Aggregates that are subnet of destination are not checked for unexpected access #38

@hknutzen

Description

In this topology

n1--router:r1--n2(10.1.2.0/24)
         \--n3(10.1.2.128/25)

with rule n1-->n2
we would get this warning

This supernet rule would permit unexpected access:
  permit src=network:n1; dst=network:n2; prt=tcp 80; of service:s1
 Generated ACL at interface:r1.n1 would permit access to additional networks:
 - network:n3

because n3 is a subnet of n2.

If we replace n3 by an aggregate with the same address as n2, we get a similar warning.
But if we replace n3 by an aggregate with an address that is a subnet of n2, e.g. 10.1.2.128/25, currently no warning is shown.
This seems to be wrong, since packets destined for n2 can still turn off in the direction of 10.1.2.128/25.
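Added illustration of the check the issue asks for, written for this page and not taken from Netspoc's code base: a rule's ACL at the ingress interface matches on the destination's prefix only, so every network or aggregate behind another interface whose address lies inside that prefix is reachable too. The type names, the zone model, the aggregate name `any:n3` and the address 10.1.1.0/24 for n1 are assumptions of the example; the topology and the message layout follow the issue text.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Obj is a network or an aggregate, known only by the name Netspoc prints
// for it and by its address prefix. Hypothetical model for this example,
// not Netspoc's own data structures.
type Obj struct {
	Name   string
	Prefix netip.Prefix
}

// Zone holds the objects reachable behind one router interface.
type Zone struct {
	Iface string // e.g. "interface:r1.n2"
	Objs  []Obj
}

// Rule is one permit rule; Ingress is the interface where its ACL is generated.
type Rule struct {
	Service, Prt, Ingress string
	Src, Dst              Obj
}

// covers reports whether obj's address range lies entirely inside dst's.
// Equal prefixes count, so an aggregate carrying dst's own address is caught.
func covers(dst, obj netip.Prefix) bool {
	return dst.Bits() <= obj.Bits() && dst.Contains(obj.Addr())
}

// unexpectedAccess returns every object behind an interface other than the
// ingress interface and other than dst's own zone whose address lies inside
// dst's prefix. The ACL at the ingress interface matches on dst's prefix only,
// so packets to those objects get through as well. Networks and aggregates
// are handled alike on purpose: that is exactly the check the issue reports
// as missing for aggregates with a proper subnet of dst's address.
func unexpectedAccess(r Rule, zones []Zone) []Obj {
	var hits []Obj
	for _, z := range zones {
		if z.Iface == r.Ingress || hasObj(z, r.Dst) {
			continue
		}
		for _, o := range z.Objs {
			if covers(r.Dst.Prefix, o.Prefix) {
				hits = append(hits, o)
			}
		}
	}
	return hits
}

func hasObj(z Zone, o Obj) bool {
	for _, x := range z.Objs {
		if x.Name == o.Name {
			return true
		}
	}
	return false
}

// formatWarning renders hits in the layout of the message quoted in the issue;
// an empty string means there is nothing to warn about.
func formatWarning(r Rule, hits []Obj) string {
	if len(hits) == 0 {
		return ""
	}
	var b strings.Builder
	b.WriteString("This supernet rule would permit unexpected access:\n")
	fmt.Fprintf(&b, "  permit src=%s; dst=%s; prt=%s; of %s\n", r.Src.Name, r.Dst.Name, r.Prt, r.Service)
	fmt.Fprintf(&b, " Generated ACL at %s would permit access to additional networks:\n", r.Ingress)
	for _, h := range hits {
		fmt.Fprintf(&b, " - %s\n", h.Name)
	}
	return b.String()
}

// topology builds the issue's example as constructed input: r1 joins n1,
// n2 = 10.1.2.0/24 and a third zone containing only 'third'. The address
// of n1 is an assumption; the issue does not give one.
func topology(third Obj) (Rule, []Zone) {
	n1 := Obj{Name: "network:n1", Prefix: netip.MustParsePrefix("10.1.1.0/24")}
	n2 := Obj{Name: "network:n2", Prefix: netip.MustParsePrefix("10.1.2.0/24")}
	rule := Rule{Service: "service:s1", Prt: "tcp 80", Ingress: "interface:r1.n1", Src: n1, Dst: n2}
	zones := []Zone{
		{Iface: "interface:r1.n1", Objs: []Obj{n1}},
		{Iface: "interface:r1.n2", Objs: []Obj{n2}},
		{Iface: "interface:r1.n3", Objs: []Obj{third}},
	}
	return rule, zones
}

// warningFor places the named object (network or aggregate) with address cidr
// behind r1.n3, runs the check for rule n1-->n2 and returns the warning text.
func warningFor(name, cidr string) string {
	rule, zones := topology(Obj{Name: name, Prefix: netip.MustParsePrefix(cidr)})
	return formatWarning(rule, unexpectedAccess(rule, zones))
}

func main() {
	fmt.Print(warningFor("network:n3", "10.1.2.128/25")) // subnet network: warned today
	fmt.Print(warningFor("any:n3", "10.1.2.0/24"))       // aggregate with n2's address: warned today
	fmt.Print(warningFor("any:n3", "10.1.2.128/25"))     // aggregate inside n2: the warning the issue misses
	fmt.Print(warningFor("network:n4", "10.1.3.0/24"))   // unrelated network: prints nothing
}
```

The only distinction the check needs is address containment, which is why the aggregate 10.1.2.128/25 must be reported with the same message as a network at that address; an object whose prefix is shorter than n2's (a supernet of n2) is correctly not reported, since the ACL entry for n2 does not cover it.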
