As we well know, one of the best features of Cisco IOS is the parser’s context sensitive help and tab-completion when typing in configuration or verification commands. One of the lesser known features related to this, however, is the ability to view all officially supported commands available in the parser on a per-mode basis on the CLI via the show parser dump command.
show parser dump lists all commands in exec mode, global configuration mode, route-map mode, etc. prefixed by the privilege level of the command. This includes the negation (e.g. “no router rip”) and the default (e.g. “default interface”) in addition to the actual command and its arguments. The advantage of this output is that you can quickly find the complete syntax for a command, or set of commands, just by filtering through the parser dump.
For example let’s take a look at the output of the “show parser dump route-map”, which shows us all commands under the route-map subconfiguration mode.
Router#show parser dump route-map Mode Name :route-map 0 no description <string> 0 no description 0 no description 0 no match interface <interface> 0 no match interface 0 no match interface 0 no match metric external <1-4294967295> +- <1-4294967295> 0 no match metric external <1-4294967295> +- <1-4294967295> 0 no match metric external <1-4294967295> 0 no match metric external <1-4294967295> 0 no match metric external 0 no match metric <1-4294967295> +- <1-4294967295> 0 no match metric <1-4294967295> +- <1-4294967295> 0 no match metric <1-4294967295> 0 no match metric <1-4294967295> 0 no match metric [output omitted] 0 default description <string> 0 default description 0 default description 0 default match interface <interface> 0 default match interface 0 default match interface 0 default match metric external <1-4294967295> +- <1-4294967295> 0 default match metric external <1-4294967295> +- <1-4294967295> 0 default match metric external <1-4294967295> 0 default match metric external <1-4294967295> 0 default match metric external 0 default match metric <1-4294967295> +- <1-4294967295> 0 default match metric <1-4294967295> +- <1-4294967295> 0 default match metric <1-4294967295> 0 default match metric <1-4294967295> 0 default match metric [output omitted] 15 description <string> 15 description 15 description 15 match interface <interface> 15 match interface 15 match interface 15 match metric external <1-4294967295> +- <1-4294967295> 15 match metric external <1-4294967295> +- <1-4294967295> 15 match metric external <1-4294967295> 15 match metric external <1-4294967295> 15 match metric external 15 match metric <1-4294967295> +- <1-4294967295> 15 match metric <1-4294967295> +- <1-4294967295> 15 match metric <1-4294967295> 15 match metric <1-4294967295> 15 match metric [output omitted]
Note that in the above output the commands are listed redundantly with both the prefixes “no” and “clear”, in addition to the actual command. The number at the beginning of the line is the command’s privilege level, which means that to issue the “no match interface” command you must have at least privilege level 0, but to actually issue the “match interface” command, you must be at privilege level 15.
One way to cut down on unnecessary output, while still keeping it useful, is to filter the output to only include lines that start with “15”, such as follows:
