Imagine your network is a highway and you're the traffic controller. You need to know if a specific route is congested or broken before your users start complaining. IP SLA (Service-Level Agreement) Monitoring is Cisco's built-in tool that lets you proactively measure network performance—latency, jitter, packet loss, and more—by generating synthetic traffic. For the CCNA 200-301 exam (Objective 1.5), understanding IP SLA is crucial because it's the foundation for network assurance and automation. In real networks, it's the difference between fixing problems before anyone notices and being the last to know.
Think of IP SLA as an undercover postal inspector who regularly mails test letters between post offices to measure delivery performance. The inspector doesn't rely on customer complaints; instead, they proactively send a letter from Office A to Office B, record the time it leaves, and wait for a reply. When the reply arrives, they note the round-trip time. If a letter takes too long (high latency), they flag it. If letters start disappearing (packet loss), they investigate. The inspector can also track how consistent the delivery times are (jitter) by sending multiple letters in quick succession. In this analogy, the inspector is the IP SLA source (the router that generates probes), the test letter is an IP SLA probe (e.g., an ICMP echo or UDP jitter packet), and the receiving post office is the IP SLA responder (a target router or host that replies). The inspector can be configured to send probes at specific intervals (e.g., every 60 seconds) and to react if a threshold is exceeded—like sending an alert if round-trip time exceeds 200 ms. This proactive monitoring is exactly what IP SLA does: it simulates real traffic to measure network performance without waiting for actual user traffic to report problems. The key mechanistic detail is that the inspector never uses the same stamp twice—each probe is uniquely identified to avoid misinterpreting old results. Similarly, IP SLA sequences each probe with a unique sequence number to correlate requests and responses.
What Is IP SLA and Why Does It Exist?
IP SLA (Internet Protocol Service-Level Agreement) is a Cisco IOS feature that allows a router to generate and send synthetic traffic to measure network performance metrics such as latency, jitter, packet loss, and availability. It was introduced to provide network administrators with proactive performance monitoring capabilities without requiring dedicated hardware probes. Before IP SLA, engineers relied on passive monitoring (e.g., SNMP traps) or user complaints—both of which are reactive. IP SLA enables active monitoring: you can measure the quality of a path from one router to another, or to any IP host, on a scheduled basis.
How IP SLA Works Step by Step at the Packet Level
IP SLA works by having a source router (the IP SLA sender) send probe packets to a target (the IP SLA responder or any IP host). The probe type determines the packet format. For example, an ICMP echo probe sends a standard ping packet. The responder (if configured) timestamps the packet and sends a reply. The source then calculates metrics based on the timing and sequence numbers.
Here’s a detailed walkthrough of a UDP jitter probe (one of the most common types on the exam):
1. Configuration: The administrator configures an IP SLA operation on the source router. This includes specifying the probe type (e.g., UDP jitter), target IP address, source/destination ports, frequency, and thresholds.
2. Probe Generation: At the configured frequency (default 60 seconds), the source router creates a UDP packet with a timestamp and a sequence number. For jitter, multiple packets are sent in a burst (e.g., 10 packets every 20 ms).
3. Transmission: The probe packet is encapsulated in an IP packet and forwarded toward the target. The source records the send time (T1).
4. Reception at Responder: If the target is a Cisco router with IP SLA responder enabled, it receives the packet, records the arrival time (T2), and immediately sends a reply. The reply includes T2 and the original sequence number.
5. Return: The source receives the reply and records the return time (T3). It then calculates:
- One-way latency (if responder timestamps are used): T2 - T1 (approximate, requires clock sync)
- Round-trip time (RTT): T3 - T1
- Jitter: Variation in one-way delay between consecutive packets in the burst.
6. Threshold Monitoring: The source compares the measured values against configured thresholds (e.g., rising threshold 200 ms, falling threshold 150 ms). If the threshold is exceeded, the operation can trigger a reaction (e.g., syslog message, SNMP trap, or even a route change via EEM).
7. Data Storage: Results are stored in the router's memory. You can view current statistics with show ip sla statistics.
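The arithmetic in steps 5 and 6, worked through as an added Python example (not Cisco's implementation and not part of the original page). The burst data is constructed, the function and class names are hypothetical, and the reaction logic is a simplified model that assumes "exceeded" means strictly greater than the rising threshold.

```python
from statistics import mean

TIMEOUT_MS = 5000  # page default: a probe with no reply inside this window is lost


def burst_metrics(probes, timeout_ms=TIMEOUT_MS):
    """probes: (seq, t1, t2, t3) in ms; t2 and t3 are None when no reply arrived."""
    ok = [p for p in probes if p[3] is not None and p[3] - p[1] <= timeout_ms]
    rtt = [t3 - t1 for _, t1, _, t3 in ok]
    one_way = {seq: t2 - t1 for seq, t1, t2, _ in ok}  # needs synchronized clocks
    # Jitter compares packets with adjacent sequence numbers only, so a lost
    # packet never pairs its two neighbours. A constant clock offset cancels out.
    jitter = [abs(one_way[s + 1] - d) for s, d in one_way.items() if s + 1 in one_way]
    return {
        "loss_pct": 100.0 * (len(probes) - len(ok)) / len(probes),
        "rtt_avg": mean(rtt) if rtt else None,
        "one_way_avg": mean(list(one_way.values())) if one_way else None,
        "jitter_avg": mean(jitter) if jitter else None,
    }


class Reaction:
    """Simplified model of a rising/falling threshold pair (hypothetical class)."""
    def __init__(self, rising=200, falling=150, consecutive=1):
        self.rising, self.falling, self.consecutive = rising, falling, consecutive
        self.violated, self.streak = False, 0

    def update(self, value_ms):
        """Return 'raise' on a new violation, 'clear' on recovery, else None."""
        if not self.violated:
            self.streak = self.streak + 1 if value_ms > self.rising else 0
            if self.streak >= self.consecutive:
                self.violated = True
                return "raise"
        elif value_ms < self.falling:  # must drop below falling, not just rising
            self.violated, self.streak = False, 0
            return "clear"
        return None


def sample_burst(clock_offset_ms=0):
    """Constructed burst: 5 probes sent 20 ms apart, sequence 3 never answered."""
    delays = {1: (10, 10), 2: (14, 10), 3: None, 4: (12, 10), 5: (11, 10)}
    burst = []
    for seq, d in delays.items():
        t1 = 20 * (seq - 1)  # source clock
        t2 = t1 + d[0] + clock_offset_ms if d else None  # responder clock
        t3 = t1 + d[0] + d[1] if d else None  # source clock again
        burst.append((seq, t1, t2, t3))
    return burst


if __name__ == "__main__":
    print(burst_metrics(sample_burst()), burst_metrics(sample_burst(7)))
```

Shifting the responder clock by 7 ms moves the one-way average from 11.75 ms to 18.75 ms but leaves RTT (21.75 ms) and jitter (2.5 ms) unchanged, which is why one-way latency depends on clock sync while jitter does not.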
Key States, Timers, and Defaults
- Operation state: An IP SLA operation can be in one of these states:
  - pending: Not yet started.
  - active: Probes are being sent.
  - inactive: Stopped (e.g., after a schedule ends).
  - with threshold violations: When a threshold is crossed.
- Timers:
  - Frequency: Default 60 seconds for most probe types. This is how often a probe burst is sent.
  - Timeout: Default 5000 ms (5 seconds). If no reply is received within this time, the probe is considered lost.
- Thresholds: Rising threshold (e.g., 200 ms) and falling threshold (e.g., 150 ms) for reaction events.
- Schedule: You must schedule an operation to start and optionally stop. Default is to start immediately and run indefinitely.
- Probe types: Common types include:
  - icmp-echo: Simple ping-like probe.
  - udp-jitter: Measures jitter, latency, and packet loss.
  - tcp-connect: Tests TCP port reachability.
  - http: Measures HTTP GET response time.
  - dhcp: Tests DHCP server availability.
IOS CLI Verification Commands with Real Example Output
To verify IP SLA configuration and operation, use the following commands:
Show IP SLA configuration:
Router# show ip sla configuration
IP SLAs, Infrastructure Engine-II.
Entry number: 1
Owner: admin
Tag: ping-to-10.1.1.1
Type of operation to perform: icmp-echo
Target address: 10.1.1.1
Source address: 192.168.1.1
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Bucket size: 15
Frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Accumulated Number of failures: 0
Accumulated Number of successes: 100
...
Show IP SLA statistics:
Router# show ip sla statistics
Round Trip Time (RTT) for Index 1
Latest RTT: 10 ms
Latest RTT (milliseconds): 10
Latest RTT (microseconds): 10000
Number of successes: 100
Number of failures: 0
Operation time to live: Forever
Show IP SLA responder:
Router# show ip sla responder
IP SLA Responder is enabled.
How IP SLA Interacts with Related Protocols
IP SLA is often used in conjunction with:
- Object Tracking: You can track the result of an IP SLA operation (e.g., reachability) and use that to influence routing decisions via Policy-Based Routing (PBR) or HSRP/VRRP failover.
- EEM (Embedded Event Manager): IP SLA can trigger an EEM applet when a threshold is exceeded, allowing automated scripts to run.
- SNMP: IP SLA results can be polled via SNMP MIBs (CISCO-RTTMON-MIB) for integration with monitoring platforms like SolarWinds or PRTG.
- NetFlow: While IP SLA is active, NetFlow can capture the synthetic traffic for analysis.
On the exam, you should know that IP SLA is an active monitoring tool, not a routing protocol. It does not dynamically change routes unless combined with object tracking and a routing policy.
Configure IP SLA Operation
Enter global configuration mode and define an IP SLA operation with a unique ID (1-2147483647). Specify the probe type. For example, to create an ICMP echo probe to 10.1.1.1: `ip sla 1` then `icmp-echo 10.1.1.1`. This enters SLA configuration mode. You can optionally set the source IP address with `source-ip 192.168.1.1`, the frequency with `frequency 30` (seconds), and the timeout with `timeout 2000` (milliseconds). The default frequency is 60 seconds, and default timeout is 5000 ms. Exit with `exit`.
Set Thresholds and Reaction
Within the IP SLA configuration (e.g., `ip sla 1`), define thresholds to trigger events. Use `threshold 200` to set a rising threshold of 200 ms and `threshold-falling 150` for a falling threshold of 150 ms. Then configure a reaction: `reaction 1` creates a reaction entry. Inside reaction configuration, specify `react rtt` to monitor round-trip time, `threshold-type immediate` to react on first violation, or `threshold-type consecutive 3` to react after 3 consecutive violations. Use `action-type trap` to send an SNMP trap or `action-type syslog` to log a message. Exit with `exit`.
Schedule the IP SLA Operation
After configuring the operation, you must schedule it to start. In global configuration mode, use `ip sla schedule 1 life forever start-time now` to start immediately and run indefinitely. You can also specify a specific start time (e.g., `start-time 08:00:00 Jan 1 2025`) and a life duration (e.g., `life 3600` for 1 hour). Use `no ip sla schedule 1` to stop it. Verify with `show ip sla configuration`.
Enable IP SLA Responder (if needed)
For accurate one-way latency measurements, the target router must act as an IP SLA responder. On the target router, enable the responder globally: `ip sla responder`. This allows the router to process incoming IP SLA probe packets and reply with precise timestamps. Without the responder, the source can only measure round-trip time (RTT) using its own timestamps. The responder is required for UDP jitter and other advanced probe types. Verify with `show ip sla responder`.
Verify Operation and Statistics
Use `show ip sla configuration` to review the entire configuration. Use `show ip sla statistics` to see the latest results, including RTT, number of successes/failures, and any threshold violations. For real-time monitoring, use `show ip sla statistics detail` for more granular data like jitter values. If the operation is not working, check that the target is reachable and that ACLs/firewalls allow the probe traffic (IP SLA uses protocol 46 for some probes, but common ones like ICMP echo use ICMP).
Integrate with Object Tracking
To use IP SLA for route failover, create a track object that references the IP SLA operation. Example: `track 1 ip sla 1 reachability` creates a track that is up if the IP SLA operation reports success. Then reference this track on a static route (e.g., `ip route 0.0.0.0 0.0.0.0 10.1.1.254 track 1`) or in HSRP (e.g., `standby 1 track 1 decrement 10`). If the IP SLA operation fails (e.g., no reply), the track goes down, and the route is withdrawn or the HSRP priority is decremented. Verify with `show track`.
In enterprise networks, IP SLA is a cornerstone of proactive monitoring and intelligent failover. Consider a company with two internet connections—a primary MPLS link and a backup broadband link. The network engineer configures an IP SLA ICMP echo probe from the border router to a reliable public IP (e.g., 8.8.8.8) every 30 seconds. The probe's results are tracked via object tracking. If the primary link fails (probe times out), the track goes down, causing the default route to switch to the backup link. This provides automatic failover within seconds, far faster than waiting for BGP convergence. Without IP SLA, the router would not know the link is dead until a user complains or a routing protocol neighbor goes down.
Another common scenario is Voice over IP (VoIP) quality monitoring. A network manager configures a UDP jitter probe between two branch routers to simulate a VoIP call. The probe sends 10 packets every 20 ms, mimicking a G.729 codec. The results show jitter, latency, and packet loss. If jitter exceeds 30 ms or loss exceeds 1%, the engineer can be alerted via SNMP and investigate the WAN link. This proactive approach prevents poor call quality from going unnoticed.
Scale considerations: A single router can support hundreds of IP SLA operations, but each probe consumes CPU and memory. For large deployments, use moderate frequencies (e.g., 60 seconds) and avoid running too many operations simultaneously. Misconfiguration pitfalls include forgetting to enable the responder on the target (leading to inaccurate one-way measurements), setting thresholds too low (causing false alarms), or not scheduling the operation (it won't run). Also, IP SLA traffic should be marked with appropriate DSCP values to ensure it traverses QoS policies correctly; otherwise, the measurements may not reflect real user experience.
The CCNA 200-301 exam tests IP SLA under Objective 1.5 (Network Access) as part of network monitoring. You are expected to know the purpose, configuration steps, and verification commands. The exam focuses on the following:
- Purpose: IP SLA is used for proactive performance monitoring, not for routing (though it can influence routing via object tracking).
- Common probe types: ICMP echo, UDP jitter, TCP connect. Know which one measures jitter.
- Default values: Frequency = 60 seconds, Timeout = 5000 ms.
- Key commands: ip sla <id>, icmp-echo, frequency, timeout, ip sla schedule, show ip sla statistics, show ip sla configuration.
- Object tracking integration: The track command references an IP SLA operation. The track is up if the operation succeeds.
Common wrong answers and why candidates choose them:
1. Confusing IP SLA with NetFlow: NetFlow is for traffic analysis, not synthetic monitoring. Candidates often think IP SLA collects real user traffic.
2. Thinking IP SLA requires a responder for all probe types: ICMP echo does not require a responder; the source can calculate RTT using its own timestamps. Only advanced probes (UDP jitter) need a responder for one-way measurements.
3. Assuming IP SLA automatically changes routes: It does not. You must combine it with object tracking and routing policies.
4. Misremembering default frequency: Some think it's 30 seconds or 120 seconds. The default is 60 seconds.
Elimination strategy for scenario questions: If a question describes testing network performance by sending synthetic traffic, the answer is likely IP SLA. If it mentions measuring jitter for VoIP, look for UDP jitter probe. If it involves failover based on reachability, look for object tracking with IP SLA.
IP SLA is an active monitoring tool that generates synthetic traffic to measure network performance metrics like latency, jitter, and packet loss.
Default frequency for IP SLA probes is 60 seconds; default timeout is 5000 ms.
Common probe types on CCNA: icmp-echo (RTT), udp-jitter (jitter, latency, loss), tcp-connect (port reachability).
IP SLA requires a responder on the target for accurate one-way latency measurements; ICMP echo works without a responder.
Use `ip sla <id>` to create an operation, `ip sla schedule <id> life forever start-time now` to start it.
Verify with `show ip sla statistics` and `show ip sla configuration`.
IP SLA can be tracked via object tracking (`track <num> ip sla <id> reachability`) to influence routing or HSRP failover.
These come up on the exam all the time. Here's how to tell them apart.
IP SLA
- Synthetic traffic generation
- Measures latency, jitter, packet loss
- Proactive monitoring
- Requires configuration of probes
- Can trigger reactions (SNMP, syslog)
NetFlow
- Captures real user traffic
- Provides traffic volume, top talkers, etc.
- Reactive monitoring (analyzes existing traffic)
- Requires flow exporter and collector
- Used for capacity planning and security analysis
Mistake
IP SLA is a routing protocol that can dynamically change routes.
Correct
IP SLA is a monitoring tool; it does not change routes by itself. It provides metrics that can be used by object tracking to influence routing decisions.
Candidates often confuse monitoring with routing because IP SLA is often used in failover scenarios.
Mistake
IP SLA requires a responder on the target for all probe types.
Correct
Only advanced probes like UDP jitter require a responder for one-way measurements. ICMP echo works with any host that responds to ping.
The term 'responder' suggests it's always needed, but basic probes use standard protocol replies.
Mistake
IP SLA collects real user traffic statistics like NetFlow.
Correct
IP SLA generates synthetic traffic; it does not capture or analyze real user data. NetFlow is for real traffic analysis.
Both are monitoring tools, but they serve different purposes.
Mistake
The default frequency for IP SLA probes is 30 seconds.
Correct
The default frequency is 60 seconds. This is a common exam trap.
Candidates may guess a lower value because they think monitoring should be frequent.
A regular ping is a one-off manual test; IP SLA is automated and scheduled. IP SLA stores historical statistics, can trigger events on threshold violations, and integrates with object tracking for automated failover. It also supports advanced probes like UDP jitter that measure multiple metrics simultaneously.
Only for certain probe types. ICMP echo and TCP connect work with any standard host that responds. UDP jitter and UDP echo require an IP SLA responder on the target to timestamp packets for one-way delay calculations. Without a responder, the source can only measure RTT.
Use `show ip sla configuration` to see the schedule and state. Use `show ip sla statistics` to see the latest results. If the operation is active, the statistics will show successes and failures. If the state is 'pending', it hasn't started; if 'inactive', it has stopped.
Yes, IP SLA supports IPv6 probes. The configuration is similar but uses IPv6 addresses. For example, `ip sla 1` then `icmp-echo ipv6 2001:db8::1`. The same verification commands work.
The default timeout is 5000 milliseconds (5 seconds). If no reply is received within this time, the probe is considered failed. You can change it with the `timeout` command inside the SLA configuration.
It depends on the router platform and available memory. Low-end routers may support a few hundred, while high-end routers can support thousands. Cisco recommends not exceeding 2000 operations per router for stability. Each operation consumes CPU and memory.
It depends on the probe type. ICMP echo requires ICMP to be permitted. UDP jitter requires the specified UDP ports to be open. The IP SLA probe uses random source ports but fixed destination ports (e.g., UDP 162 for some probes). You may need to configure firewall rules to allow the traffic.