You have picked a very old thread to bring back to life (original discussion in 2009 with additional question in 2015). But having brought it back to life let us consider other answers that are possible.
First let us remember that when access-class was introduced and when the original question was asked that our networks were much simpler and our devices had fewer interfaces. There was a concern about how to control access to our network devices, and especially how to control where the request came from. There was not much reason to be concerned about which interface had received the request. access-class was developed to address this requirement. I would assert that it was a very effective solution to that requirement.
Now think about the environment quite a few years later. Our networks are more complex. Our devices have more interfaces. The sophistication of attacks has increased. Now from a security perspective we are concerned not only about where the request came from but are concerned about how the request got to us. (remember that the question in 2015 was how to differentiate a request received on the management interface from a request received on a data interface) This is quite a change in terms of scope and complexity. While it might have been able to meet this requirement by making changes in access-class that would have been difficult and would have presented significant challenges in backward compatibility to older versions of code implementation of access-class. It was easier and cleaner to solve this new requirement by developing a new feature. And that is what Cisco chose to do.
access-class is still available when our requirement is just to control where the access request came from. And the new control place control processes are available when we need to address other requirements such as which interface received the request.
HTH
Rick
HTH
Rick
