Hidden IOS Commands

WARNING! These commands are not required to be known for the CCIE - rather, they are diagnostic tools for TAC and engineering/devtest to find problems with routers and switches. Again, you do not need to know these for the exam, and what's more, they come without backup information (documentation) or any warranties. Note that some of these were previously undocumented, but are now... I'm not going to take the time to pull them out unless someone sends me a nastygram.

Note: Many of these commands are pulled from a great website, http://www.boerland.com/dotu/. Go there for updates to this list.

***********************[A]*************************
aaa accounting delay-start
[12.1] [hidden] global configuration command aaa accounting delay-start delays creation of the PPP Network start record until the peer IP address is known.

aaa authorization address-authorization-exec
[12.1] [hidden] configuration command forces address authorization for PPP when started from an exec.

aaa group server {radius | tacacs+} server-group-name server (ip-address-1) [auth-port (port-number)] [acct-port (port-number)] server (ip-address-2) [auth-port (port-number)] [acct-port port-number] deadtime (minutes) pick-method [next | load-balanced | round-robin]
[hidden] Pick-method server-group configuration command used to specify an alternate method of selecting servers when one is not responding. As of 12.0(3)T the load-balanced and round-robin alternatives may be specified but may not be implemented. The load-balanced keyword indicates that the initial host is selected load-balanced. The round-robin keyword indicates that the initial host is selected in a round-robin method with all servers being retried before starting from the beginning of the list of servers. The next keyword indicates that the list of servers is stepped through sequentially with each request always starting with the first server in the list. This last option is the default method of operation.

aaa nas port description text
[hidden] global configuration command causes the specified text to appear in TACACS+ accounting records with the attribute nas-description and the value of the text specified in the command. This command is useful during debugging allowing one to specify information about the environment or configuration in which the accounting record was generated.

access-list number remark (comment)
and
ip access-list extended name remark (comment)
[12.1] Option to add comments about the access list. This keyword is documented under Bug Id CSCdk14543.

atm allow-max-vci
Interface command; allows the Cisco 7000 to use VCIs above 1023.

***********************[B]*************************

bgp common-administration

bgp dynamic-med-interval

bgp process-dpa

***********************[C]*************************

carrier delay (value)
[12.1] Modifies the carrier delay time. A value of 0 disables the carrier delay.

clear ip eigrp [as] event
Clear IP-EIGRP event logs.

clear ip eigrp [as] logging
Stop IP-EIGRP event logging.

clear profile
Clears CPU profiling.

clear startup-config
Same as erase startup-config

clear vtemplate
Resets the virtual templates.

clockrate {1200 | [...]| 2015232 }
There is an anomaly between what is documented, what is displayed and what is entered for this command. The documentation indicates the command is clock rate and this is what IOS shows as the valid command in configuration mode. However, a configuration display shows the command as clockrate, as this is how it is saved in NVRAM. In addition, older ROM monitors do not understand the newer clock rate command, which would cause problems. What actually happens here is that clockrate is implemented as a hidden command: it is not completed by pressing tab, nor is there any help generated for it. But both clockrate and clock rate are accepted, and there should be no problem in cutting and pasting the configurations.

config overwrite

copy core
Does a full core dump, as write core but with more options.

csim start (number)
Emulates a voice call.

***********************[D]*************************
debug buffer
Additional buffer debugging.

debug crypto isakmp detail
Crypto ISAKMP internals debugging.

debug crypto isakmp packet
Crypto ISAKMP packet debugging.

debug dialer detailed

debug ip ospf monitor
Debug command which shows OSPF database sync.

debug ip packet ... dump
Outputs a hex and ASCII dump of the packet's contents.

debug ipx private

debug isdn code

debug oir
Debug online insertion and removal

debug parser mode

debug sanity

debug subsys
Debug discrete subsystems.

dialer mult-map-same-name
Useful if you have dialup clients using the same chap/pap username.

dhcp-server import all
Take all DHCP client info from the "ip address dhcp" client and assume that info for our DHCP server.

debug snmp {bag | dll | io | mib { all | by-mib-name } | packets | sysdb | timers}

***********************[E]*************************

exception-slave dump X.X.X.X

exception-slave protocol tftp

exception-slave corefile

exception memory fragment (amount)
Will reload router when no more fragment memory is available. Documented in version 12.1(2)E.

***********************[F]*************************

***********************[G]*************************

gdb kernel
gdb examine pid
gdb debug pid
(Cisco's comment: gdb commands are for debugging, only useful to cisco engineers who have a symbol table for the IOS image in question).