Router#show parser dump route-map | include ^15_ 15 description <string> 15 description 15 description 15 match interface <interface> 15 match interface 15 match interface 15 match metric external <1-4294967295> +- <1-4294967295> 15 match metric external <1-4294967295> +- <1-4294967295> 15 match metric external <1-4294967295> 15 match metric external <1-4294967295> 15 match metric external 15 match metric <1-4294967295> +- <1-4294967295> 15 match metric <1-4294967295> +- <1-4294967295> 15 match metric <1-4294967295> 15 match metric <1-4294967295> 15 match metric 15 match tag <0-4294967295> 15 match tag 15 match tag 15 match route-type internal 15 match route-type external type-1 15 match route-type external type-2 15 match route-type external [output omitted]
From this we can see that there is much less output than before, but we still maintain all the necessary commands we want to see. Here’s another example, where we look for all OSPF related commands at the interface level:
Router#show parser dump interface | include ^15_(.*)ospf 15 ip ospf authentication 15 ip ospf authentication-key 15 ip ospf message-digest-key <1-255> 15 ip ospf network 15 ip ospf cost <1-65535> 15 ip ospf resync-timeout <1-65535> 15 ip ospf hello-interval <1-65535> 15 ip ospf dead-interval 15 ip ospf priority <0-255> 15 ip ospf retransmit-interval <1-65535> 15 ip ospf transmit-delay <1-65535> 15 ip ospf lls 15 ip ospf flood-reduction 15 ip ospf demand-circuit 15 ip ospf mtu-ignore 15 ip ospf database-filter 15 ip ospf <1-65535> area <address> secondaries none 15 ip ospf <1-65535> area <address> 15 ip ospf <1-65535> area <0-4294967295> 15 ip ospf authentication 15 ip ospf authentication-key 15 ip ospf message-digest-key <1-255> 15 ip ospf network 15 ip ospf cost <1-65535> 15 ip ospf resync-timeout <1-65535> 15 ip ospf hello-interval <1-65535> 15 ip ospf dead-interval 15 ip ospf priority <0-255> 15 ip ospf retransmit-interval <1-65535> 15 ip ospf transmit-delay <1-65535> 15 ip ospf lls 15 ip ospf flood-reduction 15 ip ospf demand-circuit 15 ip ospf mtu-ignore 15 ip ospf database-filter 15 ip ospf <1-65535> area <address> secondaries none 15 ip ospf <1-65535> area <address> 15 ip ospf <1-65535> area <0-4294967295> 15 ipv6 ospf authentication ipsec spi <256-4294967295> 15 ipv6 ospf authentication null 15 ipv6 ospf network 15 ipv6 ospf cost <1-65535> 15 ipv6 ospf hello-interval <1-65535> 15 ipv6 ospf dead-interval <1-65535> 15 ipv6 ospf priority <0-255> 15 ipv6 ospf retransmit-interval <1-65535> 15 ipv6 ospf transmit-delay <1-65535> 15 ipv6 ospf flood-reduction 15 ipv6 ospf demand-circuit 15 ipv6 ospf mtu-ignore 15 ipv6 ospf database-filter 15 ipv6 ospf neighbor <address> 15 ipv6 ospf neighbor <address> cost <1-65535> 15 ipv6 ospf neighbor <address> database-filter all out 15 ipv6 ospf neighbor <address> 15 ipv6 ospf neighbor <address> priority <0-255> 15 ipv6 ospf neighbor <address> poll-interval <0-4294967295> 15 ipv6 ospf neighbor <address> 15 ipv6 ospf <1-65535> area <address> instance <0-255> 15 ipv6 ospf <1-65535> area <address> 15 ipv6 ospf <1-65535> area <0-4294967295>
Note that this included both OSPFv2 and OSPFv3 commands (IPv4 vs. IPv6) since I didn’t limit the output just to “ip ospf”. Another great example for this is IPSec related commands in global configuration. These commands generally include the words “crypto”, “ipsec”, or “isakmp”. With the below output we can look for any iteration of this. Note that since the regular expression is fairly complex, the CPUHOG message appears that the exec process is becoming CPU intensive:
