Jan 22

As we well know, one of the best features of Cisco IOS is the parser’s context-sensitive help and tab completion when typing configuration or verification commands. One of the lesser-known features related to this, however, is the ability to view all officially supported commands available in the parser on a per-mode basis from the CLI via the show parser dump command.

show parser dump lists all commands in exec mode, global configuration mode, route-map mode, etc. prefixed by the privilege level of the command. This includes the negation (e.g. “no router rip”) and the default (e.g. “default interface”) in addition to the actual command and its arguments. The advantage of this output is that you can quickly find the complete syntax for a command, or set of commands, just by filtering through the parser dump.

For example, let’s take a look at the output of “show parser dump route-map”, which shows us all commands under the route-map subconfiguration mode.

Router#show parser dump route-map
 Mode Name :route-map
0 no description <string>
0 no description
0 no description
0 no match interface <interface>
0 no match interface
0 no match interface
0 no match metric external <1-4294967295> +- <1-4294967295>
0 no match metric external <1-4294967295> +- <1-4294967295>
0 no match metric external <1-4294967295>
0 no match metric external <1-4294967295>
0 no match metric external
0 no match metric <1-4294967295> +- <1-4294967295>
0 no match metric <1-4294967295> +- <1-4294967295>
0 no match metric <1-4294967295>
0 no match metric <1-4294967295>
0 no match metric
[output omitted]
0 default description <string>
0 default description
0 default description
0 default match interface <interface>
0 default match interface
0 default match interface
0 default match metric external <1-4294967295> +- <1-4294967295>
0 default match metric external <1-4294967295> +- <1-4294967295>
0 default match metric external <1-4294967295>
0 default match metric external <1-4294967295>
0 default match metric external
0 default match metric <1-4294967295> +- <1-4294967295>
0 default match metric <1-4294967295> +- <1-4294967295>
0 default match metric <1-4294967295>
0 default match metric <1-4294967295>
0 default match metric
[output omitted]
15 description <string>
15 description
15 description
15 match interface <interface>
15 match interface
15 match interface
15 match metric external <1-4294967295> +- <1-4294967295>
15 match metric external <1-4294967295> +- <1-4294967295>
15 match metric external <1-4294967295>
15 match metric external <1-4294967295>
15 match metric external
15 match metric <1-4294967295> +- <1-4294967295>
15 match metric <1-4294967295> +- <1-4294967295>
15 match metric <1-4294967295>
15 match metric <1-4294967295>
15 match metric
[output omitted]

Note that in the above output the commands are listed redundantly with both the prefixes “no” and “default”, in addition to the actual command. The number at the beginning of the line is the command’s privilege level, which means that to issue the “no match interface” command you must have at least privilege level 0, but to actually issue the “match interface” command, you must be at privilege level 15.

One way to cut down on unnecessary output, while still keeping it useful, is to filter the output to only include lines that start with “15”, as follows:

Router#show parser dump route-map | include ^15_
15 description <string>
15 description
15 description
15 match interface <interface>
15 match interface
15 match interface
15 match metric external <1-4294967295> +- <1-4294967295>
15 match metric external <1-4294967295> +- <1-4294967295>
15 match metric external <1-4294967295>
15 match metric external <1-4294967295>
15 match metric external
15 match metric <1-4294967295> +- <1-4294967295>
15 match metric <1-4294967295> +- <1-4294967295>
15 match metric <1-4294967295>
15 match metric <1-4294967295>
15 match metric
15 match tag <0-4294967295>
15 match tag
15 match tag
15 match route-type internal
15 match route-type external type-1
15 match route-type external type-2
15 match route-type external
[output omitted]

From this we can see that there is much less output than before, but we still keep all the commands we want to see. Here’s another example, where we look for all OSPF-related commands at the interface level:

Router#show parser dump interface | include ^15_(.*)ospf
15 ip ospf authentication
15 ip ospf authentication-key
15 ip ospf message-digest-key <1-255>
15 ip ospf network
15 ip ospf cost <1-65535>
15 ip ospf resync-timeout <1-65535>
15 ip ospf hello-interval <1-65535>
15 ip ospf dead-interval
15 ip ospf priority <0-255>
15 ip ospf retransmit-interval <1-65535>
15 ip ospf transmit-delay <1-65535>
15 ip ospf lls
15 ip ospf flood-reduction
15 ip ospf demand-circuit
15 ip ospf mtu-ignore
15 ip ospf database-filter
15 ip ospf <1-65535> area <address> secondaries none
15 ip ospf <1-65535> area <address>
15 ip ospf <1-65535> area <0-4294967295>
15 ip ospf authentication
15 ip ospf authentication-key
15 ip ospf message-digest-key <1-255>
15 ip ospf network
15 ip ospf cost <1-65535>
15 ip ospf resync-timeout <1-65535>
15 ip ospf hello-interval <1-65535>
15 ip ospf dead-interval
15 ip ospf priority <0-255>
15 ip ospf retransmit-interval <1-65535>
15 ip ospf transmit-delay <1-65535>
15 ip ospf lls
15 ip ospf flood-reduction
15 ip ospf demand-circuit
15 ip ospf mtu-ignore
15 ip ospf database-filter
15 ip ospf <1-65535> area <address> secondaries none
15 ip ospf <1-65535> area <address>
15 ip ospf <1-65535> area <0-4294967295>
15 ipv6 ospf authentication ipsec spi <256-4294967295>
15 ipv6 ospf authentication null
15 ipv6 ospf network
15 ipv6 ospf cost <1-65535>
15 ipv6 ospf hello-interval <1-65535>
15 ipv6 ospf dead-interval <1-65535>
15 ipv6 ospf priority <0-255>
15 ipv6 ospf retransmit-interval <1-65535>
15 ipv6 ospf transmit-delay <1-65535>
15 ipv6 ospf flood-reduction
15 ipv6 ospf demand-circuit
15 ipv6 ospf mtu-ignore
15 ipv6 ospf database-filter
15 ipv6 ospf neighbor <address>
15 ipv6 ospf neighbor <address> cost <1-65535>
15 ipv6 ospf neighbor <address> database-filter all out
15 ipv6 ospf neighbor <address>
15 ipv6 ospf neighbor <address> priority <0-255>
15 ipv6 ospf neighbor <address> poll-interval <0-4294967295>
15 ipv6 ospf neighbor <address>
15 ipv6 ospf <1-65535> area <address> instance <0-255>
15 ipv6 ospf <1-65535> area <address>
15 ipv6 ospf <1-65535> area <0-4294967295>

Note that this included both OSPFv2 and OSPFv3 commands (IPv4 vs. IPv6), since I didn’t limit the output to just “ip ospf”. Another great example is IPSec-related commands in global configuration. These commands generally include the words “crypto”, “ipsec”, or “isakmp”. With the filter below we can look for any of these. Note that since the regular expression is fairly complex, CPUHOG messages appear, indicating that the exec process is becoming CPU intensive:

Router#show parser dump configure | include ^15_(.*)((crypto)|(ipsec)|(isakmp))

*Jan 19 11:31:52.032: %SYS-3-CPUHOG: Task is running for (2004)msecs, more than (2000)msecs (0/0),process = Exec.
-Traceback= 0x8005B2A4 0x8005B9F8 0x8006911C 0x8006A778 0x8006A250 0x811AB110 0x811AB004 0x811AB570 0x811A470C 0x811A39E8 0x811C3974 0x80244E10 0x80248504
*Jan 19 11:31:54.035: %SYS-3-CPUHOG: Task is running for (4007)msecs, more than (2000)msecs (0/0),process = Exec.
-Traceback= 0x80065318 0x8006A630 0x8006A250 0x811AB110 0x811AB004 0x811AB570 0x811A470C 0x811A39E8 0x811C3974 0x80244E10 0x80248504
*Jan 19 11:31:54.187: %SYS-3-CPUYLD: Task ran for (4156)msecs, more than (2000)msecs (0/0),process = Exec

*Jan 19 11:32:32.538: %SYS-3-CPUHOG: Task is running for (2003)msecs, more than (2000)msecs (0/0),process = Exec.
-Traceback= 0x8006A40C 0x8006A250 0x811AB110 0x811AB004 0x811AB570 0x811A470C 0x811A39E8 0x811C3974 0x80244E10 0x80248504
*Jan 19 11:32:34.541: %SYS-3-CPUHOG: Task is running for (4006)msecs, more than (2000)msecs (0/0),process = Exec.
-Traceback= 0x8006A414 0x8006A250 0x811AB110 0x811AB004 0x811AB570 0x811A470C 0x811A39E8 0x811C3974 0x80244E10 0x80248504
*Jan 19 11:32:34.606: %SYS-3-CPUYLD: Task ran for (4068)msecs, more than (2000)msecs (0/0),process = Exec
15 ip nbar port-map ipsec
15 crypto pki token default max-retries
15 crypto pki token default removal timeout
15 crypto pki token default user-pin
15 crypto pki token default secondary config
15 crypto pki token <string>
15 crypto pki authenticate <string>
15 crypto pki enroll <string> interface <string> use <string> password <string>
15 crypto pki enroll <string> interface <string> use <string>
15 crypto pki enroll <string>
15 crypto pki enroll
15 crypto pki import <string> pkcs12 terminal <string>
15 crypto pki import <string> pkcs12 <URL>
15 crypto pki import <string> pem usage-keys exportable terminal <string>
15 crypto pki import <string> pem usage-keys exportable url <URL>
15 crypto pki import <string> pem usage-keys
15 crypto pki import <string> pem
15 crypto pki import <string> certificate
15 crypto pki export <string> pkcs12 terminal <string>
15 crypto pki export <string> pkcs12 <URL>
15 crypto pki export <string> pem terminal 3des <string>
15 crypto pki export <string> pem terminal des
15 crypto pki export <string> pem terminal
15 crypto pki export <string> pem url <URL>
15 crypto pki crl request <string>
15 crypto pki certificate query
15 crypto pki certificate map <string>
15 crypto pki certificate map <string> <1-65535>
15 crypto pki certificate validate <string>
15 crypto ca
15 crypto provisioning petitioner
15 crypto provisioning registrar
15 crypto wui tti
15 crypto engine software ipsec
15 crypto engine nm <0-3>
15 crypto engine onboard Number
15 crypto engine aim Number
15 crypto engine em <0-3>
15 crypto engine slot Number
15 crypto engine accelerator
15 crypto engine accelerator Number
15 crypto key generate rsa usage-keys label <string> modulus <360-2048> exportable
15 crypto key generate rsa usage-keys label <string> modulus <360-2048>
15 crypto key generate rsa usage-keys label <string>
15 crypto key generate rsa usage-keys
15 crypto key generate rsa general-keys
15 crypto key generate rsa
15 crypto key generate
15 crypto key zeroize rsa <string>
15 crypto key zeroize rsa
15 crypto key zeroize
15 crypto key export rsa <string> pem terminal 3des <string>
15 crypto key export rsa <string> pem terminal des
15 crypto key export rsa <string> pem url <URL>
15 crypto key import rsa <string> pem usage-keys exportable terminal <string>
15 crypto key import rsa <string> pem usage-keys exportable url <URL>
15 crypto key import rsa <string> pem usage-keys
15 crypto key import rsa <string> pem
15 crypto key pubkey-chain rsa
15 crypto key encrypt write rsa name <string> passphrase <string>
15 crypto key encrypt write rsa name <string>
15 crypto key encrypt write rsa
15 crypto key encrypt
15 crypto key decrypt write rsa name <string> passphrase <string>
15 crypto key decrypt write rsa name <string>
15 crypto key decrypt write rsa
15 crypto key decrypt
15 crypto keyring <string> vrf <string>
15 crypto keyring <string>
15 crypto xauth <interface>
15 crypto logging session
15 crypto isakmp aggressive-mode disable
15 crypto isakmp invalid-spi-recovery
15 crypto isakmp policy <1-10000>
15 crypto isakmp key <string> hostname <string> no-xauth
15 crypto isakmp key <string> hostname <string>
15 crypto isakmp key <string> address <address> <address>
15 crypto isakmp key <string> address <address>
15 crypto isakmp key <string>
15 crypto isakmp key <0-9>
15 crypto isakmp key
15 crypto isakmp key
15 crypto isakmp identity
15 crypto isakmp keepalive
15 crypto isakmp client configuration address-pool local
15 crypto isakmp client configuration group <string>
15 crypto isakmp xauth timeout
15 crypto isakmp peer hostname <string> vrf <string>
15 crypto isakmp peer hostname <string>
15 crypto isakmp peer address <address>
15 crypto isakmp nat keepalive
15 crypto isakmp profile <string>
15 crypto ipsec optional retry
15 crypto ipsec optional
15 crypto ipsec security-association lifetime seconds
15 crypto ipsec security-association lifetime seconds
15 crypto ipsec security-association lifetime kilobytes
15 crypto ipsec security-association idle-time
15 crypto ipsec security-association idle-time default
15 crypto ipsec security-association idle-time
15 crypto ipsec security-association replay disable
15 crypto ipsec security-association replay disable
15 crypto ipsec security-association replay window-size
15 crypto ipsec security-association replay window-size
15 crypto ipsec transform-set <string>
15 crypto ipsec fragmentation
15 crypto ipsec df-bit
15 crypto ipsec nat-transparency spi-matching
15 crypto ipsec nat-transparency udp-encapsulation
15 crypto ipsec profile <string>
15 crypto identity <string>
15 crypto call admission limit ike sa
15 crypto mib ipsec flowmib history tunnel size
15 crypto mib ipsec flowmib history failure size
15 crypto dynamic-map <string> <1-65535>
15 crypto dynamic-map <string>
15 crypto dynamic-map <string> <1-65535>
15 crypto map <string> <1-65535>
15 crypto map <string>
15 crypto map <string> <1-65535> ipsec-manual
15 crypto map <string> <1-65535> ipsec-isakmp dynamic <string> discover
15 crypto map <string> <1-65535> ipsec-isakmp dynamic <string>
15 crypto map <string> <1-65535> ipsec-isakmp profile <string>
15 crypto map <string> <1-65535> ipsec-isakmp
15 crypto map <string> <1-65535>
15 crypto map <string> local-address
15 crypto map <string> redundancy replay-interval inbound <0-1000> outbound <1000-100000>
15 crypto map <string> client configuration address initiate
15 crypto map <string> client authentication list
15 crypto map <string> client accounting list
15 crypto map <string> isakmp authorization list
15 crypto map <string> isakmp-profile
15 ip mobile tunnel crypto
15 snmp-server enable traps isakmp policy add
15 snmp-server enable traps isakmp policy delete
15 snmp-server enable traps isakmp tunnel start
15 snmp-server enable traps isakmp tunnel stop
15 snmp-server enable traps ipsec cryptomap add
15 snmp-server enable traps ipsec cryptomap delete
15 snmp-server enable traps ipsec cryptomap attach
15 snmp-server enable traps ipsec cryptomap detach
15 snmp-server enable traps ipsec tunnel start
15 snmp-server enable traps ipsec tunnel stop
15 snmp-server enable traps ipsec too-many-sas
15 snmp-server host <string> vrf <string> traps version 1 <string> isakmp
15 snmp-server host <string> vrf <string> traps version 1 <string> ipsec

For outputs that you want to reference frequently, like the “crypto” output above if you are in the CCIE Security Lab Exam, you can either log your output to a file through your terminal emulation software, or you can redirect the output to a file in flash, as seen below.

Router#show parser dump router | redirect flash:router.output.dump
Router#dir flash:
Directory of flash:/

    1  -rw-    29925948                    <no date>  c2600-adventerprisek9-mz.124-17.bin
    2  -rw-      289862  Aug 29 2008 08:17:36 +00:00  crashinfo_20080829-081736
    7  -rw-       55690                    <no date>  router.output.dump

49807356 bytes total (19478896 bytes free)

Router#more flash:router.output.dump | include ^15_(.*)eigrp
15 distance eigrp
15 eigrp router-id
15 eigrp stub
15 eigrp log-neighbor-changes
15 eigrp log-neighbor-warnings <1-65535>
15 eigrp log-neighbor-warnings
15 eigrp event-logging
15 eigrp event-log-size
15 distance eigrp
15 eigrp router-id
15 eigrp stub
15 eigrp log-neighbor-changes
15 eigrp log-neighbor-warnings <1-65535>
15 eigrp log-neighbor-warnings
15 eigrp event-logging
15 eigrp event-log-size
15 distance eigrp
15 eigrp router-id
15 eigrp stub
15 eigrp log-neighbor-changes
15 eigrp log-neighbor-warnings <1-65535>
15 eigrp log-neighbor-warnings
15 eigrp event-logging
[output omitted]
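
The same filters can also be run off the router against a dump captured through the terminal emulator's log, which avoids the CPUHOG seen earlier. The following Python is an added example, not code from the original post: the sample dump is constructed in the page's format, the function names are illustrative assumptions, and the leading number is read as the privilege level as described above.

```python
import re

# Constructed sample in this page's "<privilege> <command>" format, plus one console log line.
SAMPLE_DUMP = """\
 Mode Name :configure
0 no crypto isakmp policy <1-10000>
0 default crypto isakmp policy <1-10000>
*Jan 19 11:31:52.032: %SYS-3-CPUHOG: Task is running for (2004)msecs
15 crypto isakmp policy <1-10000>
15 crypto isakmp key <string> address <address>
15 crypto isakmp key <string> address <address>
15 crypto ipsec transform-set <string>
15 ip nbar port-map ipsec
15 ip ospf cost <1-65535>
[output omitted]
"""

LINE = re.compile(r"^(\d{1,2}) (\S.*)$")
# IOS "_" matches a space, comma, brace, parenthesis, or either end of the string.
IOS_UNDERSCORE = "(?:^|$|[ ,{}()])"

def ios_to_python(pattern):
    """Compile an IOS '| include' regex; only the unescaped '_' is translated."""
    return re.compile(re.sub(r"(?<!\\)_", lambda m: IOS_UNDERSCORE, pattern))

def parse_dump(text):
    """Return (level, form, command) tuples, skipping headers and log noise."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        level, rest = int(m.group(1)), m.group(2)
        form, _, tail = rest.partition(" ")
        if form not in ("no", "default") or not tail:
            form, tail = "set", rest
        entries.append((level, form, tail))
    return entries

def include(text, ios_pattern):
    """Offline equivalent of '| include', with repeated lines collapsed."""
    rx = ios_to_python(ios_pattern)
    hits = []
    for line in (raw.strip() for raw in text.splitlines()):
        if LINE.match(line) and rx.search(line) and line not in hits:
            hits.append(line)
    return hits

def lower_privilege_forms(text):
    """Commands whose 'no'/'default' form is listed below the command's own level."""
    levels = {}
    for level, form, cmd in parse_dump(text):
        levels.setdefault(cmd, {})[form] = level
    return sorted(c for c, f in levels.items()
                  if "set" in f and min(f.values()) < f["set"])

if __name__ == "__main__":
    print(include(SAMPLE_DUMP, r"^15_(.*)((crypto)|(ipsec)|(isakmp))"))
    print(lower_privilege_forms(SAMPLE_DUMP))
```

The second function lists every command whose negation or default form carries a lower number than the command itself, which is the asymmetry pointed out for “match interface” above.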
About Brian McGahan, CCIE #8593, CCDE #2013::13:

Brian McGahan was one of the youngest engineers in the world to obtain the CCIE, having achieved his first CCIE in Routing & Switching at the age of 20 in 2002. Brian has been teaching and developing CCIE training courses for over 8 years, and has assisted thousands of engineers in obtaining their CCIE certification. When not teaching or developing new products Brian consults with large ISPs and enterprise customers in the midwest region of the United States.


8 Responses to “Using the “show parser dump” command”

 
  1. Dan says:

    Nice and handy tip! Thanks Brian!

    One more question. Is there a way to show the commonly used IOS hidden commands?

    • Unfortunately, no. A “hidden” command means that it’s not “officially” supported, and it’s not added to the context sensitive help, so it won’t be in the parser dump. Here’s an example:

      Rack8R2#sh ver | in IOS
      IOS (tm) C2600 Software (C2600-JK9O3S-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1)
      Rack8R2#config t
      Enter configuration commands, one per line. End with CNTL/Z.
      Rack8R2(config)#ip pim aut?
      % Unrecognized command
      Rack8R2(config)#ip pim autorp listener
      Rack8R2(config)#end
      Rack8R2#show parser dump configure | include listener
      0 no ip rsvp listener

      <0-255> <0-65535> announce
      0 no ip rsvp listener
      <0-255> <0-65535> reply
      0 no ip rsvp listener
      <0-255> <0-65535> reject
      0 no ip rsvp listener
      <0-255> any
      0 no ip rsvp listener
      udp
      0 no ip rsvp listener
      tcp
      0 no ip rsvp listener
      any
      0 default ip rsvp listener
      <0-255> <0-65535> announce
      0 default ip rsvp listener
      <0-255> <0-65535> reply
      0 default ip rsvp listener
      <0-255> <0-65535> reject
      0 default ip rsvp listener
      <0-255> any
      0 default ip rsvp listener
      udp
      0 default ip rsvp listener
      tcp
      0 default ip rsvp listener
      any
      15 ip rsvp listener
      <0-255> <0-65535> announce
      15 ip rsvp listener
      <0-255> <0-65535> reply
      15 ip rsvp listener
      <0-255> <0-65535> reject
      15 ip rsvp listener
      <0-255> any
      15 ip rsvp listener
      udp
      15 ip rsvp listener
      tcp
      15 ip rsvp listener
      any
      Rack8R2#
  2. [...] @ 4:03 pm Tags: CCIE, CCIE Lab, Certification, Cisco, Cisco Certification The IE blog has a great post up about the ’show parser dump’ command.  I was connected to a production 6500 at work while I was reading this, so I decided to follow [...]

  3. Karim Jamali says:

    Thank You Brian!!!!!!!!

    It is amazing

  4. I have to give you props on this one. Very nice job.

  5. jayjay says:

    I use the command
    Router#show parser dump configure | include ^15_(.*)((ospf))

    but “router ospf” does not appear

  6. PatrickM says:

    I was looking for this useful command then tried it in my lab, got the following message:

    R1#show parser dump exec
    Command accepted, but obsolete, parser dumper has been deprecated

    I am running IOS Version 15.1(4)M4, searched for it in the Cisco command references to find that it was removed in version 15.0(1)M
    http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/show_monitor_permit_list_through_show_process_memory.html#GUID-09B270F7-B2E2-45CE-A140-638BD14E8303

    I guess it had such a large impact on buffer, system memory and CPU that Cisco decided to completely remove it from IOS 15… any ideas?

 
