How to source Splunk Forwarder traffic from a Loopback Interface


The diagram below describes the use case:

SWITCH1 has a Splunk Forwarder that needs to send traffic to SPLUNK at 10.0.0.10. SWITCH2 is originating a default route via BGP, and SWITCH1 is only advertising its Loopback0 interface into BGP. The Splunk Forwarder CLI configuration does not currently support specifying a source interface, which is a problem in this scenario because SWITCH3 has no route back to 192.168.255.0, the source IP that any traffic SWITCH1 sends to SPLUNK would otherwise carry. SWITCH3 does, however, have a route to SWITCH1’s Loopback0 interface.

We can verify this by pinging SPLUNK from SWITCH1: the ping fails unless it is sourced from Loopback0:

To get around the limitation of not being able to specify a source interface for the Splunk Forwarder in the CLI, we can add an iptables SNAT rule that applies only to traffic destined to SPLUNK:

Now ping succeeds without specifying Loopback0 as the source interface:

Verify with bash sudo iptables -t nat -L -v:

We can also observe the change in default behavior via a packet capture:

NOTE

The above assumes you have the default iptables configuration.

This change won’t persist through a reboot, however, so an event-handler needs to be created to re-add the rule upon boot:
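The SNAT rule and its verification, as an added example that is not from the original post. It assumes SPLUNK at 10.0.0.10 as above, a placeholder Loopback0 address (192.0.2.1, set LOOPBACK0_IP to the real one), and that the switch exposes Linux iptables under a bash shell; the event-handler stanza in the comments is my assumption of the syntax, not config taken from the post.

```shell
#!/bin/sh
# Added example: add an iptables SNAT rule so that only traffic destined to
# SPLUNK leaves the switch with Loopback0's address as its source.
SPLUNK_IP="10.0.0.10"
LOOPBACK0_IP="${LOOPBACK0_IP:-192.0.2.1}"   # placeholder: set to Loopback0's real IP

# The rule as a single string (handy for review or for pasting into an action).
snat_rule_args() {
    echo "-t nat -A POSTROUTING -d ${SPLUNK_IP}/32 -j SNAT --to-source ${LOOPBACK0_IP}"
}

# Add the rule idempotently: -C checks whether it already exists, -A appends it.
# Idempotency matters because an on-boot handler may fire more than once and a
# duplicated rule would be harmless but confusing to audit.
add_snat_rule() {
    sudo iptables -t nat -C POSTROUTING -d "${SPLUNK_IP}/32" -j SNAT --to-source "$LOOPBACK0_IP" 2>/dev/null \
      || sudo iptables -t nat -A POSTROUTING -d "${SPLUNK_IP}/32" -j SNAT --to-source "$LOOPBACK0_IP"
}

# Check the output of `iptables -t nat -L -v` (read from stdin) for the rule.
# A matching SNAT line ends with "to:<Loopback0 IP>"; returns 0 when found.
snat_rule_present() {
    grep -E "SNAT.*${SPLUNK_IP}.*to:${LOOPBACK0_IP}" >/dev/null
}

# Typical use on the switch:
#   sh splunk-snat.sh apply          # add the rule now
#   sudo iptables -t nat -L -v | sh splunk-snat.sh check
# Assumed EOS event-handler to re-apply it after a reboot (syntax is my
# assumption, verify against your platform's documentation):
#   event-handler splunk-snat
#      trigger on-boot
#      action bash LOOPBACK0_IP=192.0.2.1 sh /mnt/flash/splunk-snat.sh apply
#      delay 60
case "$1" in
    apply) add_snat_rule ;;
    check) snat_rule_present && echo "SNAT rule present" || echo "SNAT rule missing" ;;
esac
```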