Router#show parser dump configure | include ^15_(.*)((crypto)|(ipsec)|(isakmp)) *Jan 19 11:31:52.032: %SYS-3-CPUHOG: Task is running for (2004)msecs, more than (2000)msecs (0/0),process = Exec. -Traceback= 0x8005B2A4 0x8005B9F8 0x8006911C 0x8006A778 0x8006A250 0x811AB110 0x811AB004 0x811AB570 0x811A470C 0x811A39E8 0x811C3974 0x80244E10 0x80248504 *Jan 19 11:31:54.035: %SYS-3-CPUHOG: Task is running for (4007)msecs, more than (2000)msecs (0/0),process = Exec. -Traceback= 0x80065318 0x8006A630 0x8006A250 0x811AB110 0x811AB004 0x811AB570 0x811A470C 0x811A39E8 0x811C3974 0x80244E10 0x80248504 *Jan 19 11:31:54.187: %SYS-3-CPUYLD: Task ran for (4156)msecs, more than (2000)msecs (0/0),process = Exec *Jan 19 11:32:32.538: %SYS-3-CPUHOG: Task is running for (2003)msecs, more than (2000)msecs (0/0),process = Exec. -Traceback= 0x8006A40C 0x8006A250 0x811AB110 0x811AB004 0x811AB570 0x811A470C 0x811A39E8 0x811C3974 0x80244E10 0x80248504 *Jan 19 11:32:34.541: %SYS-3-CPUHOG: Task is running for (4006)msecs, more than (2000)msecs (0/0),process = Exec. -Traceback= 0x8006A414 0x8006A250 0x811AB110 0x811AB004 0x811AB570 0x811A470C 0x811A39E8 0x811C3974 0x80244E10 0x80248504 *Jan 19 11:32:34.606: %SYS-3-CPUYLD: Task ran for (4068)msecs, more than (2000)msecs (0/0),process = Exec15 ip nbar port-map ipsec 15 crypto pki token default max-retries 15 crypto pki token default removal timeout 15 crypto pki token default user-pin 15 crypto pki token default secondary config 15 crypto pki token <string> 15 crypto pki authenticate <string> 15 crypto pki enroll <string> interface <string> use <string> password <string> 15 crypto pki enroll <string> interface <string> use <string> 15 crypto pki enroll <string> 15 crypto pki enroll 15 crypto pki import <string> pkcs12 terminal <string> 15 crypto pki import <string> pkcs12 <URL> 15 crypto pki import <string> pem usage-keys exportable terminal <string> 15 crypto pki import <string> pem usage-keys exportable url <URL> 15 crypto pki import <string> pem usage-keys 15 crypto pki import <string> pem 15 crypto pki import <string> certificate 15 crypto pki export <string> pkcs12 terminal <string> 15 crypto pki export <string> pkcs12 <URL> 15 crypto pki export <string> pem terminal 3des <string> 15 crypto pki export <string> pem terminal des 15 crypto pki export <string> pem terminal 15 crypto pki export <string> pem url <URL> 15 crypto pki crl request <string> 15 crypto pki certificate query 15 crypto pki certificate map <string> 15 crypto pki certificate map <string> <1-65535> 15 crypto pki certificate validate <string> 15 crypto ca 15 crypto provisioning petitioner 15 crypto provisioning registrar 15 crypto wui tti 15 crypto engine software ipsec 15 crypto engine nm <0-3> 15 crypto engine onboard Number 15 crypto engine aim Number 15 crypto engine em <0-3> 15 crypto engine slot Number 15 crypto engine accelerator 15 crypto engine accelerator Number 15 crypto key generate rsa usage-keys label <string> modulus <360-2048> exportable 15 crypto key generate rsa usage-keys label <string> modulus <360-2048> 15 crypto key generate rsa usage-keys label <string> 15 crypto key generate rsa usage-keys 15 crypto key generate rsa general-keys 15 crypto key generate rsa 15 crypto key generate 15 crypto key zeroize rsa <string> 15 crypto key zeroize rsa 15 crypto key zeroize 15 crypto key export rsa <string> pem terminal 3des <string> 15 crypto key export rsa <string> pem terminal des 15 crypto key export rsa <string> pem url <URL> 15 crypto key import rsa <string> pem usage-keys exportable terminal <string> 15 crypto key import rsa <string> pem usage-keys exportable url <URL> 15 crypto key import rsa <string> pem usage-keys 15 crypto key import rsa <string> pem 15 crypto key pubkey-chain rsa 15 crypto key encrypt write rsa name <string> passphrase <string> 15 crypto key encrypt write rsa name <string> 15 crypto key encrypt write rsa 15 crypto key encrypt 15 crypto key decrypt write rsa name <string> passphrase <string> 15 crypto key decrypt write rsa name <string> 15 crypto key decrypt write rsa 15 crypto key decrypt 15 crypto keyring <string> vrf <string> 15 crypto keyring <string> 15 crypto xauth <interface> 15 crypto logging session 15 crypto isakmp aggressive-mode disable 15 crypto isakmp invalid-spi-recovery 15 crypto isakmp policy <1-10000> 15 crypto isakmp key <string> hostname <string> no-xauth 15 crypto isakmp key <string> hostname <string> 15 crypto isakmp key <string> address <address> <address> 15 crypto isakmp key <string> address <address> 15 crypto isakmp key <string> 15 crypto isakmp key <0-9> 15 crypto isakmp key 15 crypto isakmp key 15 crypto isakmp identity 15 crypto isakmp keepalive 15 crypto isakmp client configuration address-pool local 15 crypto isakmp client configuration group <string> 15 crypto isakmp xauth timeout 15 crypto isakmp peer hostname <string> vrf <string> 15 crypto isakmp peer hostname <string> 15 crypto isakmp peer address <address> 15 crypto isakmp nat keepalive 15 crypto isakmp profile <string> 15 crypto ipsec optional retry 15 crypto ipsec optional 15 crypto ipsec security-association lifetime seconds 15 crypto ipsec security-association lifetime seconds 15 crypto ipsec security-association lifetime kilobytes 15 crypto ipsec security-association idle-time 15 crypto ipsec security-association idle-time default 15 crypto ipsec security-association idle-time 15 crypto ipsec security-association replay disable 15 crypto ipsec security-association replay disable 15 crypto ipsec security-association replay window-size 15 crypto ipsec security-association replay window-size 15 crypto ipsec transform-set <string> 15 crypto ipsec fragmentation 15 crypto ipsec df-bit 15 crypto ipsec nat-transparency spi-matching 15 crypto ipsec nat-transparency udp-encapsulation 15 crypto ipsec profile <string> 15 crypto identity <string> 15 crypto call admission limit ike sa 15 crypto mib ipsec flowmib history tunnel size 15 crypto mib ipsec flowmib history failure size 15 crypto dynamic-map <string> <1-65535> 15 crypto dynamic-map <string> 15 crypto dynamic-map <string> <1-65535> 15 crypto map <string> <1-65535> 15 crypto map <string> 15 crypto map <string> <1-65535> ipsec-manual 15 crypto map <string> <1-65535> ipsec-isakmp dynamic <string> discover 15 crypto map <string> <1-65535> ipsec-isakmp dynamic <string> 15 crypto map <string> <1-65535> ipsec-isakmp profile <string> 15 crypto map <string> <1-65535> ipsec-isakmp 15 crypto map <string> <1-65535> 15 crypto map <string> local-address 15 crypto map <string> redundancy replay-interval inbound <0-1000> outbound <1000-100000> 15 crypto map <string> client configuration address initiate 15 crypto map <string> client authentication list 15 crypto map <string> client accounting list 15 crypto map <string> isakmp authorization list 15 crypto map <string> isakmp-profile 15 ip mobile tunnel crypto 15 snmp-server enable traps isakmp policy add 15 snmp-server enable traps isakmp policy delete 15 snmp-server enable traps isakmp tunnel start 15 snmp-server enable traps isakmp tunnel stop 15 snmp-server enable traps ipsec cryptomap add 15 snmp-server enable traps ipsec cryptomap delete 15 snmp-server enable traps ipsec cryptomap attach 15 snmp-server enable traps ipsec cryptomap detach 15 snmp-server enable traps ipsec tunnel start 15 snmp-server enable traps ipsec tunnel stop 15 snmp-server enable traps ipsec too-many-sas 15 snmp-server host <string> vrf <string> traps version 1 <string> isakmp 15 snmp-server host <string> vrf <string> traps version 1 <string> ipsec
For outputs that you want to reference frequently, like the “crypto” output above if you are in the CCIE Security Lab Exam, you can either log your output to a file through your terminal emulation software, or you can redirect the output to a file in flash, as seen below.
