Filtering based on MAC address on a Cisco 2960 switch

farondc2007
Level 1

Hello,

I'm attempting to filter IP packet traffic based on MAC address using a 2960 switch. I have several questions: are there any debug commands to view the success or failure of the MAC address filtering? The Wireshark packet display is further down. I just noticed while posting this issue that the MAC addresses I care about are in the 802.11 WLAN section of the packet, which probably means that I can't filter based on these particular MAC addresses. The other problem I see concerns the CAPWAP headers that come before the actual information I care about. I will also post a message in the Wireless group to see if I can filter at the LWAPP controller. Any help would be greatly appreciated. Thank you in advance.

Regards,


Douglas Faron

My switch configuration is shown below:

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname WSLSwitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$GiOp$E/c4FWpIs9D236URVbgJd/
enable password aquila
!
!
!
no aaa new-model
clock timezone UTC -8
switch 1 provision ws-c2960s-24ps-l
!
!
no ip igmp snooping
vtp domain WSL
vtp mode transparent
!
!
crypto pki trustpoint TP-self-signed-788601984
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-788601984
 revocation-check none
 rsakeypair TP-self-signed-788601984
!
!
crypto pki certificate chain TP-self-signed-788601984
 certificate self-signed 01
  quit
!
mac access-list extended MAC
 deny   host 0010.4067.4f6f host 0100.5e01.0101
 permit any any
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
no errdisable detect cause loopback
!
vlan internal allocation policy ascending
!
vlan 36
 name WSLWired
!
vlan 110
 name WSLPSK
!
vlan 111
 name WSLPSK2
!
vlan 112
 name WSLIAS1X
!
vlan 113
 name WSLIASWPA
!
vlan 114
 name WSLIASWPA2
!
vlan 115
 name WSLCISCO1X
!
vlan 116
 name WSLCISCOWPA
!
vlan 117
 name WSLCISCOWPA2
!
vlan 118
 name WSLFUNK1X
!
vlan 119
 name WSLFUNKWPA
!
vlan 120
 name WSLFUNKWPA2
!
vlan 121
 name WSLTEST1
!
vlan 122
 name WSLTEST2
!
vlan 123
 name WSLTEST3
!
vlan 124
 name WSLWEP128
!
vlan 125
 name WSLWEP64
!
vlan 250
 name WSLroaming
!
vlan 251
 name WSLOPEN
!
vlan 304
 name JHarriganNet
!
!
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
 description Jack 1.11; TestServer
 switchport access vlan 36
 switchport mode access
!
interface GigabitEthernet1/0/2
 description Jack 1.26; Replacement Roaming Station
 switchport access vlan 36
 switchport mode access
!
interface GigabitEthernet1/0/3
 description HP GB Switch step up to LWAPP Controller
 switchport access vlan 36
 switchport mode access
!
interface GigabitEthernet1/0/4
 description Jack 1.19 Roaming Access Point
 switchport trunk native vlan 250
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 description POE Jack 1.20; Roaming AP1
 switchport access vlan 250
 switchport trunk native vlan 250
 switchport mode trunk
!
interface GigabitEthernet1/0/6
 description Jack 1.21: Roaming AP 2
 switchport access vlan 250
 switchport trunk native vlan 250
 switchport mode trunk
!
interface GigabitEthernet1/0/7
 description Jack 1.25
 switchport access vlan 36
 switchport mode access
!
interface GigabitEthernet1/0/8
 description POE; Jack 1.22; Roaming AP 2
 switchport access vlan 250
 switchport trunk native vlan 250
 switchport mode trunk
!
interface GigabitEthernet1/0/9
 description Jack 1.13 WSLSSAMC
 switchport access vlan 36
 switchport mode access
!
interface GigabitEthernet1/0/10
 description Jack 1.12 WSLACS
 switchport access vlan 36
 switchport mode access
!
interface GigabitEthernet1/0/11
 description Jack 1.16
 switchport access vlan 250
 switchport mode access
!
interface GigabitEthernet1/0/12
 description Jack 1.9
 switchport access vlan 36
 switchport mode access
 ip access-group 101 in
!
interface GigabitEthernet1/0/13
 description Jack 1.14
 switchport access vlan 36
 switchport mode access
!
interface GigabitEthernet1/0/14
 description Jack 1.15
 switchport access vlan 36
 switchport mode access
!
interface GigabitEthernet1/0/15
 description Jack 1.6
 switchport access vlan 36
 switchport mode access
!
interface GigabitEthernet1/0/16
 description Open
 switchport access vlan 36
 switchport mode access
!
interface GigabitEthernet1/0/17
 description Jack 1.24
 switchport access vlan 36
 switchport mode access
 mac access-group MAC in
!
interface GigabitEthernet1/0/18
 description Open
 switchport access vlan 36
 switchport mode access
 ip access-group 100 in
!
interface GigabitEthernet1/0/19
 description Jack 1.17
 switchport access vlan 36
 switchport mode access
!
interface GigabitEthernet1/0/20
 description Jack 1.8
 switchport access vlan 36
 switchport mode access
!
interface GigabitEthernet1/0/21
 description Jack 1.23; Roaming WDS
 switchport trunk native vlan 250
 switchport mode trunk
!
interface GigabitEthernet1/0/22
 switchport access vlan 304
 switchport mode access
!
interface GigabitEthernet1/0/23
 switchport trunk native vlan 36
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description 2C/G48: SWTestSwitch Port 0/3
 switchport mode trunk
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 172.31.31.1 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan36
 ip address 172.31.31.250 255.255.255.0
 no ip route-cache
!
interface Vlan250
 ip dhcp relay information trusted
 no ip address
 no ip route-cache
!
ip default-gateway 172.31.31.1
ip http server
ip http secure-server
access-list 100 deny   ip host 172.31.31.31 host 172.31.31.241 log
access-list 100 permit ip any any log
banner login ^Che WSLSwich in the Cisco 2960 located in Wireless lab^C
!
line con 0
 logging synchronous
 stopbits 1
line vty 0 4
 password xxxxxx
 login
line vty 5 15
 password xxxxxx
 login
!
!
monitor session 1 source interface Gi1/0/17
monitor session 1 destination interface Gi1/0/23
ntp broadcastdelay 1000
ntp server 172.31.31.5 key 0
end

The packet that I'm attempting to filter (the problem is that I want to filter based on the WLAN Mac addresses) :
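As an added illustration (not part of the thread), the script below builds a constructed CAPWAP data frame as it crosses the wired switch port and evaluates the poster's MAC ACL against the outer Ethernet addresses, which belong to the AP and the controller and are the only ones a Layer 2 ACL on the switch can match, versus the station and multicast addresses inside the 802.11 header that the poster actually wants to filter. Every MAC and IP except the two addresses taken from the ACL is constructed; note also that on the Catalyst 2960 a MAC ACL applies only to non-IP traffic, so IP frames are not matched by it regardless of address.

```python
import struct

CAPWAP_DATA_PORT = 5247  # CAPWAP data channel UDP port (RFC 5415)

def mac_str(b):
    """6 raw bytes -> Cisco dotted-hex notation, e.g. 0010.4067.4f6f."""
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def parse_capwap_frame(pkt):
    """Outer Ethernet MACs (what a switch MAC ACL matches) and inner 802.11 SA/DA."""
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", pkt[:14])
    if etype != 0x0800 or pkt[23] != 17:          # IPv4 carrying UDP
        raise ValueError("expected IPv4/UDP")
    udp = 14 + (pkt[14] & 0x0F) * 4               # skip the IP header (IHL in 4-byte words)
    if struct.unpack("!H", pkt[udp + 2:udp + 4])[0] != CAPWAP_DATA_PORT:
        raise ValueError("not CAPWAP data")
    cw = udp + 8
    hlen = (pkt[cw + 1] >> 3) * 4                 # CAPWAP HLEN: top 5 bits of byte 2, in 4-byte words
    d = cw + hlen                                 # start of the native 802.11 header
    fc, _, a1, a2, a3 = struct.unpack("<HH6s6s6s", pkt[d:d + 22])
    to_ds = bool(fc & 0x0100)                     # ToDS: addr2=SA, addr3=DA; FromDS: addr3=SA, addr1=DA
    return {"outer_src": mac_str(eth_src), "outer_dst": mac_str(eth_dst),
            "inner_src": mac_str(a2 if to_ds else a3),
            "inner_dst": mac_str(a3 if to_ds else a1)}

def mac_acl_permits(acl, src, dst):
    """First-match evaluation of a Cisco-style MAC ACL with the implicit deny at the end."""
    for action, s, d in acl:
        if s in ("any", src) and d in ("any", dst):
            return action == "permit"
    return False

# The poster's ACL, transcribed from the config above.
MAC_ACL = [("deny", "0010.4067.4f6f", "0100.5e01.0101"), ("permit", "any", "any")]

def build_sample():
    """Constructed AP->controller CAPWAP frame carrying a ToDS 802.11 data frame from the station to the multicast MAC in the ACL."""
    ap, wlc = bytes.fromhex("001a2b3c4d5e"), bytes.fromhex("00aabbccddee")  # constructed AP / WLC MACs
    sta, mc = bytes.fromhex("001040674f6f"), bytes.fromhex("01005e010101")  # the two MACs from the ACL
    dot11 = struct.pack("<HH6s6s6sH", 0x0108, 0, ap, sta, mc, 0)  # data frame, ToDS=1, addr1=BSSID
    capwap = bytes([0x00, 0x10, 0x03, 0, 0, 0, 0, 0])              # HLEN=2 words, WBID=1 (802.11), T=1
    udp = struct.pack("!HHHH", 40000, CAPWAP_DATA_PORT, 8 + len(capwap) + len(dot11), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(capwap) + len(dot11),
                     0, 0, 64, 17, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))  # constructed IPs
    return wlc + ap + b"\x08\x00" + ip + udp + capwap + dot11

def acl_view(pkt):
    """ACL verdict on the addresses the switch sees vs. the ones the poster wants to filter."""
    f = parse_capwap_frame(pkt)
    return {"switch_sees": mac_acl_permits(MAC_ACL, f["outer_src"], f["outer_dst"]),
            "wanted": mac_acl_permits(MAC_ACL, f["inner_src"], f["inner_dst"])}
```

Running acl_view(build_sample()) shows the switch permitting the frame (the outer AP/controller MACs never hit the deny entry) while the inner station-to-multicast pair would have been denied.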


1 Reply

Koh Chin Han
Level 1

You will have to use a packet sniffer, else run a script (if you know how) on the switch.
