What is the difference between "permit tcp any any eq telnet" and "permit tcp any eq telnet any"?
I'm a CCNA student and during a lab I found that for some rules on an incoming extended ACL a rule like

    permit tcp any any eq (protocol)

would work fine, while for other rules I needed to use the format

    permit tcp any eq (protocol) any

Just wondering what the difference is?
    permit tcp any any eq <protocol-port>

Allows any traffic with a destination TCP port == protocol-port

    permit tcp any eq <protocol-port> any

Allows any traffic with a source TCP port == protocol-port
Example
ACLs tend to use fixed ports for the server-side of a client-server connection. Typically, the client connects to a well-known port on a server; when you posted to Stack Exchange, your web-browser (client) connected to the Stack Exchange server on TCP port 80.
                POS1/0  +-----------+  Gi0/0
    Internet -----------|  Router   |----------- Webserver (listening on TCP/80)
                        +-----------+
So pretend Stack Exchange was applying these ACLs to the router above. They could use this inbound on their POS1/0 interface, because traffic to the Stack Exchange webserver would be going to TCP/80:

    ip access-list extended WEB_in
     permit tcp any any eq 80
     deny ip any any log
They could apply this outbound on POS1/0, because traffic leaving the Stack Exchange webserver would be sourced from TCP/80:

    ip access-list extended WEB_out
     permit tcp any eq 80 any
     deny ip any any log
In this example, keep in mind that applying an ACL to "any eq 80" isn't terribly useful; normally you would limit it to specific IP addresses that you want to expose TCP 80 to the internet.
Also note that ACLs like this are pretty stone-age from a security perspective... Stateful packet inspection is considered the standard approach to securing a network border. In Cisco IOS, you'd use ZBF to get stateful packet inspection
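To make the source-port versus destination-port distinction concrete, here is an added example (not from the answer above or from Cisco) that parses the two ACL shapes discussed and evaluates them against a constructed client request and the server's reply; the ACL names WEB_in and WEB_out come from the answer, the packets are made up here.

```python
import re

# Supports the two ACE shapes from the answer: 'any [eq SRC] any [eq DST]'.
ACE_RE = re.compile(
    r"^(permit|deny)\s+(tcp|ip)\s+any(?:\s+eq\s+(\d+))?\s+any(?:\s+eq\s+(\d+))?(?:\s+log)?$")

def parse_acl(text):
    """Return (action, proto, src_port, dst_port) tuples; the header line is skipped."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("ip access-list"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, sport, dport = m.groups()
        rules.append((action, proto, sport and int(sport), dport and int(dport)))
    return rules

def evaluate(rules, pkt):
    """First matching ACE wins; IOS ends every ACL with an implicit deny."""
    for action, proto, sport, dport in rules:
        if proto == "tcp" and pkt["proto"] != "tcp":
            continue
        if sport is not None and pkt["sport"] != sport:   # 'any eq N any' -> source port
            continue
        if dport is not None and pkt["dport"] != dport:   # 'any any eq N' -> destination port
            continue
        return action
    return "deny"

WEB_IN = parse_acl("""ip access-list extended WEB_in
 permit tcp any any eq 80
 deny ip any any log""")
WEB_OUT = parse_acl("""ip access-list extended WEB_out
 permit tcp any eq 80 any
 deny ip any any log""")

# Constructed packets: a client request to the webserver, and the server's reply.
REQUEST = {"proto": "tcp", "sport": 51234, "dport": 80}
REPLY = {"proto": "tcp", "sport": 80, "dport": 51234}

def demo():
    return {
        "WEB_in/request": evaluate(WEB_IN, REQUEST),    # permit (dst port 80)
        "WEB_in/reply": evaluate(WEB_IN, REPLY),        # deny (dst port is ephemeral)
        "WEB_out/reply": evaluate(WEB_OUT, REPLY),      # permit (src port 80)
        "WEB_out/request": evaluate(WEB_OUT, REQUEST),  # deny (src port is ephemeral)
    }
```

Swapping the two ACLs between directions denies the very traffic they are meant to allow, which is why the answer pairs WEB_in with inbound and WEB_out with outbound on the same interface.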
Thanks Mike, That was really helpful. I understand that using "any any" is not best practice, I just used it for an example, I would be more specific in my actual ACLs. Thanks again.
You're most welcome... good luck with your studies
Mike Pennington 8 years ago