You must create a standard IP access list that denies all hosts in the IPv4 range 192.168.160.0 through 192.168.191.255. Which wildcard mask and command combination correctly matches this network range?

Introduction / Context:
Standard IP access lists on Cisco IOS rely on wildcard masks to match ranges of IPv4 addresses. In this question you must deny a very specific contiguous block of addresses from 192.168.160.0 up to 192.168.191.255. To choose the correct command, you must translate this range into a network address and wildcard mask that exactly cover this block and nothing more.

Given Data / Assumptions:

The required blocked range is 192.168.160.0 to 192.168.191.255 inclusive.
We are using a standard numbered access list with list number 10.
Standard ACLs use wildcard masks, where 0 means match exactly and 1 bits indicate do not care positions.
The ACL line must correctly cover this /19 range without including addresses outside it.

Concept / Approach:
The range 192.168.160.0 to 192.168.191.255 is a block of 32 contiguous class C style networks. The third octet runs from 160 to 191. A block of size 32 in the third octet corresponds to a prefix length of /19, which has a subnet mask of 255.255.224.0 and a wildcard mask of 0.0.31.255. In Cisco ACLs, you write the network address followed by the wildcard mask, so the correct entry should use 192.168.160.0 with wildcard 0.0.31.255.

Step-by-Step Solution:
Compute the size of the range in the third octet: 191 minus 160 plus one gives 32 values, so the block size is 32. A block size of 32 in one octet corresponds to 2^5, which means 5 host bits and therefore a prefix of 32 minus 5 equals 27 if this were a host portion, but here we are aggregating subnet level networks. For this address, the correct prefix that covers 160 through 191 is /19. The subnet mask for a /19 network is 255.255.224.0. The corresponding wildcard mask is the inverse: 0.0.31.255. In Cisco standard ACL syntax, you specify the network address and wildcard mask, so the correct line is access-list 10 deny 192.168.160.0 0.0.31.255. Check that this wildcard exactly covers all addresses from 192.168.160.0 through 192.168.191.255 and does not extend into 192.168.192.0 or below 192.168.160.0.

Verification / Alternative check:
You can verify the wildcard by adding it to the base address: 192.168.160.0 plus 0.0.31.255 gives 192.168.191.255 as the upper bound. Because wildcard bits mark positions where any value is allowed, this range matches all addresses whose third octet is in the range 160 to 191 and whose fourth octet runs from 0 to 255. That is exactly the intended block.

Why Other Options Are Wrong:
Option a uses 255.255.224.0, which is a subnet mask, not a wildcard. ACLs require wildcard masks, so this syntax is wrong in this context.
Option b uses wildcard 0.0.191.255, which would cover a much larger range than 160 through 191 in the third octet and is not tied to a clean power of two block.
Option d starts from 192.168.0.0, so it includes hosts that should not be denied, such as 192.168.0.1, making it incorrect for the specified range only.
Option e uses an extended ACL number and protocol but the question specifically frames this as a standard ACL example and focuses on the network range, so it is not the best match for the exam objective.

Common Pitfalls:
Many students confuse subnet masks and wildcard masks or try to use the subnet mask directly in ACL statements. Another common mistake is miscalculating the wildcard so that it covers too many or too few addresses. Remember that wildcards are simply the bitwise inverse of the subnet mask and that block sizes are powers of two. Practising these conversions will make ACL design much easier.

Final Answer:
The correct command is access-list 10 deny 192.168.160.0 0.0.31.255, which uses the proper wildcard mask to block 192.168.160.0 through 192.168.191.255.