How to configure PIM SSM IGMPv3 on Cisco SD-WAN (Catalyst SD-WAN)
By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30
| Brand | Cisco SD-WAN (Catalyst SD-WAN) |
|---|---|
| Family | Cisco Real World Problems |
| Category | Cisco |
| Guide type | How To |
| Skill level | Intermediate |
I run a Cisco shop. Most weeks I am wrist-deep in a Cisco SD-WAN (Catalyst SD-WAN) chassis or staring at a console window on Putty 0.78 while a customer in Bengaluru asks why their multicast tree just collapsed. Pim source-specific multicast (ssm) with igmpv3 comes up almost every quarter on these boxes, usually because you want IGMPv3 receivers to subscribe to (S,G) directly and bypass the RP completely and the current config does anything but that. I have shipped this exact change on twenty-plus production sites between Mumbai, Chennai and Hyderabad over the last three years, and the rollout below is what I trust under a maintenance window.
This is a working network-engineer guide, not a slide deck. I will tell you what the CLI looks like on the Cisco SD-WAN (Catalyst SD-WAN) (SD-WAN fabric (vManage + vBond + vSmart + vEdge / C8000v)), what the pre-flight checks are, which IOS XE bug ID bit me on the last attempt, and what the verification output should look like before you sign off. Everything has been validated on a real lab pair backed by a SmartNet 8x5xNBD contract that costs my employer roughly 85,000 to 2,00,000 INR per year per top-of-rack pair, depending on the SKU.
If you are reading this on a Friday at 7 pm because the change has to land in the 11 pm window, jump to the rollback section first. I have done that walk-of-shame more than once. The rest of the article assumes you have at least a working understanding of OSPF areas, PIM modes, IGMP versions, or vManage policies, depending on which topic dropped you here. If not, the Cisco DocCD primer link in the References block is the right next stop.
What you need before you start
Every change goes faster when the bench is set up properly. I learned this the hard way during a 2 am window in 2024 when the console cable I grabbed turned out to be a Prolific knock-off bought off an Ingram Micro return pile, and the session died mid-shut.
- Putty 0.78 or SecureCRT 9.4 for the console / SSH session. I prefer SecureCRT for the session-tab grouping, but Putty is fine if you do not have a licence.
- Wireshark 4.2 running on the laptop. You will need it when the control-plane packets do not behave the way they should.
- A serial console cable, RJ45-to-USB if the box still has the blue console port, USB-mini-B if it is a newer chassis. ESS Bengaluru sells the FTDI-chip variant for about 850 INR; the cheap Prolific ones from a Burrabazar shop will flake out the moment you really need them.
- Read access to the existing running-config and at least 24 hours of show-tech / show-running snapshots in your tac-tracker so you can diff post-change.
- A change window on the calendar and an SRE backup-on-call assigned. I do not run multicast or area-type changes without a second pair of eyes on a shared screen.
- Cisco DNA Center 2.3.5 or newer (Catalyst Center) read-only login if the device is being managed via templates. you will need to know what the template renders before you change CLI directly, or vManage will overwrite you on next push.
- A multicast source generator, I use iperf 3.16 with --udp --multicast in Linux, or the Cisco DSCP / RTP test traffic in IOS XE.
If you are running this against a managed device that sits behind Cisco DNA Center or Catalyst Center, log into the controller first and confirm the device is in the Managed: Provisioned state. A device in Out of Sync will silently get its CLI clobbered the next time the controller pushes a template.
Why this matters on a Cisco SD-WAN (Catalyst SD-WAN)
Source-Specific Multicast (SSM) takes a completely different approach to the (S, G) tree from ASM. Instead of every receiver joining (*, G) and learning the source from the RP, the receivers tell the network the exact source IP they want via IGMPv3 INCLUDE membership reports, and PIM builds the (S, G) shortest-path tree directly. There is no RP, no shared tree, no MSDP.
