10.4 Configuring Extended Access Lists
10.4.2 Extended access list processing
The main figure shows the decision process used with extended access lists. Every condition listed in the access list statement must match for the statement to match and the permit or deny condition to be applied. As soon as one parameter or condition fails, the next line in the access list is compared.

The extended access list checks source address, protocol, and destination address. Depending on the protocol configured, there may be more protocol-dependent options tested. For example, a TCP port may be checked, allowing routers to filter at the application layer.

IP permits fragmentation to allow large packets to be split up into smaller ones (fragments) in order to cross networks that support smaller packet sizes. With extended access lists, nonfragmented packets are tested against the access list. The initial fragment of a fragmented packet set is tested against the access list. Subsequent fragments are permitted without being tested against the access list. This may be a problem if you are using access lists as a security mechanism.
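The decision process and the fragment behavior described above can be modeled in a few lines. This is an added example, not code from the course or from IOS: the names `Packet`, `Entry`, `addr_match`, `entry_matches` and `evaluate` are hypothetical, and the addresses and access list are constructed. It assumes two standard IOS behaviors not stated in this section: wildcard masks, and the implicit deny at the end of a list.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None   # None when no TCP/UDP header is present
    frag_offset: int = 0             # 0 = unfragmented or initial fragment

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None   # protocol-dependent option (eq <port>)

def addr_match(addr, base, wildcard):
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF  # wildcard 1 bits are ignored
    return (int(ip_address(addr)) & care) == (int(ip_address(base)) & care)

def entry_matches(e, p):  # every condition must match, otherwise try the next line
    return (e.proto in ("ip", p.proto)
            and addr_match(p.src, e.src, e.src_wild)
            and addr_match(p.dst, e.dst, e.dst_wild)
            and (e.dst_port is None or e.dst_port == p.dst_port))

def evaluate(acl, p):
    if p.frag_offset > 0:            # subsequent fragment: never tested
        return "permit (fragment, untested)"
    for n, e in enumerate(acl, 1):
        if entry_matches(e, p):
            return f"{e.action} (line {n})"
    return "deny (implicit)"         # standard IOS end-of-list behavior

# Constructed list: deny tcp any host 192.0.2.10 eq 23 / permit ip any any
ACL = [Entry("deny", "tcp", "0.0.0.0", "255.255.255.255", "192.0.2.10", "0.0.0.0", 23),
       Entry("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")]

if __name__ == "__main__":
    for port, off in ((23, 0), (80, 0), (None, 185)):
        p = Packet("198.51.100.7", "192.0.2.10", "tcp", port, off)
        print(port, off, "->", evaluate(ACL, p))
```

The third sample packet is a subsequent fragment addressed to the host that line 1 protects; it is permitted without ever being compared to the list, which is the security concern the paragraph above raises.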