Blocking Bonjour Services with NSX – Helpful Hint

One day I was working with a customer running NSX for micro-segmentation of virtual machines (running OS X), to block traffic between a set of VMs. During some periodic overview testing it was noted that the virtual machines' ability to ping each other was indeed blocked, but within Sharing in an OS X based VM you could still see that there were other VMs on the same network. Sure, the fact that traffic was not passing directly between them is good, but we also want to stop the VMs from even knowing that there are others on the network alongside them.

After a little digging and a quick test, it was realized that this ability to be aware of other VMs on the same network was due to Bonjour services' use of the multicast IP address 224.0.0.251 (mDNS).

Add a rule with source [your source network], destination [224.0.0.251] and action [block].
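To see why the extra rule is needed, here is a small first-match firewall simulation (an added example, not part of the original post or of NSX itself). The segment 10.1.1.0/24, the VM addresses, the external address 198.51.100.5 and the packet samples are all constructed for illustration; the only value taken from the post is the mDNS multicast group 224.0.0.251 (port 5353 is the standard mDNS UDP port). It evaluates a constructed set of packets against the VM-to-VM block rule alone and then with the multicast rule added, and reports which VMs would still be discoverable in each case.

```python
"""Simulate distributed-firewall rule matching for Bonjour/mDNS traffic.

Added example, not from the original post. Segment, VM addresses and the
packet samples below are constructed; first-match, top-down evaluation with
a default allow is assumed for the rule set.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MDNS_GROUP = "224.0.0.251"   # IPv4 multicast group used by Bonjour/mDNS
MDNS_PORT = 5353             # standard mDNS UDP port


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "udp", "tcp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    src: str                   # source CIDR
    dst: str                   # destination CIDR
    action: str                # "block" or "allow"
    proto: Optional[str] = None   # None means any protocol
    dport: Optional[int] = None   # None means any port

    def matches(self, pkt: Packet) -> bool:
        in_src = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False)
        in_dst = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst, strict=False)
        proto_ok = self.proto is None or self.proto == pkt.proto
        port_ok = self.dport is None or self.dport == pkt.dport
        return in_src and in_dst and proto_ok and port_ok


def evaluate(pkt: Packet, rules: List[Rule], default: str = "allow") -> Tuple[str, str]:
    """Return (action, rule name) for the first rule that matches, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"


# Constructed policy: 10.1.1.0/24 stands in for the customer's VM segment (assumption).
VM_SEGMENT = "10.1.1.0/24"
RULES_BEFORE = [Rule("block-vm-to-vm", VM_SEGMENT, VM_SEGMENT, "block")]
# The rule from the post: source network -> 224.0.0.251, any service, block.
RULES_AFTER = [Rule("block-mdns", VM_SEGMENT, MDNS_GROUP + "/32", "block")] + RULES_BEFORE

# Constructed traffic sample: two VMs announcing over mDNS, a ping between them,
# and one VM talking to an outside host.
SAMPLE_TRAFFIC = [
    Packet("10.1.1.10", MDNS_GROUP, "udp", MDNS_PORT),
    Packet("10.1.1.11", MDNS_GROUP, "udp", MDNS_PORT),
    Packet("10.1.1.10", "10.1.1.11", "icmp"),
    Packet("10.1.1.10", "198.51.100.5", "tcp", 443),
]


def discoverable_hosts(rules: List[Rule], traffic: List[Packet]) -> List[str]:
    """VMs whose mDNS announcements are still allowed through under `rules`."""
    return sorted({
        p.src for p in traffic
        if p.dst == MDNS_GROUP and p.proto == "udp" and p.dport == MDNS_PORT
        and evaluate(p, rules)[0] == "allow"
    })


if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(f"--- {label} adding the multicast rule ---")
        for p in SAMPLE_TRAFFIC:
            action, name = evaluate(p, rules)
            print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {action} ({name})")
        print("discoverable via Bonjour:", discoverable_hosts(rules, SAMPLE_TRAFFIC))
```

With only the VM-to-VM rule the ping is blocked, but the announcements to 224.0.0.251 fall outside the segment's own CIDR and pass, so every VM stays visible in Sharing; adding the multicast rule removes them while the outbound HTTPS flow is untouched. Two caveats worth keeping in mind: the post's rule only covers IPv4, and if IPv6 is enabled on the VMs the equivalent mDNS group is ff02::fb; and because the rule names no service, it blocks all traffic to that group, which is what you want here.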

plasebikan