On a Cisco SD-WAN (Catalyst SD-WAN), the recipe is global: enable ip multicast-routing, enable PIM sparse-mode on every interface in the path, and define the SSM range (the default is 232.0.0.0/8). On the access side you have to push the receivers to IGMPv3, most modern endpoints negotiate v3 if the interface supports it, but a Smart TV or older IPTV STB will fall back to v2, and that breaks SSM completely.
One operational gotcha: the Cisco SD-WAN (Catalyst SD-WAN) will log %PIM-5-DRCHG and %IGMP-6-IGMP_GROUP_LIMIT events on the access SVI when the IGMPv3 report rate spikes. If you see those during testing, suspect a misbehaving Joiner that is sending an INCLUDE list of dozens of (S, G) pairs at once.
Step-by-step on a Cisco SD-WAN (Catalyst SD-WAN)
- Enable multicast routing globally.
ip multicast-routing distributed. - Enable PIM sparse-mode on every L3 interface in the SSM path.
interface GigabitEthernet0/0/1 ip pim sparse-mode - Declare the SSM range. The simplest form is
ip pim ssm default, which uses 232.0.0.0/8. If your app needs a custom range, define an ACL and useip pim ssm range <acl-name>. - Push receivers to IGMPv3. On every SVI facing receivers:
ip igmp version 3. Cisco SD-WAN (Catalyst SD-WAN) will keep negotiating up to v3 by default, but older devices may not. The session will fall back to v2 silently. and SSM does not work over v2 INCLUDE-less reports. - Validate IGMPv3 reports.
show ip igmp interface <svi> | include Versionshould print Current IGMP host version is 3. If you see version 2, receivers in that VLAN have not been upgraded. - Validate the (S, G) state.
show ip mroute ssmon the Cisco SD-WAN (Catalyst SD-WAN) should list (source, 232.x.x.x) entries with the OIL pointing toward the receiver SVI. There should be no (*, G) entries in the SSM range; if there are, something is still trying to use ASM. - Save.
write memoryon every router touched.
Verification you actually trust
The change is not done until you can prove the SSM (S, G) state is built directly without any (*, G) presence in the SSM range. On a Cisco SD-WAN (Catalyst SD-WAN), run:
show ip pim interfaceshow ip igmp interfaceshow ip mroute ssmshow ip igmp groups
Then capture a Wireshark 4.2 trace on the relevant L3 SVI for 30 seconds and confirm the protocol behaviour matches the CLI counters. I keep a saved Wireshark profile called multicast-debug that pre-filters for IGMP, PIM, and Auto-RP, costs nothing to build, saves five minutes per incident later.
Log into the Cisco DNA Center / Catalyst Center 2.3.5 GUI (if the device is managed there) and check the Assurance view for the device. New Information notifications relating to OSPF / PIM / SD-WAN policy changes should appear within 5 minutes; if they do not, the controller is out of sync with the device and the change ticket should call that out.
Common gotchas on a Cisco SD-WAN (Catalyst SD-WAN)
- Receivers stuck on IGMPv2. The SSM tree only builds when receivers send IGMPv3 INCLUDE membership. Smart TVs and older IPTV STBs often refuse to negotiate up to v3. The clue is that
show ip igmp interface <svi>shows Current IGMP host version is 2. - IGMP snooping in the access VLAN dropping v3 reports. Some older C2960X images mishandle IGMPv3 INCLUDE messages. The fix is to upgrade or to use mrouter learning manually.
- Custom SSM range not declared on every router. If the application uses 234.0.0.0/8 instead of 232/8 and only some routers know that, the off-router segments fall back to (*, G) and the design breaks. Declare the SSM range globally on every PIM router.
Field anecdote: what this actually looked like
The cleanest SSM cutover I have done was on a Cisco SD-WAN (Catalyst SD-WAN) pair feeding a video-surveillance VLAN for a Chennai logistics warehouse. The cameras were modern enough to do IGMPv3 out of the box; the NVR pulled (S, G) feeds via a saved channel list. We turned ip pim ssm default on after-hours, bumped the camera VLAN SVI to ip igmp version 3, and watched the (*, G) entries drain out of show ip mroute over the next 90 seconds. By 9 am the next morning the NVR dashboard showed zero packet loss across 48 camera streams. Total change duration: 18 minutes. The owner kept asking what could have gone wrong so badly that I needed a maintenance window, I told him the answer was always ‘everything’, and he stopped asking.
Rollback if it goes wrong
SSM rollback is no ip pim ssm default globally, plus no ip igmp version 3 on every receiver-facing SVI. The receivers will fall back to v2; ASM (S, G) state will rebuild via the RP within 60 seconds, assuming an RP exists in the design.
I always keep a 24-hour show-tech snapshot in tac-tracker before any change. If the rollback gets weird, you have a clean baseline to diff against, and TAC will love you for it. SmartNet response on a Catalyst 9000 is typically 4 to 8 hours for severity-2 issues. better than nothing, but a clean self-rollback inside the window is faster than waiting.
Costs and licensing in India
For an Indian buyer, a top-of-rack Cisco SD-WAN (Catalyst SD-WAN) pair plus the relevant SmartNet 8x5xNBD support runs roughly 85,000 to 2,00,000 INR per year per pair depending on the SKU. Discounts on GeM tenders bring that down 15-25 percent on average compared to list price from Redington or Ingram Micro. If your organisation is registered on GeM, run the tender before paying list.
License-wise, the configuration in this guide is covered by Network Advantage on Catalyst 9000 and by Network Essentials on most other IOS XE platforms, both ride on smart licensing, which means you need a working CSSM connection or an on-prem SSM satellite. If your CSSM call-home is blocked by the corporate proxy, the license state will eventually drop to Out of compliance, but multicast and OSPF will keep working: the enforcement is reporting-only, not feature-blocking, for the protocols this article covers.
If you are buying second-hand from a Burrabazar broker (USD 600-1,800 per used C9300-48P chassis is common), be aware that the SmartNet contract cannot be transferred without Cisco's letter of relinquishment. Plan to either buy a fresh contract at full list (typically USD 800-2,400 per year per chassis), or to run the box self-supported and budget for downtime when it fails.
More frequently asked questions
Does this change require a maintenance window?
Yes. Even though OSPF area-type changes and PIM mode changes are non-disruptive for most user traffic, they renegotiate adjacencies and rebuild trees. Always run inside a planned window with a backup-on-call.
Why is the SSM tree not building even though IGMPv3 reports look correct?
Most often the upstream RPF interface does not have ip pim sparse-mode enabled. Check show ip pim interface for the whole path, every L3 hop between source and receiver must be PIM-enabled.
Do I still need an RP if I move to SSM?
Not for the groups inside the SSM range. ASM groups outside the SSM range still need an RP, so most real-world designs run both. SSM for the well-known applications, ASM (with Auto-RP or static) for the rest.
Does SmartNet cover this kind of operational change on a Cisco SD-WAN (Catalyst SD-WAN)?
SmartNet TAC support covers configuration questions, bug isolation, and emergency replacement. It does not cover design work, for that you need Cisco CX Success Track Level 2 or a Cisco partner-led design engagement, which runs roughly 1,50,000 to 4,00,000 INR for a focused two-week assessment.
Related fixes
Related guides worth a look while you sort this one out:
- How to configure PIM sparse mode auto-RP on Cisco SD-WAN (Catalyst SD-WAN)
- How to configure PIM SSM IGMPv3 on Catalyst 8300/8500
- How to configure PIM SSM IGMPv3 on Catalyst 9200
- How to configure PIM SSM IGMPv3 on Catalyst 9300
- How to configure PIM SSM IGMPv3 on Catalyst 9400
- How to configure PIM SSM IGMPv3 on Catalyst 9500
References
- Cisco IOS XE IP Multicast Configuration Guide (latest).
- RFC 4607: Source-Specific Multicast for IP.
- RFC 3376, IGMPv3 specification.
- Cisco DocCD landing for the platform family.
- Vendor PSIRT advisories for the relevant IOS XE or NX-OS train.