***********************[H]*************************

hangup
Alias for "quit"

***********************[I]*************************

ip cef accounting per-prefix non-recursive prefix-length

if-con (slot number)
Attach to a vip console.

if-quit
Gets out of if-con mode.

ip forwarding accounting adjacency-update

ip forwarding accounting non-recursive

ip forwarding accounting per-prefix

ip forwarding accounting prefix-length

ip forwarding switch

ip forwarding traffic-statistics

ip forwarding traffic-statistics load-interval

ip forwarding traffic-statistics update-rate

[no] ip gratuitous-arps
This disables unsolicited ARP replies that are useful to signal to a second (redundant) router on the same LAN segment that a remote gateway is present or has changed.

ip igmp

ip igmp immediate-leave

ip igmp immediate-leave group-list

ip local-pool
Legacy form of ip local pool, for backwards compatibility.

ip ospf interface-retry (x)
Retry for ospf process

ip ospf-name-lookup

ip slow-converge

ip spd

ip spd mode

ip spd mode aggressive

ip spd queue

ip spd queue max-threshold

ip spd queue min-threshold

ip tftp boot-interface

ip tmstats bin [internal | external]
When ip cef accounting non-recursive is configured

isdn network
Tell a router to be the "master" on T1-CCS link using isdn switch-type primary-ni

ipx flooding-unthrottled
[12.1] Global configuration command, specifies that NLSP flooding should be unthrottled.

ipx netbios-socket-input-checks
[12.1] Global configuration command limits the input of non-type 20 netbios broadcast packets.

ipx potential-pseudonode
[12.1] Global configuration command specifies to keep backup route and service data for NLSP potential pseudonode.

ipx saps follow-route-paths
[12.1] An undocumented global configuration command. See Bug Id CSCdm12190

ipx server-split-horizon-on-server-paths
[12.1] Global configuration command specifies that split horizon SAP occurs on server, not route, paths. This command is documented in Bug Id CSCdm12190.

ipx update interval {rip | sap} {seconds | passive | changes-only}
[12.1] The undocumented passive keyword specifies to listen but does not send normal periodic SAP updates nor flashes/changes updates. Queries will still be replied to. The update interval is set to the same interval as changes-only. The passive keyword is documented under Bug Id CSCdj59918.

isdn {n200 | t200 | t203} (number)
Changes the value of various layer 2 ISDN timer settings. The number parameter is milliseconds for t200 and t203 and the maximum number of retransmits for the keyword n200. The current value of ISDN timers can be displayed using the show isdn timers EXEC command. The values of the timer settings depend on the switch type and typically are used only for homologation purposes. The typical value for t200 is 1 second, for t203 is 10 seconds and for n200 is 3 retransmits.

***********************[J]*************************

***********************[K]*************************

***********************[L]*************************

llc attach [interface]

llc close aaaa

llc offset aaaa

llc open [interface]

llc send aaaa

logging event {link-status | subif-link-status}
The no form of the undocumented logging event link-status interface command is used to turn off sending up, down and change messages for an interface to the syslog. This is very useful on live systems, since these systems generate so many of these messages that other important messages are often hard to see. This is a companion command to the documented command no snmp trap link-status, which prevents sending the associated SNMP trap.

loopback diag

loopback dec

loopback test

loopback micro-linear

loopback motorola

***********************[M]*************************

memory scan
Parity check for 7500 RSP's.

modem log {cts | dcd | dsr | dtr | ri | rs232 | rts | tst}
[12.1] Configuration command is used to specify which rs232 log events are to be saved for display by the show modem log command. When performing log analysis, various RS232 events fill the log within seconds rendering it useless for analysis (see Bug Id CSCdk86001). This command helps to filter out unwanted entries in the log.

modem-mgmt csm debug-rbs
[12.1] Turns on debugging for Channelized T1 links in the AS5x00 series, providing info about ABCD bits in phone call supervision. Documented, here. Debug cas replaced this 'broken' command. INTERNAL privileged EXEC command enables robbed bit signaling debugging within CSM. Issuing the command once turns on rbs debugging. Issuing the command a second time turns on special rbs debugging. Issuing the command using the no-debug-rbs keyword turns off all debugging. This command is useful in looking at modem pooling and channelized T1s. To make this command available, the service internal global configuration command must be issued first.

multilink bundle-name {authenticated | both | endpoint}
[12.1] This undocumented global configuration command selects the method for naming multilink bundles. Authenticated specifies using the peer's authenticated name, endpoint specifies using the peer's endpoint discriminator and both specifies using both the peer's authenticated name and endpoint discriminator.

***********************[N]*************************

[no] environment-monitor
Disable environment monitoring.

