Wildcarding a /19 range in a standard ACL: You must deny all hosts from the contiguous range 192.168.160.0 through 192.168.191.255. Which standard ACL line correctly matches that range using a wildcard mask?

Difficulty: Medium

Correct Answer: access-list 10 deny 192.168.160.0 0.0.31.255

Explanation:


Introduction / Context:
Standard IP access lists in Cisco IOS use wildcard masks, not subnet masks, to match address ranges. Correctly converting a continuous range into a network base plus wildcard mask is a core skill for designing concise, maintainable ACLs that perform as intended.



Given Data / Assumptions:

  • Target range: 192.168.160.0–192.168.191.255 (inclusive).
  • We are writing a single standard ACL line to match the entire range.
  • Standard ACL syntax: access-list <number> deny|permit <source> <wildcard>.


Concept / Approach:

Determine the block size and base network. The third octet spans 160 through 191, which is 32 values, so the range is a single block of 32 in the third octet, which corresponds to a /19. The equivalent subnet mask is 255.255.224.0, so the wildcard mask is its bitwise inverse, 0.0.31.255. The base network is 192.168.160.0.



Step-by-Step Solution:

  • Compute subnet mask: /19 → 255.255.224.0
  • Compute wildcard = inverse: 0.0.31.255
  • Construct ACL line: access-list 10 deny 192.168.160.0 0.0.31.255
  • Follow with an explicit permit for desired traffic and a final deny (implicit).


Verification / Alternative check:

Test with a few addresses: 192.168.160.1 and 192.168.191.254 match; 192.168.159.255 and 192.168.192.1 do not. A packet trace confirms hits on this ACE.
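The conversion and the address checks above can be reproduced offline. This is an added example, not part of the original page: the function names are hypothetical, and the matcher assumes the usual wildcard rule that 1 bits are ignored and 0 bits must equal the base. It also shows what happens when the subnet mask is used in place of the wildcard.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def range_to_wildcard(first, last):
    """Return (base, wildcard, prefix_len) for a range that is one aligned block."""
    lo, hi = _to_int(first), _to_int(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    size = hi - lo + 1
    # One base/wildcard pair with contiguous wildcard bits covers the range
    # only if the size is a power of two and the start is a multiple of it.
    if size & (size - 1) or lo % size:
        raise ValueError("not a single aligned block; more than one ACE needed")
    wildcard = size - 1
    prefix_len = 32 - wildcard.bit_length()
    return (str(ipaddress.IPv4Address(lo)),
            str(ipaddress.IPv4Address(wildcard)),
            prefix_len)

def ace_matches(addr, base, wildcard):
    """Wildcard rule: 1 bits are ignored, 0 bits must equal the base."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

if __name__ == "__main__":
    base, wc, plen = range_to_wildcard("192.168.160.0", "192.168.191.255")
    print(f"/{plen}: access-list 10 deny {base} {wc}")
    # Addresses from the verification step.
    for a in ("192.168.160.1", "192.168.191.254",
              "192.168.159.255", "192.168.192.1"):
        print(a, ace_matches(a, base, wc))
    # Pitfall: subnet mask used as the wildcard (10.1.32.0 is a constructed sample).
    for a in ("192.168.160.1", "10.1.32.0"):
        print(a, "mask-as-wildcard:", ace_matches(a, base, "255.255.224.0"))
```

With the subnet mask in the wildcard position, the line no longer matches hosts inside the intended range and instead matches unrelated addresses whose low third-octet bits and fourth octet are zero.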



Why Other Options Are Wrong:

A uses a subnet mask instead of a wildcard; ACLs require wildcards.

B grossly overmatches by allowing the third octet to vary up to 191.

D starts at the wrong base (192.168.0.0), which matches many unintended subnets.



Common Pitfalls:

Confusing subnet masks with wildcards; miscomputing the block size; forgetting to add a subsequent permit to avoid unintentionally blocking all traffic due to the ACL’s implicit deny at the end.



Final Answer:

access-list 10 deny 192.168.160.0 0.0.31.255
