Arista EOS

Arista EOS — Arista data-center switches. EOS uses a Cisco-IOS-style CLI; ~90% of the surface mirrors Cisco IOS. The differences live in the shell-escape blocks — EOS runs on a Fedora userland, so bash and embedded python are direct bypass routes that need explicit blocks.

Shorthand expansion

Identical to Cisco IOS — sh / sho / shw → show, wr / wri → write, p → ping, tr → traceroute. wr mem canonicalization is the same critical-path concern as on Cisco IOS.

Allowed (head)

show, ping, traceroute
dir, more
terminal length, terminal monitor, terminal no monitor

Blocked (head)

Arista-specific shell + scripting escapes:

bash — drops to the underlying Fedora root shell. The most important block on EOS — once in bash, the permit list is fully bypassed and the attacker has root on the box.
python, python2, python3 — embedded Python interpreters, same blast radius as bash, different entry points
event-handler — Arista’s analog to Cisco IOS’s event manager; defining or invoking a handler runs arbitrary scripts
agent — TerminAttr / state-streaming agent control
daemon — manual daemon launch

Privileged-mode + configure:

enable, disable
configure, conf t

Saves + file mutations:

write, copy, delete, erase, format, boot

Reload / reset / clear:

reload, reset, clear

Session control:

logout, exit, quit, end

Pipe stages

Allowed: include, exclude, begin, section, count, json (EOS-specific — JSON output format), format

Blocked:

redirect, tee, append — file writes
awk — arbitrary awk scripts can write files and spawn subshells via system(); the only platform we explicitly block awk on because EOS routes pipe output through a real awk binary