[no] ppp chap ignoreous
For router with same hostname

[no] service auto-reset
On linecards

***********************[O]*************************

***********************[P]*************************

ppp direction {callin | callout | dedicated}
[12.1] Identifies the direction of ppp activity. PPP attempts to determine if a call is callin or a callout or a dedicated line. This is how it detects spoofed CHAP challenges. When an async interface is added to a dialer interface, ppp cannot detect the difference between a dedicated line and a callin. So it assumes that it is a callin. Adding the ppp direction dedicated overcomes this.

ppp ipcp accept-address
Interface command specifies that IOS is to revert to the previous operation regarding the acceptance of IP addresses from users. When enabled, the peer IP address will be accepted but is still subject to AAA verification; it will, however, have precedence over any local address pool. In IOS releases after 11.0(11), PPP IPCP negotiation was changed to accept a remote peer's "Her" proposed address regardless, and the "Her" address is subsequently added to the IP routing table as a host route. With IOS Releases later than 11.0(11) the software checks the "Her" address against the corresponding dialer map and if the address is different than the IP address detailed within the dialer map, a NAK will be sent and the dialer map IP address will be added as a host route in the IP routing table.

ppp ipcp ignore-map

ppp lcp fast-start
[12.1] Interface configuration command specifies to ignore the carrier timer and start PPP when an LCP packet arrives.

ppp restart-timer (msec)
Interface configuration command modifies the default value (2 seconds) for the restart timer. The translate command also has a similar keyword, restart.

ppp timeout absolute (sec)
Determines how long a PPP link can be up. Default is infinity, configurable as 0. Used under virtual-template interfaces.

ppp timeout idle (sec) [inbound | either]
Determines how long PPP can wait until bringing the link down if there is no traffic. Default is infinity, configurable as 0. Used under virtual-template interfaces.

profile (start) (stop) (granularity)

***********************[Q]*************************

***********************[R]*************************

radius-server attribute 44 on-for-access-req
Global configuration command sends attribute 44 in all access request packets. The command may be present in IOS 11.3(9+)AA (reference BugID CSCdk74429). This command is replaced by the radius-server attribute 44 include-in-access-req command.

radius-server attribute 6 on-for-login-auth
Global configuration command sends attribute 6 in all authentication packets (e.g., access requests). This command may be present in IOS 11.3(9+)T and 12.0(3+)T (reference BugID CSCdk81561).

radius-server attribute 6 support-multiple
Global configuration command specifies that IOS is to support multiple Service-Type values per Radius profile in violation of the RFC for Radius. This command was added in IOS 12.1(2.3)T2 and 12.1(3.3)T (reference BugID CSCdr60306).

radius-server authorization default framed-protocol ppp
Used to specify the default framed-protocol as PPP when this RADIUS attribute is missing.

radius-server authorization permit missing service-type
Global command is used to specify that a RADIUS entry without service-type information is permitted. It is used when RADIUS is being used as a database without regard to service-type.

radius-server attribute nas-port extended
Command is replaced by the radius-server attribute nas-port format b command in some releases of IOS. For this reason it may be hidden in the IOS configuration mode but documented. In these versions of IOS, the command will be accepted but ignored.

radius-server challenge-noecho
[12.1] global configuration command specifies that data echoing to the screen is disabled during Access-Challenge.

radius-server directed-request [restricted] [right-to-left]
Right-to-left keyword, which first appeared in IOS 12.0(7)T, enables right-to-left parsing of the user information (reference Bugid CSCdm77820).

radius-server extended-portnames
Global configuration command, which displays expanded interface information in the NAS-Port-Type attribute, has been replaced by the radius-server attribute nas-port extended command. This command configures RADIUS to expand the size of the NAS-Port attribute field to 32 bits. The upper 16 bits of the NAS-Port attribute display the type and number of the controlling interface; the lower 16 bits indicate the interface undergoing authentication. This command first appeared in IOS Release 11.1. It has been hidden in IOS 11.3+ and IOS 12.0+ since the command has been replaced (reference Bugid CSCdj06817).

radius-server host {hostname | ip-address} [auth-port (port-number)] [acct-port (port-number)] [timeout (seconds)] [retransmit (retries)] [key string] [ignore-acct-authenticator]
The ignore-acct-authenticator keyword specifies to ignore accounting authenticator errors and warn only (11.3(+)AA).

radius-server ipc-limit done limit

radius-server retry method round-robin
Global configuration command is used to specify an alternate method of selecting servers when one is not responding. As of 12.0(3)T alternates may not be defined and the round-robin alternative may not be implemented.

radius-server secret (string)
Global configuration command is used to specify the key shared with the RADIUS server. This command is hidden because it has been replaced with the radius-server key command (reference BugID CSCdi44081). This command first appeared in IOS Release 11.1.

radius-server unique-ident value
Global configuration command is used to set high order bits for the accounting identifier. The identifier field is a one octet field included in all RADIUS accounting packets which aids in matching requests and replies.

