Is it supported in Security ACLs (PACLs and VACLs) in IOS 12.2(33)SXH ?
Is it possible to filter IPv4 traffic in hardware by MAC with ACLs on this platform?
The same question for ARP traffic.
This should work for you. You would need to enable PI MAC ACL filtering by using the command 'mac packet-classify' on the ingress interface (or vlan interface if L2). This was supported as of 12.2(18)SXD - here is a link to the config guide in the SXF train:
For arp you can just create an arp access-list:
Test6k(config)#arp access-list ARP_FILTER
ip Sender IP address
request ARP Request
response ARP Response