What is the sl_def_acl access list

Recently, a lot of people were looking for information on the sl_def_acl access list. Here's the whole story: if you've configured IOS login enhancements on your router, the router generates an access list named sl_def_acl (unless you specify your own with the login quiet-mode access-class command) the first time it has to enter the quiet mode. This access list is then applied to the VTY lines whenever the router enters the quiet mode and removed from them after the quiet period is over. The access list itself is left in the running configuration.

For those of you interested in the details, the sl_def_acl access list contains these lines in IOS release 12.4(9)T:

router#show access-list
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit tcp any any eq 22 log

The last line makes me wonder if the programmers of this particular feature should attend the ICND course first :).
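The problem with line 40 is that it is shadowed: line 30 already denies every packet line 40 could match, so the permit can never fire. As an added example (not from the original post), this Python script parses the two sl_def_acl variants quoted on this page and reports such dead entries; it only understands the "any any" ACE shape that sl_def_acl uses, and the constant names and the PORT_NAMES table are my own.

```python
import re
from collections import namedtuple

# Constructed sample input: the two sl_def_acl variants quoted in the post.
ACL_12_4_9T = """Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit tcp any any eq 22 log"""
ACL_12_4_25B = """Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit ip any any log"""

# Only the ACE shape sl_def_acl uses: seq, action, protocol, any any, optional "eq PORT", optional "log"
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(tcp|udp|ip)\s+any\s+any"
                    r"(?:\s+eq\s+(\S+))?(?:\s+log)?\s*$")
PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22}  # names IOS prints instead of numbers
Ace = namedtuple("Ace", "seq action proto port")  # port None = any port (e.g. 'permit ip any any')

def parse_acl(text):
    """Parse 'show access-list' output; header and prompt lines that are not ACEs are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        seq, action, proto, port = m.groups()
        port_num = None if port is None else (int(port) if port.isdigit() else PORT_NAMES[port])
        aces.append(Ace(int(seq), action, proto, port_num))
    return aces

def covers(earlier, later):
    """True if every packet matching 'later' is already matched by 'earlier' (src/dst are 'any' here)."""
    proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
    port_ok = earlier.port is None or earlier.port == later.port
    return proto_ok and port_ok

def shadowed_entries(aces):
    """Return (dead_seq, shadowing_seq) pairs for entries that can never match a packet."""
    dead = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if covers(earlier, later):
                dead.append((later.seq, earlier.seq))
                break
    return dead

if __name__ == "__main__": print(shadowed_entries(parse_acl(ACL_12_4_9T)))  # [(40, 30)]
```

The same check applied to a user-supplied quiet-mode ACL (login quiet-mode access-class) catches the same class of mistake before the router ever enters quiet mode.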

5 comments:

  1. That last line is pretty embarrassing.
  2. Looks like a bug in that version that they fixed in the later releases, mine shows:

    Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit ip any any log

    running 12.4(25b) here.
  3. Version 15.0(1)M, RELEASE SOFTWARE (fc2)
    Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit tcp any any eq 22 log
  4. Hehe, the 12.4 mainstream fix never got into 15.0M ;)
  5. Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)

    Router(config)#do sho access-lists
    Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit tcp any any eq 22 log
    Router(config)#

    15.1 is similarly "bugged".
    From the looks of this, it would be better to create your own access list, I would have thought.


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.