How to source Splunk Forwarder traffic from a Loopback Interface


The diagram below describes the use case:

SWITCH1 runs a Splunk Forwarder that needs to send traffic to SPLUNK (the address is shown in the diagram). SWITCH2 originates a default route via BGP, and SWITCH1 advertises only its Loopback0 interface into BGP. The Splunk Forwarder CLI configuration does not currently support specifying a source interface. That is a problem here: left to the routing table, SWITCH1 sources the traffic from the address of its egress interface, and SWITCH3 has no route back to that address, so the return traffic is dropped. SWITCH3 does, however, have a route to SWITCH1's Loopback0 interface.

We verify this by pinging SPLUNK from SWITCH1: the ping fails unless it is sourced from Loopback0:

To get around the limitation of not being able to specify a source interface for the Splunk Forwarder in the CLI, we can add an SNAT rule to the iptables nat table (POSTROUTING chain) that rewrites the source address to the Loopback0 address for traffic destined to SPLUNK only. Connection tracking reverses the translation on the return packets, so the forwarder itself sees nothing different:

Now ping succeeds without specifying Loopback0 as the source interface:

Verify with bash sudo iptables -t nat -L -v (the bash prefix runs the Linux command from the switch CLI; the packet and byte counters on the SNAT rule should increase as the forwarder sends data):

We can also observe the change in default behavior via a packet capture, where the source address of the packets to SPLUNK is now the Loopback0 address:


The above assumes you have the default iptables configuration. If other rules already exist in the nat POSTROUTING chain, check their order, since iptables evaluates the chain top down and the first matching rule wins.


This change will not persist through a reboot, however, so an event-handler needs to be created that re-adds the rule on boot:
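As an added example (not code from the original post), the script below installs the SNAT rule idempotently, so it can be run by hand and again by an event-handler on every boot without stacking duplicate rules. SPLUNK_IP, LO0_IP, the file path and the event-handler name are assumed placeholders, and the event-handler syntax assumes an Arista EOS switch, which the post's bash CLI prefix suggests but does not state.

```shell
#!/bin/sh
# Added example, not from the original post: install the SNAT rule so traffic
# from SWITCH1 to SPLUNK leaves with the Loopback0 address, at boot via an
# event-handler. Assumed placeholders (not values from the post):
#   SPLUNK_IP - address of the SPLUNK host
#   LO0_IP    - address of SWITCH1's Loopback0
#   IPT       - how to invoke iptables (override for dry runs and tests)
# Assumed Arista EOS setup: save as /mnt/flash/splunk-snat.sh (flash survives
# reboots) and configure an event-handler to run it once the box is up:
#   event-handler splunk-snat
#      trigger on-boot
#      delay 60
#      action bash /mnt/flash/splunk-snat.sh apply

SPLUNK_IP="${SPLUNK_IP:-192.0.2.10}"
LO0_IP="${LO0_IP:-10.255.255.1}"
IPT="${IPT:-sudo iptables}"

# One rule specification shared by the check (-C) and the append (-A) so the
# two cannot drift apart. Only traffic destined to SPLUNK is rewritten; all
# other traffic keeps the source address the routing table picks.
snat_rule_spec() {
    printf '%s' "POSTROUTING -d ${SPLUNK_IP}/32 -j SNAT --to-source ${LO0_IP}"
}

# Append the rule only if it is missing. iptables -C exits 0 when an identical
# rule exists and non-zero otherwise. Prints "present" or "added".
ensure_snat_rule() {
    # shellcheck disable=SC2046  # word splitting of the rule spec is intended
    if $IPT -t nat -C $(snat_rule_spec) 2>/dev/null; then
        echo "present"
    else
        $IPT -t nat -A $(snat_rule_spec) && echo "added"
    fi
}

# Same check the post uses, with -n to avoid slow reverse DNS lookups.
show_nat_rules() {
    $IPT -t nat -L POSTROUTING -v -n
}

# The script only acts on an explicit verb, so sourcing it (or running it by
# accident) changes nothing.
case "${1:-}" in
    apply) ensure_snat_rule && show_nat_rules ;;
    show)  show_nat_rules ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Run it once by hand with the apply verb to confirm the rule lands and the counters move, then reboot and run show to confirm the event-handler re-installed it. The delay gives the kernel interfaces and iptables time to come up before the rule is added.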

