Port 2361: TL1 (Legacy) — The Backward-Compatible Door into Telecom's Past

What Port 2361 Does

Port 2361 carries TL1, which stands for Transaction Language 1. TL1 is the command language used to manage SONET rings, optical multiplexers, DSL equipment, and other telecommunications infrastructure across North America.

But port 2361 specifically is the legacy door. Cisco ONS equipment, for example, exposes TL1 over three ports: 3082 (raw TCP), 3083 (telnet), and 2361, which is "supported for backward compatibility with earlier releases" and behaves identically to 3083.¹ In other words, port 2361 exists so nothing breaks. Old network management systems that learned to dial this port decades ago still work, unchanged.

What TL1 Is

TL1 was developed by Bellcore in 1984 as a standardized language for Regional Bell Operating Companies to manage network elements.² Before TL1, every vendor had their own management interface. Bellcore said: no, there will be one language, and it will work across all equipment.

The result was a text-based command protocol that looks something like this:

ACT-USER::CISCO:ctag::cisco;

That command means: act (log in) as user CISCO, correlation tag "ctag", password "cisco". TL1 commands read like structured English, which made them writable by telecom engineers who weren't programmers.

TL1 never got the modern polish of REST APIs or SNMP. It's a 1984 protocol still doing serious work in 2026. The same SONET rings that were installed in the 1990s are still being managed through TL1 sessions, often on this same port.

The Range: Registered Ports

Port 2361 sits in the registered port range (1024-49151). These ports are assigned by IANA upon request for specific services. However, port 2361 isn't formally listed as assigned in the IANA registry — it's a de facto convention within Cisco ONS gear and similar equipment, not an official IANA registration.³

This is common. The telecom world predates the modern port registry and didn't always file paperwork with IANA when it chose port numbers. TL1's primary ports (3082 and 3083) carry the same informal status.

Security Notes

TL1 over port 2361 uses telnet, which means no encryption. Credentials and commands travel in plaintext. This was acceptable in 1984 when network management systems were air-gapped from public networks. Most deployments today sit inside carrier management networks that are isolated from the Internet.

But if you see port 2361 open on a device exposed to public networks, that's worth investigating. A telnet management interface for telecom gear shouldn't be publicly reachable.

Security researchers have also noted that port 2361 has historically appeared in malware signatures, which is worth knowing if you're doing incident response.⁴

How to Check What's Listening

On Linux/macOS:

ss -tlnp | grep 2361
# or
lsof -i :2361

On Windows:

netstat -ano | findstr :2361

If you see something on this port and you're not running telecom management software, it warrants a closer look.