There seems to be some confusion about this topic for you. Let's begin by clearing up a few details.
> I am familiar with the mac access-list command but every manual I had seen explicitly says that ACLs filter only non-IP protocols.
If you think about this a bit, it makes sense. An IP packet doesn't contain MAC addresses, so this would be difficult. However, IP traffic is encapsulated in an L2 protocol, typically Ethernet, which does utilize MAC addresses.
> You cannot apply named MAC extended ACLs to Layer 3 interfaces.
Again, this is natural. Since MAC ACLs function on L2, they wouldn't really need/want them on a L3 interface anyway.
However, by default interfaces on a 2960-X are layer 2 interfaces, so you can apply a MAC access-list to them.
So, this series of commands should provide the result you want (using the first SFP port on a WS-C2960X-48FPS-L so adjust as necessary):
    ! Create the ACL
    mac access-list extended TestACL
     deny host 8877.6655.4433 any
     permit any any
    ! Now apply to the interface
    interface Gi1/0/49
     mac access-group TestACL in
Edit based on comments: if you want to rule out the source port being incorrect, you can use the following with the above ACL to block all traffic from that MAC going out the second SFP port:
    ! Now apply to the interface
    interface Gi1/0/50
     mac access-group TestACL out
If that doesn't work, then the MAC address has to be incorrect and you need to provide more information.
The ACL will work no matter if the MAC address table is updated dynamically or if you add a static entry. However, if the dynamic entry for this MAC is flapping between different ports, that could explain why the ACL didn't work as intended. Additionally, without additional features configured, the static entry will not have an effect on traffic arriving on a port, only on the destination port used for the traffic.
And finally, the packet being highlighted in red by Wireshark doesn't tell me much. Different versions of Wireshark have used different coloring rules, the default rules typically include a number of matches that get colored red, and many of us use our own custom rules. You would need to provide more detail or the actual capture for us to know what exactly that means.
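The flapping case mentioned in the answer above can be checked from the switch's syslog before blaming the ACL. The script below is an added example, not part of the original answer: it assumes the switch logs MAC moves with the `%SW_MATM-4-MACFLAP_NOTIF` message in the format shown, and the log lines, VLAN number and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed Catalyst IOS MAC-move syslog format; not taken from the original post.
FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host "
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<a>\S+) and port (?P<b>\S+)"
)

# Constructed sample log lines (not real switch output).
SAMPLE_LOG = [
    "Mar  1 00:10:01: %SW_MATM-4-MACFLAP_NOTIF: Host 8877.6655.4433 in vlan 10 "
    "is flapping between port Gi1/0/49 and port Gi1/0/12",
    "Mar  1 00:10:05: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, "
    "changed state to up",
    "Mar  1 00:10:09: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 "
    "is flapping between port Gi1/0/1 and port Gi1/0/2",
]

def normalize_mac(mac):
    """Return a MAC in Cisco dotted form (8877.6655.4433) from any common notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def find_flaps(log_lines, target_mac):
    """Map VLAN -> set of ports the target MAC was reported flapping between."""
    target = normalize_mac(target_mac)
    ports_by_vlan = defaultdict(set)
    for line in log_lines:
        m = FLAP_RE.search(line)
        if m and normalize_mac(m["mac"]) == target:
            ports = (m["a"].rstrip("."), m["b"].rstrip("."))
            ports_by_vlan[int(m["vlan"])].update(ports)
    return dict(ports_by_vlan)

def uncovered_ports(flaps, acl_in_ports):
    """Ports where the MAC was seen but no inbound MAC ACL is applied."""
    seen = set().union(*flaps.values())
    return sorted(seen - set(acl_in_ports))

if __name__ == "__main__":
    flaps = find_flaps(SAMPLE_LOG, "88:77:66:55:44:33")
    print("flapping:", flaps)
    # The answer applies TestACL inbound on Gi1/0/49 only.
    print("ports without inbound ACL:", uncovered_ports(flaps, ["Gi1/0/49"]))
```

Any port listed as uncovered is a place where frames from the blocked MAC enter the switch without passing through the inbound ACL.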
Best Answer
Go for IEEE 802.1x Port-Based Authentication. Port security was not really designed for that.
HTH Adam