Extended ACL telnet issue

Josip Smolic
Level 1

Hi all,

I have a problem with an extended ACL permitting telnet from any host to only one router interface. After a couple of hours of going mental, I found this in the Cisco documentation:

By design, access-class only matches the source IP address of the access-list. Access-class allows access to the router as a whole, not access to the router only on a particular router address.

The question is: how can I set an extended ACL to allow telnet to only one router interface / IP address?

The example below is not working. It is correctly applied to the vty lines:

ip access-list extended NEW
permit tcp any host 10.2.2.2 eq telnet

Appreciate any help.


6 Replies

ahmedshoaib
Level 4

Hi;

Is there any reason to restrict your telnet sessions to a specific IP address/interface of the router?

To restrict the telnet the best option is applying access-class on vty line.

For your requirement you need to apply the ACL on all the interfaces and permit/deny the telnet requests, but on the other hand all inbound traffic to the router will then be checked against the telnet rule, which overloads the router CPU.

Thanks & Best regards;

Thank you for your reply. 

I am not concerned about router resources being overloaded. At this stage I am more in the mode of "is this even possible?" What you are suggesting is a workaround and sure, if my original plan doesn't work, I can try that. But is this possible, or is Cisco right when saying:

By design, access-class only matches the source IP address of the access-list. Access-class allows access to the router as a whole, not access to the router only on a particular router address.

Hi Josip;

Technically speaking you can restrict router telnet sessions for a specific address/interface by applying an access-class on the vty lines. It only checks the source address and decides either to allow or drop. VTY lines are solely used to control inbound Telnet/SSH connections coming from any interface.

Your requirement is doable by applying the ACL on all the physical interfaces of the router and allowing/dropping telnet traffic for a specific source/destination. But remember that by default the last statement of an ACL is an implicit deny-all, which will drop all other traffic. To avoid dropping legitimate traffic you need to add a permit-all statement or permit all the trusted traffic.

Thanks & Best regards; 
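The two approaches discussed above, written out as an added configuration example (not the poster's own config, and not from Cisco documentation). The first part reproduces the original poster's ACL on the vty lines, which does not work because access-class evaluates only the source address. The second part is the interface-ACL workaround from the reply above. The interface names and the addresses 10.1.1.1 and 10.3.3.3 are assumptions; only 10.2.2.2 comes from the original post.

```cisco
! --- What the original post tried ---
! The ACL itself is fine, but access-class ignores the destination
! address, so telnet to every router address is still accepted.
ip access-list extended NEW
 permit tcp any host 10.2.2.2 eq telnet
!
line vty 0 4
 access-class NEW in
 transport input telnet

! --- Workaround: filter by destination on the interfaces instead ---
! Assumed addressing (not from the thread):
!   GigabitEthernet0/0 = 10.1.1.1
!   GigabitEthernet0/1 = 10.2.2.2  (the only address that should accept telnet)
!   GigabitEthernet0/2 = 10.3.3.3
ip access-list extended TELNET-MGMT-ONLY
 remark telnet to the management address is allowed from anywhere
 permit tcp any host 10.2.2.2 eq telnet
 remark deny telnet to the router's OTHER addresses explicitly;
 remark "deny tcp any any eq telnet" would also drop transit telnet through the router
 deny   tcp any host 10.1.1.1 eq telnet
 deny   tcp any host 10.3.3.3 eq telnet
 remark an implicit deny-all follows, so permit everything else
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group TELNET-MGMT-ONLY in
!
interface GigabitEthernet0/1
 ip access-group TELNET-MGMT-ONLY in
!
interface GigabitEthernet0/2
 ip access-group TELNET-MGMT-ONLY in
!
! Verify: the deny lines should accumulate matches when telnet is
! attempted to 10.1.1.1 or 10.3.3.3, while a session to 10.2.2.2 succeeds.
! show ip access-lists TELNET-MGMT-ONLY
```

The interface ACL has to be applied inbound on every interface that can receive packets addressed to the router; a single missed interface leaves that path open. It complements rather than replaces the vty access-class: keep the access-class to restrict the source addresses, and use the interface ACL to restrict the destination. As the reply above notes, every inbound packet on those interfaces is now evaluated against the ACL, which is the CPU cost being traded for the restriction.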

Thank you.

Based on the Cisco documentation and your answer, an extended ACL cannot be used, when applied to the vty lines, to restrict access to only a certain router interface by filtering on the destination IP address. Going back to my original plan, it cannot be done. Do you agree?

Yes, it cannot be done.

It is quite true that with access-class it is not possible to restrict telnet access to a particular router interface. If your requirement is to restrict access to a particular interface then you might want to look into Control Plane Policing, assuming that this feature is supported on your platform and its version of code.

HTH

Rick
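The Control Plane Policing approach Rick points to, as an added example that is not part of his reply. It assumes a platform and IOS release that support CoPP with the MQC `police` action under `control-plane`; the ACL, class-map and policy-map names are assumptions, and 10.2.2.2 is the management address from the original post.

```cisco
! Control Plane Policing only sees traffic destined to the router itself,
! so unlike an interface ACL it cannot accidentally drop transit telnet.
!
! In an ACL referenced by a class-map, "deny" means "not in this class".
! This ACL therefore EXCLUDES telnet to 10.2.2.2 and MATCHES telnet to
! every other address the control plane receives, i.e. the router's
! other interface addresses.
ip access-list extended TELNET-NOT-MGMT
 deny   tcp any host 10.2.2.2 eq telnet
 permit tcp any any eq telnet
!
class-map match-all TELNET-NOT-MGMT
 match access-group name TELNET-NOT-MGMT
!
! Drop everything in that class; the rate is irrelevant because both
! conform and exceed actions drop. class-default is left untouched so
! all other control-plane traffic is forwarded as before.
policy-map COPP-TELNET
 class TELNET-NOT-MGMT
  police 8000 conform-action drop exceed-action drop violate-action drop
!
control-plane
 service-policy input COPP-TELNET
!
! Verify: the class counters should increase only for telnet attempts
! to addresses other than 10.2.2.2.
! show policy-map control-plane input class TELNET-NOT-MGMT
```

This still does not change what access-class does: the vty access-class continues to filter on source address only, and the CoPP policy filters on destination address before the packet ever reaches the vty. Both can be used together. Before relying on it, confirm on the target platform that control-plane policing is supported and that the policy is actually applied in hardware or software as expected, since support varies by platform and release, as Rick notes.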