Standard access lists offer quick configuration and low overhead when limiting traffic based on the source address within a network. Extended access lists provide a higher degree of control by enabling filtering based on the session-layer protocol, source and destination IP addresses, and application port number. These features make it possible to limit traffic based on how the network is used.
In the main figure, if the requirement is to restrict network access by department, standard access lists work fine. You could create lists that allow only Accounting to talk to Sales (denying every other department) and only Sales to talk to Manufacturing (denying every other department). If, however, Manufacturing had a database of inventory levels that could be accessed via Telnet, and you wanted to allow Sales only Telnet access to Manufacturing, standard access lists would not suffice. Similarly, if Sales had the latest price list on a server accessible via Telnet, and you wanted Accounting to have only Telnet access to Sales, extended access lists are required for this degree of control. With extended access lists, you can filter not only on the source address, but also on the destination address and application port number.
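To make the difference concrete, the following is an added Python model of the two list types; it is not Cisco's code and not part of the original text. It assumes constructed subnets for the three departments, a list applied inbound on the router interface facing Manufacturing, and IOS first-match semantics with the implicit deny at the end of every list. The IOS lines quoted in the comments are constructed equivalents of each entry. A standard entry can only say "Sales may talk to Manufacturing", so it admits Sales' web traffic along with Telnet; the extended entry admits Telnet (TCP port 23) alone.

```python
"""Toy evaluator for Cisco-style standard and extended access lists.

Added example (not Cisco's code). It models first-match semantics with
the implicit "deny" at the end of every access list and uses constructed
subnets for the three departments in the text:
  Accounting     10.1.0.0/16
  Sales          10.2.0.0/16
  Manufacturing  10.3.0.0/16
Both lists are assumed to be applied inbound on the router interface
facing Manufacturing, so only traffic headed into Manufacturing is shown.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ACCOUNTING = "10.1.0.0/16"      # constructed department subnets
SALES = "10.2.0.0/16"
MANUFACTURING = "10.3.0.0/16"
TELNET_PORT = 23                # Telnet runs over TCP port 23


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str                    # source IP address
    dst: str                    # destination IP address
    dport: Optional[int] = None # destination port, if the protocol has one


@dataclass(frozen=True)
class Entry:
    """One access-list line.

    A standard entry only looks at `src`; an extended entry may also
    constrain the protocol, the destination network and the port.
    """
    action: str                 # "permit" or "deny"
    src: str                    # source network in CIDR form, or "any"
    proto: str = "ip"           # "ip" matches every protocol
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if not _in_net(pkt.src, self.src):
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not _in_net(pkt.dst, self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Return "permit" or "deny" using IOS first-match semantics."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"               # implicit deny at the end of every list


# Standard list: the only available match criterion is the source address.
# Constructed IOS equivalent:  access-list 10 permit 10.2.0.0 0.0.255.255
STANDARD_ACL = [Entry("permit", SALES)]

# Extended list: protocol, source, destination and port can all be checked.
# Constructed IOS equivalent:
#   access-list 110 permit tcp 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255 eq 23
EXTENDED_ACL = [Entry("permit", SALES, proto="tcp",
                      dst=MANUFACTURING, dport=TELNET_PORT)]

# Constructed sample traffic, all headed into Manufacturing.
SALES_TELNET = Packet("tcp", "10.2.0.10", "10.3.0.5", TELNET_PORT)
SALES_HTTP = Packet("tcp", "10.2.0.10", "10.3.0.5", 80)
ACCOUNTING_TELNET = Packet("tcp", "10.1.0.10", "10.3.0.5", TELNET_PORT)


def compare(pkt: Packet) -> dict:
    """Show how each list type treats the same packet."""
    return {"standard": evaluate(STANDARD_ACL, pkt),
            "extended": evaluate(EXTENDED_ACL, pkt)}


if __name__ == "__main__":
    for name, pkt in [("Sales Telnet", SALES_TELNET),
                      ("Sales HTTP", SALES_HTTP),
                      ("Accounting Telnet", ACCOUNTING_TELNET)]:
        print(f"{name:18s} {compare(pkt)}")
```

Running the block prints that the standard list permits both the Sales Telnet and the Sales HTTP packet (it cannot tell them apart), while the extended list permits only the Telnet packet; Accounting's Telnet attempt is dropped by both lists through the implicit deny.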
Note that a router cannot be a full firewall solution, although
routers are important components of firewalls.