Every condition listed in the access list statement must match for the statement to match and the permit or deny condition to be applied. As soon as one parameter or condition fails, the next line in the access list is compared.
The extended access list checks source address, protocol, and
destination address. Depending on the protocol configured, there may
be more protocol-dependent options tested. For example, a TCP port
may be checked, allowing routers to filter at the application layer.
IP permits fragmentation to allow large packets to be split up
into smaller ones (fragments) in order to cross networks that
support smaller packet sizes. With extended access lists,
nonfragmented packets are tested against the access list. The
initial fragment of a fragmented packet is also tested against the
access list. Subsequent fragments are permitted without being tested
against the access list. This may be a problem if you are using
access lists as a security mechanism, because a statement that
denies the initial fragment does not stop the fragments that follow it.
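
The evaluation order and fragment handling described above, modelled as an added Python example (not code from the original page or from any router software). The `Packet` and `Ace` classes, the addresses, and the sample list are constructed for illustration; the implicit deny at the end of the list is standard access list behaviour that the page does not state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:                      # hypothetical model of an IP packet
    src: str
    dst: str
    proto: str                     # "tcp", "udp", "icmp"
    dport: Optional[int] = None    # only the initial fragment carries the port
    frag_offset: int = 0           # 0 = unfragmented or initial fragment

@dataclass
class Ace:                         # one access list statement (hypothetical)
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: str                       # CIDR prefix
    dst: str
    dport: Optional[int] = None    # protocol-dependent option

    def matches(self, p: Packet) -> bool:
        # Every configured condition must match; one failure rejects the line.
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

def evaluate(acl, p):
    """Return (action, matching line number or None)."""
    if p.frag_offset > 0:          # subsequent fragment: permitted untested
        return ("permit", None)
    for n, ace in enumerate(acl, 1):
        if ace.matches(p):         # first matching line decides
            return (ace.action, n)
    return ("deny", None)          # implicit deny (assumed, not on the page)

ANY = "0.0.0.0/0"
ACL = [                            # constructed sample list
    Ace("permit", "tcp", ANY, "192.0.2.10/32", 80),
    Ace("deny", "ip", ANY, "192.0.2.10/32"),
    Ace("permit", "ip", ANY, ANY),
]

if __name__ == "__main__":
    whole = Packet("198.51.100.7", "192.0.2.10", "tcp", 23)
    later = Packet("198.51.100.7", "192.0.2.10", "tcp", frag_offset=185)
    for pkt in (whole, later):
        print(pkt, "->", evaluate(ACL, pkt))
```

The same flow is denied by line 2 when it is tested, but the non-initial fragment is permitted without reaching any line, which is the gap to account for when the list is used as a security control.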