Undocumented Cisco Commands

Here is a list of the undocumented commands that can be entered into Cisco Routers.  These were commands that Cisco either created and were not fully functional or Cisco doesn't want us to know about.  Some of these commands only work on certain versions of IOS, however, I have found that many of them work well on all versions.  If you find errors or have additional commands that you have discovered, please let me know and I will post them here.

General Commands:

snmp-server priority low

ip spd enable

Enable selective packet discard (spd) to drop certain less-important types of packets if the router gets busy.  This keeps the router forwarding user traffic first and network management traffic last during high congestion times.  Attacks to overload the router with management traffic will be mitigated with this global configuration command.

service nagle

Enables the NAGLE congestion control algorithm.  This is supported in some, but not other versions of IOS.


Can generate TCP packets to test links

In 11.1, but not 11.3

Check out http://www.ccci.com/tools/ttcp/index.html

or http://www.ccci.com/product/network_mon/tnm31/ttcp.htm


ip nat service


test crash


no ip gratuitous-arps


show idb - 11.2 - shows interface descriptor block information


show isdn active

show isdn history


standby use-bia - HSRP

 no service password-recovery

Wipes out the current config and sends the user to setup

  configuration if the traditional password recovery method is used


Low Level VIP config mode:

if con <slot #> console

vip-slot0# ?

vip-slot0# test atm 0

to exit type "Ctrl-C" three times


show ip cache - ?

set ip cache policy


ip security extended-ignored


ipx sap-interval passive


show interface eth 0 stats

Yields other statistics about that interface


show interface eth 0 switching

Gives stats on how the packets are switches (fast/SSE/process) on that interface



Preferred Transport None:

line vty 0 (also for con or aux)

preferred transport none

This sequence forces you to type "telnet <hostname>" thus avoiding the

wait for a hostname resolution for telnet session when you really typed a

bad command. This is from the terminal server code Cisco had.


Bob Martin


Speaking from personal experience, it is also very useful for blocking

outbound telnet when using TACACS+ command authorization. Say, for

instance, you work in a NOC for a large insurance company. They place

routers in agent offices, which have no liability to the actual company.

The tranport preferred none command will allow tacacs+ to block telnet from

these end node routers, so if somebody breaks into a router, they can't get

any where else without bringing down the server, which would trigger an

event to the NOC.

Richard Rees


A Bunch of EIGRP commands:


show ip eigrp events

show ip eigrp event [as] [start# end#]


show ip eigrp sia-event [as] [start# end#]


show ip eigrp timers [as]


clear ip eigrp [as] event

Clear IP-EIGRP event logs

clear ip eigrp [as] logging

Stop IP-EIGRP event logging


Some EIGRP router sub-commands (i.e. under "router eigrp xx")

[no] eigrp event-logging

Controls logging of eigrp events on a per bases

[no] eigrp event-log-size

Set event log sixe to events; 0 deletes event log buffers

[no] command resets event log and SIA log size to 500 events

[no] eigrp log-event-type [dual] [xmit] [transport]

Configure the set of event types to log

[no] eigrp kill-everyone

Kill all adjacencies on an SIA event or a neighbor down event

[no] eigrp log-neighbor-changes

Log changes in peer status of neighbors

Donnie Savage


Some OSPF Commands:


show ip ospf stat

Shows detail of the last ten SPF algorithm runs with a reason for the run

Adrian Sinclair


show ip ospf event

show ip ospf maxage

show ip ospf bad-checksum

show ip ospf delete

Alex D. Zinin

ip flow-cache feature-accelerate


xxxxx(config)#ip flow-cache ?

  active-timeout      Specify the active flow timeout

  entries             Specify the number of entries in the flow cache

  feature-accelerate  Enable flow based feature acceleration

Oliver J. Albrecht     

One command that I used to diagnose a memory leak was "SHOW CHUNK"

Dave Greer

show region - Darrel Hinshaw

Does anybody know what the command "service internal" is on the Lightstream

> 1010 coder (version 11.3.5(WA48D))?

Not only on Lightstreams, though... ;)


This command switches on some code branches, containing additional checks

and debug outputs. Should not be used unless you are working with TAC upon

very hideous bug. Consumes significant portion of CPU...

Basil (Vasily)  Dolmatov 

'serv inter' allows you to enable some additional debugs that are not normally

available.  I don't think that having the command in your config has any

important CPU impact.  The debugs you can enable are a different story...

