You can create a MAC address group consisting of a range of MAC addresses and then add this group as the source or destination in a Distributed Firewall rule. Such a rule can help protect physical machines from virtual machines or vice versa.


  1. Log in to the vSphere Web Client.
  2. Click Networking & Security and then under Networking & Security Inventory click NSX Managers.
  3. Click an NSX Manager in the Name column and then click the Manage tab.
    • You must select the primary NSX Manager if you need to manage universal MAC address groups.

  4. Click the Grouping Objects tab and then click MAC Sets.
  5. Click the Add icon.
  6. Type a name for the address group.
  7. (Optional) Type a description for the address group.
  8. Type the MAC addresses to be included in the group.
  9. (Optional) Select Enable inheritance to allow visibility at underlying scopes.
  10. (Optional) Select Mark this object for Universal Synchronization to create a universal MAC address group.
  11. Click OK.
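
The following Python check is an added example, not part of the original page or of NSX itself. It validates and normalizes a list of MAC addresses before they are typed in step 8, because a mistyped address in a firewall group will not match the machine it was meant for. The function names and the sample addresses are constructed for illustration.

```python
import re

# Accepted notations: 00:50:56:aa:bb:cc, 00-50-56-AA-BB-CC, 0050.56aa.bbcc, 005056aabbcc
_SEPARATED = re.compile(r"^[0-9a-f]{2}([:-])[0-9a-f]{2}(?:\1[0-9a-f]{2}){4}$")
_DOTTED = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
_BARE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(entry):
    """Return the MAC as lowercase colon-separated octets, or raise ValueError."""
    text = entry.strip().lower()
    if not (_SEPARATED.match(text) or _DOTTED.match(text) or _BARE.match(text)):
        raise ValueError("not a MAC address: %r" % entry)
    digits = re.sub(r"[^0-9a-f]", "", text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def prepare_mac_set(entries):
    """Split raw entries into (accepted, rejected) for a MAC address group.

    accepted: unique normalized unicast addresses, in input order.
    rejected: (original entry, reason) pairs that need a human decision.
    """
    accepted, rejected, seen = [], [], set()
    for entry in entries:
        try:
            mac = normalize_mac(entry)
        except ValueError:
            rejected.append((entry, "malformed"))
            continue
        if mac in seen:
            rejected.append((entry, "duplicate"))
        elif int(mac[:2], 16) & 0x01:
            # Group bit set: multicast or broadcast, not one machine's NIC.
            rejected.append((entry, "multicast/broadcast"))
        else:
            seen.add(mac)
            accepted.append(mac)
    return accepted, rejected


# Constructed sample input, not taken from the page.
SAMPLE = ["00:50:56:AA:BB:01", "00-50-56-aa-bb-01", "0050.56aa.bb02",
          "00:50:56:aa:bb:0g", "ff:ff:ff:ff:ff:ff", "00:50:56:aa:bb"]

if __name__ == "__main__":
    good, bad = prepare_mac_set(SAMPLE)
    print("addresses for the group:", *good, sep="\n  ")
    for entry, reason in bad:
        print("check:", entry, "->", reason)
```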