so on.
  9. (Optional) Select Universal Synchronization or Mark this object for Universal Synchronization to create a universal MAC address group.
  10. Click Add or OK.