Santiago Alvarez

service internal - Lawrence Rebarchik

Interface looopback 0

ip ospf network point-to-point        /* put this command on the loopback to make the lo0 not a host(/32) route

Many Others: (Submitted by Dirk Riemenschneider)

bgp common-administration

bgp dynamic-med-interval

bgp process-dpa

clear ip eigrp [as] event                       Clear IP-EIGRP event logs

clear ip eigrp [as] logging                     Stop IP-EIGRP event logging

config overwrite

copy core ?                    does a full core dump, reboots router, as write core but with more options

debug dialer detailed

debug ip packet ... dump                        Outputs a hex & ASCII dump of the packet's contents

debug isdn code

debug sanity

if-con <n>                                      attach to a vip console


ip forwarding

ip forwarding accounting

ip forwarding accounting adjacency-update

ip forwarding accounting non-recursive

ip forwarding accounting per-prefix

ip forwarding accounting prefix-length

ip forwarding switch

ip forwarding traffic-statistics

ip forwarding traffic-statistics load-interval

ip forwarding traffic-statistics update-rate

ip igmp

ip igmp immediate-leave

ip igmp immediate-leave group-list

ip local-pool

ip ospf-name-lookup

ip slow-converge

ip spd

ip spd mode

ip spd mode aggressive

ip spd queue

ip spd queue max-threshold

ip spd queue min-threshold

memory scan                                           Parity check for 7500 RSPs

modem-mgmt csm debug-rbs

no service password-recovery                        for the daring people :-)


[router bgp ASN]

 neighbor <customer-router> translate-update [nlri multicast unicast]

                                                      redistribute between BGP and MBGP

 bgp redistribute-internal                          redistribute I-BGP routes in the other routing-protocol

service internal                                     some additional debugs that are not normally available

set destination-preference

show alignment

show asp

show caller

show chunk

show chunk summary

show controller vip <slotno> log

show controller vip <slotno> tech

show fib

show fib drop

show fib interface

show fib interface detail

show fib interface loopback

show fib interface null

show fib interface statistics

show fib interface vlan

show fib linecard

show fib linecard detail

show fib not-cef-switched

show ipv6 cef internal

show fib not-fib-switched

show hardware

show idb

show interface statis

show interface switching

show interfaces stat

show interface <int> stat

show interfaces switching

show int <int> switching

show ip eigrp event [as] [start# end#]          IP-EIGRP Events

show ip eigrp sia-event [as] [start# end#]      IP-EIGRP SIA event

show ip eigrp timers [as]                       IP-EIGRP Timers

show ip ospf bad-checksum

show ip ospf delete

show ip ospf delete-list

show ip ospf ev

show ip ospf events

show ip ospf maxage

show ip ospf maxage

show ip ospf statistics

show isdn active

show isdn history

show list

show list nonempty

show llc

show media

show media access-lists

show modem mapping

show parity

show parser

show parser links

show parser modes

show parser unresolved

show profile

show profile detail

show profile terse

show refuse-message

show region

show region address

show rsh

show rsh-disable-commands

show rsp

show slip

show slot

show snmp mib

show sum

show timers

snmp-server priority low                            config command

test crash                                      makes the router crash

test ipc misc

test ipx capacity x y z                              generated IPX RIP and SAPs

                                                      Enterprise feature set (11.2+)

         where x is the network address to begin at.

         where y is the number of advertisements

         where z is the interface IPX address that is reachable from                                 

test mbus power [slot] [on off]


write core                                            does a full core dump, reboots router


router bgp ...

 bgp redistribute-internal


Redistributing BGP into another protocol only redistributes E-BGP routes. Using

this command in the BGP configuration will also redistribute I-BGP routes in

the other routing-protocol.


neighbor xxx.xxx.xxx.xxx remove-private-as


If an as path made up of private as numbers is passed to an external neighbors,

the private as's are dropped. Private as's are in the range 64512 to 65535


For routers that are not able to do MBGP and you need those BGP routes into

MBGP you need the following command on router B.


router bgp 103

neighbor <cust-router remote-as <customer-as

neighbor <cust-router translate-update [nlri multicast unicast]


If you configure the "translate-update" command with 'nlri multicast' all

routes from this neighbor go into the MBGP table. If you configure both, they go into

both tables. If you need to control specificly which route should go into MBGP

and BGP, configure the 'translate-update' command without any NLRI, and

configure a route map to do it.


ipx sap-interval passive

no ip gratuitous-arps

sh con cxbus

Needed when one is BGP peering with a Bay/Nortel router:

  router bgp <AS>

   neighbor <IP ADDR> dont-capability-negotiate

Craig J. LaCava


Commands on Cat 5500/RSMs:

ps -c/-s/-p - Urszula

The "show biga" and "show portreg" commands are technically documented, but

are usually buried in the release notes somewhere and not included in the

user manual.

