Vendor coverage
Cisco IOS-XE
Cisco IOS-XE — the Linux-underlay descendant of classic IOS. The permit list mirrors Cisco IOS and adds three IOS-XE-specific blocks for the Linux-underlay escape vectors.
Shorthand expansion
Identical to Cisco IOS — sh / sho / shw → show,
wr / wri → write, p → ping, tr → traceroute.
Allowed (head)
Same as Cisco IOS — show, ping, traceroute, dir, more,
terminal length, terminal monitor, terminal no monitor,
where.
Blocked (head)
Inherits all Cisco IOS blocks (enable, configure, write,
copy, reload, clear, tclsh, event manager run, session
control verbs) AND adds:
IOS-XE-specific shell / container escapes:
guestshell— drops to a Linux container shell on the underlying IOS-XE Linux kernel. Full bypass; arguably the most important block on IOS-XE because guestshell is enabled by default on several platforms.app-hosting— manage, deploy, or run third-party containers. Both a state mutation and a code-execution path.request platform software— image management subtree.
Pipe stages
Identical to Cisco IOS — allowed: include, exclude, begin,
section, count, format; blocked: redirect, tee, append.