***********************[S]*************************

scheduler max-task-time 200
Last value in milliseconds.

scheduler heapcheck process

scheduler heapcheck poll

scheduler run-degraded

service internal
Allows additional debugs that are not normally available.

service slave-coredump

service log backtrace
Provides traceback with every logging instance.

set destination-preference

show alignment

show asp

show async bootp
No extended data will be sent in BOOTP responses.

show bridge group verbose
Shows additional information on each port on which the bridge group is enabled.

show caller

show chunk [summary]

show counters [slot/port]

show compress hardware

show controller vip (slotno) log
show controller vip (slotno) tech

show fib drop
show fib interface
show fib interface detail
show fib interface loopback
show fib interface null
show fib interface statistics
show fib interface vlan
show fib linecard
show fib linecard detail
show fib not-cef-switched
show fib not-fib-switched

show idb

show interface status
show interface switching
show interface (int) stat
show interfaces switching
show interfaces (int) switching
Shows switching path information for the interface

show ip cef internal

show ip eigrp event [as] [start# end#]

show ip eigrp sia-event [as] [start# end#]

show ip eigrp timers [as]

show ip ospf bad-checksum

show ip ospf delete

show ip ospf delete-list

show ip ospf events

show ip ospf maxage-list

show ip ospf statistics

show ipx backup [network]

show ipx cache cbus

show ipx cache hash

show ipx eigrp event [event-number]

show ipx eigrp sia-event

show ipx private cache-history aaa

show ipx urd [0-fffffffe]

show isdn {active | history | memory | services | status [dsl | serial number] | timers}
active: Displays current call information, including called number, the time until the call is disconnected, AOC charging units used during the call, and whether the AOC information is provided during calls or at end of calls.
history: Displays historic and current call information, including the called number, the time until the call is disconnected, AOC charging time units used during the call, and whether the AOC information is provided during calls or at the end of calls.
status serial number: Displays the status of a specific ISDN PRI interface created and configured as a serial interface.

show isis timers
show isis tree
show isis tree level-2
show isis private

show list

show list nonempty

show llc

show media

show media access-lists

show modem mapping

show parity

show parser

show parser links

show parser modes

show parser unresolved

show proc all-events
Shows all process events

show profile
Shows cpu profiling.

show profile detail
Shows cpu profiling.

show profile terse
Shows cpu profiling.

show refuse-message

show region (address)
Shows image layout at given address.

show registry cr | brief | statistics | registry-name

show rsh

show rsh-disable-commands

show rsp

show slip

show smrp private | request | response

show snapshot private

show snmp chassis
show snmp contact
show snmp community
show snmp location
show snmp mib [detailed | dll]
show snmp newcom
show snmp view

show sum
Show current stored image checksum

show timers
Show timers for timer command in config mode.

show traffic
Shows the current backplane utilization and peak utilization for all three busses.

show queueing interface (interface)
Gives queueing information on a per interface basis

snmp-server priority {low | normal | high}
Global configuration command can be used to change the priority of SNMP processes. To avoid extensive polling, the priority should be set to low. All SNMP queries sent to a router are prioritized as either low or medium priority, depending on the version of code run by the route processor. This means that processes with a higher priority than the SNMP process will be serviced before SNMP. So, regardless of SNMP polling intensity, routing processes will generally be processed before SNMP requests because route processes are "high" priority. You can view the priorities of each of the router's processes by doing a show process and looking in the Q column (L == Low, M == Medium, H == High). See Cisco's website for documentation. This command has no impact on the priority of the SNMP trap process.

[no] snmp-server sparse-tables
Returns the complete SNMP MIB table. Without this command, a controller interface does not return, for example, the out bytes counter. With this command, every object is returned by SNMP get-next.

[no] sscop quick-poll
Supposed to help recover if SSCOP has problems; global command.

