10.4 Configuring Extended Access Lists
10.4.1 Higher degree of control
Standard access lists offer quick configuration and low overhead in limiting traffic based on the source address within a network. Extended access lists provide a higher degree of control by enabling filtering based on the session-layer protocol, source and destination IP address, and application port number. These features make it possible to limit traffic based on the uses of the network.

In the main figure, if the requirement is to restrict network access based on department, standard access lists would work fine. You could create a list that allowed only Accounting (and denied every other department) to talk to Sales, and Sales to talk only to Manufacturing (and denied every other department). If, however, Manufacturing had a database of inventory levels that could be accessed via Telnet, and you wanted to allow Sales only Telnet access to Manufacturing, standard access lists would not suffice. Similarly, if Sales had the latest price list on a server accessible via Telnet, and you wanted Accounting to have only Telnet access to Sales, extended access lists would be required for this degree of control. With extended access lists, you can filter based not only on the source address, but also on the destination address or application port number.
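The Sales-to-Manufacturing Telnet requirement above, written as Cisco IOS configuration with the standard list shown beside the extended one. This is an added example, not part of the original course text; the subnets, list numbers and interface name are assumptions, because the figure's addressing is not reproduced here.

```cisco
! Constructed addressing (assumed, not taken from the figure):
!   Sales          172.16.10.0/24
!   Manufacturing  172.16.20.0/24, attached to FastEthernet0/1
!
! Standard list (1-99): matches on source address only.
! Permitting Sales here permits every protocol and port from Sales,
! so it cannot express "Telnet only".
access-list 10 permit 172.16.10.0 0.0.0.255
!
! Extended list (100-199): protocol, source, destination and port.
! Permit only TCP port 23 (Telnet) from Sales to Manufacturing.
access-list 110 permit tcp 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255 eq telnet
!
! Every list ends with an implicit "deny any". Writing the deny
! explicitly with "log" makes dropped packets visible in the router log.
access-list 110 deny ip any any log
!
! Apply the extended list to traffic leaving the router toward
! Manufacturing. Only one list per interface, per direction, per protocol.
interface FastEthernet0/1
 ip access-group 110 out
```

Entries are evaluated top to bottom and the first match wins, so the specific permit must come before the general deny. Verify the result with `show access-lists 110`, which lists each entry with its match counter.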

Note that a router cannot be a full firewall solution, although routers are important components of firewalls.