Patrick Douglas

Engineer Mode:

Enable engineer also allows you to access undocumented commands.

do a show ver to get the version number of the HW, FW and SW off the

Supervisor card.  On the Torrance Lab switch, it's:

1   2    WS-X5009   010968808 Hw : 3.1

                              Fw : 2.2(2)

                              Fw1: 2.2(1)

                              Sw : 4.2(2)

type "enable engineer"

The password is : passwordHWFWSWenablepassword.  So, if the password is

"pass", and the enable password is "epass", the enable engineer password is


The number of additional commands varies by IOS version.  Do a ? to see what

else you get.

Jonathon D. Paul

Engineer Mode:

To use this mode, first determine the software versions on your switch. Below is an extract from 'show version':
Module Ports Model Serial # Hw Fw Fw1 Sw
------ ----- ---------- --------- ------ ------- ------- ------
1 2 WS-X5009 003127015<?color><?param ffff,0000,0000> 1<?/color>.<?color><?param ffff,0000,0000>8<?/color><?color><?param ffff,0000,0000> 2<?/color>.<?color><?param ffff,0000,0000>1<?/color> 2.1<?color><?param ffff,0000,0000> 2<?/color>.<?color><?param ffff,0000,0000>4<?/color>(5)
Note the hardware, firmware and software versions above. Concatenate these (marked above in red) to form a six digit number (ignore full stops, Fw1 and Sw subrelease). e.g. 182124 from above.
Type 'enable engineer'. You will be prompted for a password.
The password is the concatenation of telnet password, 'magic' number from above and enable password.
i.e. If telnet password is 'password' and enable password is 'enable', then the enable engineer password for this switch is 'password182124enable'.

Matthew Coy,  Network Systems Consultant

In your switch, do a sh ver.  From the output, take numbers underneath the Hw, Fw, and Sw headings of the line cards (not the RSM, if you have one).  For example, mine is as follows:
Module Ports Model      Serial #  Hw     Fw      Fw1     Sw
------ ----- ---------- --------- ------ ------- ------- --------------
1      2     WS-X5530   008146920 1.5    3.1(2)  3.1(2)  3.1(1)
So I would take the following numbers (no periods, no minor rev #s): 153131
Using your telnet password and enable password, put them together and type the following: (we'll use telnet and enable as the passwords)
enable engineer
at the password prompt, type the following:
Your prompt now changes to:
hostname (debug-eng)
and you have access to the commands.
Keith Booe


whichbus tells you which bus a particular card is on but that is not as cool as enable engineer !

Jon Diamond


Shows the backplane statistics

show traffic

Shows interface counters – I don’t know the command to clear these counters (clear counters only clears the “show interface” counters)

show counters <mod/port>


Some GSR goodies:

1. To log into the line card, for 7500, you use "if-con" command; but you

use "attach" for GSR

2. dCEF is always enabled by default and can NOT be removed.

3. IOS only supports IP.

4. You can upgrade the whole IOS, or only mircrocode on selected line card.

Sometimes you need to upgrade images on chips, so use "upgrade all" command.

5. The back plane consists of SFC and CSC. Try to install two CSC, otherwise

one CSC blows up, you lose 3/4 back plane bandwidth.

check the release notes on CCO. Everything is there.

Yifan (Eric) Wang



set option errport enable

VoIP Command:
You can do a "csim start ####" to test.
#### = extension you want to dial.

<sh snmp mib>

"service internal" on an LS1010

'show interface xxx switching' 

ipx sap-interval passive

From the CIM - Basic Voice over IP CDROM:

  • modem-mgmt csm debug-rbs
    This is an undocumented Cisco IOS® command because it is a hidden command. You won't find it listed in the regular IOS® command reference. It is used specifically to debug in-band signaling and is available in IOS versions 11.3 through 12.0. This command is included because it is common knowledge and is used frequently in debugging CAS.  In the IOS, this command will eventually be replaced with debug cas from IOS version 12.0.


test dhcp [allocate xxx.xxx.xxx.xxx] | [release] | [renew]

test crash [value] or <cr> to enter crash menu

test dsp memory


Bert Boerland's Document the Undocumented site:




                        Document the undocumented


Project DOTU Web Site



Yet another version



Hidden IOS Commands:

Paulus Sugeng Widodo’s List



Any Others?

If anyone knows of any others I would definitely like to hear about them.

Just e-mail them to me at Scott Hogg

Page last updated 4/16/2002