***********************[T]*************************


tclsh
Unverified but very interesting, you can program with loop control, expressions, etc from the IOS CLI. Prerelease?


telnet timeout

test appletalk
[12.1] The test appletalk command will enter appletalk test mode. The sub-commands available in this mode are:


test cbus
For old AGS+ and 7000. Lets you prod stuff right into cbus memory. *VERY* dangerous if you don't know what you're doing.

test cch323

test crash
Makes the router crash any way you want.

test dhcp [allocate xxx.xxx.xxx.xxx] | [release | renew]

test eigrp (as-number) {ack | neighbor-states ipx-address ipx-mask}
[12.1] As-number id from 1 to 65535, neighbor-states is either 1local (Neighbor states 1), 1successor (Neighbor states 3), 2local (Neighbor states 1 - 2), 2successor (Neighbor states 3 - 2), 3local (Neighbor states 1 - 0), 4local (Neighbor states 1 - 0 - 2), 5local (Neighbor states 1 - 0 - FC fail - 1), 6local (Neighbor states 1 - 2 - FC fail - 3), and delete (Delete a phoney entry in the topology table). The keyword ack toggles EIGRP fast acking.

test ifs appn {read | write}{hostname | ip-address}
The test ifs appn command reads or writes an appn file.

test ifs boot boot-command-line
The test ifs boot command parses the bootstrap 'boot' command line.

test ifs defaults
The test ifs defaults command shows the default boot files.

test ifs show hidden
The test ifs show hidden command toggles the display of hidden file systems and files.

test ifs slot slot (url)
The test ifs slot command will produce a core dump of slots on crashes.

test interfaces

test ipc misc

test ipx capacity w x y z
Generated IPX RIP and SAPs. Enterprise feature set (11.2+), where:

test ipx debug [0-ffffffff] [0-ffffffff] [0-ffffffff]

test ipx echo router-address [times-sent] [interval]
Sends 1447 RIP requests for 1-182 random networks; remote end sends echo reply back (ipx ping works the same way, but it always requests network 00000000)

test ipx gns [type] [numb-tries] [timeout] [network-to-send-request-on]
Types: 1-User, 2-User Group, 3-Print Queue, 4-File Server, 5-Job Server, 6-Gateway, 7-Print Server, 8-Archive Queue, 9-Archive Server, A-Job Queue, B-Administration Object, F-Novell TI-RPC, FF-Wild, FFFF-Request Response.

test ipx netbios find [name] [numb-tries] [timeout] [network-to-send-request-on]
Sends out un-interpreted packets.

test ipx query [sending-SAP-type] [type] [server-name] [network] [maskf] [numb-tries] [timeout]
Sending-sap-types: 2-Response (in), 4-Nearest Server type, C-General Name Query, D-General Name Response, E-Nearest Name Query, F-Nearest Name Response

test ipx ripreq (network)
Sends rip request for network specified.

test ipx watchdog (host-address)
Sends watchdog (IPX Keep-alive) packet to specified host.

test leds

test mbus power (slot) [on | off]
[no] Shut a line card.

test memory

test rsp cache memd-fastswitch uncached
The processor in the router has its own cache. There were bugs in working with this cache. With this exec command you can disable the use of this cache. Because this is an exec command, you have to type it again after a reboot.

test rsp slot [mask/unmask]
Use this command to shut down a VIP from CLI (mask) or return it to service (unmask). Note that this will also remove the VIP from a "sho diag."

test transmit

test modem back-to-back (first-slot/port) (second-slot/port)
Performs modem testing. Test the transmission of L2 frames.

test vines
Enter VINES test mode. The sub-commands available in this mode are: build [Build tables], checksum [Checksum test], data [Set data values used in various places], end [Exit VINES test mode], flush [Flush tables], generate [generate information], send [Send a VINES packet], set [Send a VINES value], ss [Do Server Service things], st [Send a vines streettalk packet].

test voip scripts
Allows self-created IVR (Interactive Voice Response) scripts to be run. Cisco included 7 IVR scripts in IOS. Self-created scripts must be specially signed. Issuing this command in privileged mode before loading a self-created script turns off the signature checking procedure. The only problem is that the command must be issued again after each router reboot. Cisco promises to remove the signature checking procedure entirely in future IOS releases.

test vpdn

timeout absolute (minutes) (seconds)
[12.1] command is available to enforce timeouts on an interface.

trace display
Displays the trace buffer when connected with if-con 0

ttcp
Like the Unix ttcp, to generate traffic.

tunnel carry-security

***********************[U]*************************

***********************[V]*************************

vpdn aaa override-server {hostname | ip-address}
[12.1] Global configuration command specifies the name or ip address of a designated AAA server to be used for VPDN authorization.

***********************[W]*************************

who
Alias for show users

write core
Does a full core dump, reboots router


Filesystem - interesting hidden files
cd system:/vfiles and 'dir' and there are three files available:
tmasinfo
tmstats.ascii
tmstast.binary
tmstats.ascii: