Extended ACLs are one of the fundamental access control features of IOS, knowing how they work and what they can do will make your job a lot easier. To start, extended ACLs match on more than just the source address, like standard ACLs. They can also be configured to match a range of layer 4 protocols like ICMP, OSPF, EIGRP, and etc. Other great thing about Extended ACLs is they can match on protocol fields, so you can match all packets with just the SYN flag set, or you could match a specific sequence number.
Lets start by creating a simple extended access list, this access list will deny all inbound TCP port 80 traffic on the FastEthernet 0/0 interface.
SC#config t SC(config)#access-list 100 permit tcp any any eq 80 SC(config)#interface fastEthernet 0/0 SC(config-if)#ip access-group 100 in