Router#show parser dump router router.output.dump
Router#dir flash:
Directory of flash:/
1 -rw- 29925948 <no date> c2600-adventerprisek9-mz.124-17.bin
2 -rw- 289862 Aug 29 2008 08:17:36 +00:00 crashinfo_20080829-081736
7 -rw- 55690 <no date> router.output.dump
49807356 bytes total (19478896 bytes free)
Router#more flash:router.output.dump | include ^15_(.*)eigrp
15 distance eigrp
15 eigrp router-id
15 eigrp stub
15 eigrp log-neighbor-changes
15 eigrp log-neighbor-warnings <1-65535>
15 eigrp log-neighbor-warnings
15 eigrp event-logging
15 eigrp event-log-size
15 distance eigrp
15 eigrp router-id
15 eigrp stub
15 eigrp log-neighbor-changes
15 eigrp log-neighbor-warnings <1-65535>
15 eigrp log-neighbor-warnings
15 eigrp event-logging
15 eigrp event-log-size
15 distance eigrp
15 eigrp router-id
15 eigrp stub
15 eigrp log-neighbor-changes
15 eigrp log-neighbor-warnings <1-65535>
15 eigrp log-neighbor-warnings
15 eigrp event-logging
[output omitted]
</pre>
About Brian McGahan, CCIE #8593, CCDE #2013::13:
Brian McGahan was one of the youngest engineers in the world to obtain the CCIE, having achieved his first CCIE in Routing & Switching at the age of 20 in 2002. Brian has been teaching and developing CCIE training courses for over 8 years, and has assisted thousands of engineers in obtaining their CCIE certification. When not teaching or developing new products Brian consults with large ISPs and enterprise customers in the midwest region of the United States.
Find all posts by Brian McGahan, CCIE #8593, CCDE #2013::13 | Visit Website
You can leave a response, or trackback from your own site.
8 Responses to “Using the “show parser dump” command”
Leave a Reply
Nice and handy tip! Thanks Brian!
One more question. Is there a way to show the commonly used IOS hidden commands?
Unfortunately, no. A “hidden” command means that it’s not “officially” supported, and it’s not added to the context sensitive help, so it won’t be in the parser dump. Here’s an example:
Rack8R2#sh ver | in IOS
<0-255> <0-65535> announceIOS ™ C2600 Software (C2600-JK9O3S-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1)
Rack8R2#config t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R2(config)#ip pim aut?
% Unrecognized command
Rack8R2(config)#ip pim autorp listener
Rack8R2(config)#end
Rack8R2#show parser dump configure | include listener
0 no ip rsvp listener
0 no ip rsvp listener <0-255> <0-65535> reply
0 no ip rsvp listener <0-255> <0-65535> reject
0 no ip rsvp listener <0-255> any
0 no ip rsvp listener udp
0 no ip rsvp listener tcp
0 no ip rsvp listener any
0 default ip rsvp listener <0-255> <0-65535> announce
0 default ip rsvp listener <0-255> <0-65535> reply
0 default ip rsvp listener <0-255> <0-65535> reject
0 default ip rsvp listener <0-255> any
0 default ip rsvp listener udp
0 default ip rsvp listener tcp
0 default ip rsvp listener any
15 ip rsvp listener <0-255> <0-65535> announce
15 ip rsvp listener <0-255> <0-65535> reply
15 ip rsvp listener <0-255> <0-65535> reject
15 ip rsvp listener <0-255> any
15 ip rsvp listener udp
15 ip rsvp listener tcp
15 ip rsvp listener any
Rack8R2#
[...] @ 4:03 pm Tags: CCIE, CCIE Lab, Certification, Cisco, Cisco Certification The IE blog has a great post up about the ’show parser dump’ command. I was connected to a production 6500 at work while I was reading this, so I decided to follow [...]
Thank You Brian!!!!!!!!
It is amazing
I have to give you props on this one. Very nice job.
I user the command
Router#show parser dump configure | include ^15_(.*)((ospf))
but “router ospf ” no appear
I was looking for this useful command then tried it in my lab, got the following message:
R1#show parser dump exec
Command accepted, but obsolete, parser dumper has been deprecated
I am running IOS Version 15.1(4)M4, searched for it in the Cisco command references to find that it was removed in version 15.0(1)M
http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/show_monitor_permit_list_through_show_process_memory.html#GUID-09B270F7-B2E2-45CE-A140-638BD14E8303
I guess it had such a large impact on buffer, system memory and CPU that Cisco decided to completely remove it from IOS 15… any ideas?
I think maybe the CCIE team had it removed once we started telling people you could use it for syntax help