Hi Alan,

Please make sure that you have configured the PAC according to the following :

• There can be at most one IPv4, one IPv6, and one MAC access list applied to the same Layer 2
interface per direction.
• The IPv4 access list filters only IPv4 packets, the IPv6 access list filters only IPv6 packets, and the
MAC access list filters only non-IP packets.
• The number of ACLs and ACEs that can be configured as part of a PACL are bounded by the
hardware resources on the switch. Those hardware resources are shared by various ACL features 
(for example, RACL, VACL) that are configured on the system. If insufficient hardware resources
to program PACL exist in hardware, the actions for input and output PACLs differ:
– For input PACLs, some packets are sent to CPU for software forwarding.
– For output PACLs, the PACL is disabled on the port.
• If insufficient hardware resources exist to program the PACL, the output PACL is not applied to the
port, and you receive a warning message.
• The input ACL logging option is supported, although logging is not supported for output ACLs.
• The access group mode can change the way PACLs interact with other ACLs. To maintain consistent
behavior across Cisco platforms, use the default access group mode.
• If a PACL is removed when there are active sessions on a port, a hole (permit ip any any) is installed
on the port.

For step by step configuration, please go through the following link:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-5-0E/15-21E/configuration/guide/config.pdf