What is the sl_def_acl access list

Recently, a lot of people were looking for information on the sl_def_acl access list. Here's the whole story: if you've configured IOS login enhancements on your router, the router generates an access list named sl_def_acl (unless you specify your own with the login quiet-mode access-class command) the first time it has to enter the quiet mode. This access list is then applied to the VTY lines whenever the router enters the quiet mode and removed from the lines after the quiet period is over. The access list itself is left in the running configuration.

For those of you interested in the details, the sl_def_acl access list contains these lines in IOS release 12.4(9)T:

router#show access-list
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit tcp any any eq 22 log

The last line makes me wonder if the programmers of this particular feature should attend the ICND course first :).
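To make the shadowing concrete, here is an added Python model of IOS first-match ACL evaluation (not from the post and not IOS code) with the 12.4(9)T sl_def_acl typed in, beside an assumed replacement quiet-mode ACL that permits SSH only from one management host. The management address 192.0.2.10 and the ACL name CUSTOM_QUIET_ACL are assumptions; the log keyword is ignored because it does not affect matching.

```python
import ipaddress

# Constructed copy of the sl_def_acl shown above (IOS 12.4(9)T).
# Entry layout: (sequence, action, protocol, source, destination, dest_port or None)
SL_DEF_ACL_12_4_9T = [
    (10, "deny",   "tcp", "any", "any", 23),   # eq telnet
    (20, "deny",   "tcp", "any", "any", 80),   # eq www
    (30, "deny",   "tcp", "any", "any", 22),
    (40, "permit", "tcp", "any", "any", 22),   # can never match: line 30 already denied it
]

# Assumed replacement a defender would configure with
# "login quiet-mode access-class": permit SSH from the management host only.
CUSTOM_QUIET_ACL = [
    (10, "permit", "tcp", "192.0.2.10/32", "any", 22),
    (20, "deny",   "ip",  "any", "any", None),
]


def _matches(entry, proto, src, dport):
    _, _, e_proto, e_src, _, e_port = entry
    if e_proto != "ip" and e_proto != proto:
        return False
    if e_src != "any" and ipaddress.ip_address(src) not in ipaddress.ip_network(e_src):
        return False
    if e_port is not None and e_port != dport:
        return False
    return True


def evaluate(acl, proto, src, dport):
    """First-match evaluation with the implicit deny IOS appends to every ACL.
    Returns (action, matching sequence number or None for the implicit deny)."""
    for entry in acl:
        if _matches(entry, proto, src, dport):
            return entry[1], entry[0]
    return "deny", None


def shadowed_entries(acl):
    """Sequence numbers of entries that an earlier 'any'-source entry with the same
    (or broader) protocol and port already covers, so they can never be hit."""
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier[2] in ("ip", later[2]) and earlier[3] == "any"
                    and earlier[5] in (None, later[5])):
                shadowed.append(later[0])
                break
    return shadowed
```

Running evaluate() against the default ACL shows an SSH connection from the management host is denied by line 30 and line 40 is reported as shadowed, which is why the net effect of sl_def_acl is to block every VTY login during the quiet period.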

7 comments:

  1. That last line is pretty embarrassing.
  2. Looks like a bug in that version that they fixed in the later releases, mine shows:

    Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit ip any any log

    running 12.4(25b) here.
  3. Version 15.0(1)M, RELEASE SOFTWARE (fc2)
    Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit tcp any any eq 22 log
  4. Hehe, the 12.4 mainstream fix never got into 15.0M ;)
  5. Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)

    Router(config)#do sho access-lists
    Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit tcp any any eq 22 log
    Router(config)#

    15.1 is similarly "bugged"
    From the looks of this it would be better to create your own access list I would have thought.
  6. How am I able to access the router via PuTTY?

    I tried a test ... my device cannot access the router via telnet or SSH.

    sl_acl_def ... I applied it to telnet, SSH and line 2
  7. use console to access