Extended IP access lists are similar to standard IP ACLs in that you enable extended access lists on
interfaces for packets either entering or exiting the interface. IOS then searches the list sequentially. The first
statement matched stops the search through the list and defines the action to be taken. The key difference
between extended ACLs and standard ACLs is the variety of fields in the packet that extended access lists
can compare when matching. A single extended ACL statement can examine multiple parts of the
packet headers, and all of its parameters must match for that one ACL statement to match. That
matching logic is what makes extended access lists both much more useful and much more complex than
standard IP ACLs. You can configure an extended ACL to match the IP protocol type, which identifies what
header follows the IP header. By checking the Protocol field you can specify all IP packets, or only those
with TCP headers, UDP headers, ICMP, and so on. You can also check the source and destination IP
addresses, as well as the TCP source and destination port numbers.
Because an extended access list is more complex than a standard access list, its configuration
commands are also more complex. The configuration command for extended access lists is:
• access-list access-list-number action protocol source source-wildcard destination destination-wildcard [log | log-input], which defines one statement of an extended access list;
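The following is an added illustration, not part of the original text or of IOS: a small Python evaluator that applies the first-match, all-fields-must-match logic described above to a constructed three-statement ACL written in the access-list syntax just shown. The ACL number, addresses, the eq port operator and the host/any keywords are assumptions made for the example.

```python
import ipaddress
# Constructed three-statement extended ACL in the access-list syntax from the
# text (the eq port operator is an assumption, not shown in the text above).
ACL_101 = [
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 443",
    "access-list 101 deny   ip  10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255 log",
    "access-list 101 permit ip  any any",
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_ace(line):
    """Parse one statement: number, action, protocol, src/dst pairs, ports, log."""
    tok = line.split()
    ace = {"number": int(tok[1]), "action": tok[2], "protocol": tok[3]}
    i = 4
    for side in ("src", "dst"):
        if tok[i] == "any":                      # shorthand for 0.0.0.0 255.255.255.255
            ace[side], i = ("0.0.0.0", "255.255.255.255"), i + 1
        elif tok[i] == "host":                   # shorthand for <addr> 0.0.0.0
            ace[side], i = (tok[i + 1], "0.0.0.0"), i + 2
        else:
            ace[side], i = (tok[i], tok[i + 1]), i + 2
        ace[side + "_port"] = None
        if i < len(tok) and tok[i] == "eq":      # optional TCP/UDP port operator
            ace[side + "_port"], i = int(tok[i + 1]), i + 2
    ace["log"] = i < len(tok) and tok[i] in ("log", "log-input")
    return ace

def matches(ace, pkt):
    """Every field the statement specifies must match, or the statement does not."""
    if ace["protocol"] not in ("ip", pkt["protocol"]):
        return False
    for side in ("src", "dst"):
        if not wildcard_match(pkt[side], *ace[side]):
            return False
        port = ace[side + "_port"]
        if port is not None and pkt.get(side + "_port") != port:
            return False
    return True

def evaluate(acl_lines, pkt):
    """IOS searches sequentially; the first match decides; no match means deny."""
    for ace in map(parse_ace, acl_lines):
        if matches(ace, pkt):
            return ace["action"]
    return "deny"  # implicit deny at the end of every ACL
```

Note that the second statement only denies traffic the first one did not already permit; swapping their order would silently block the HTTPS traffic, which is the ordering pitfall the sequential search implies.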