Writing a standard ACL for a /21 subnet

You need a standard ACL that denies the entire subnet of host 172.16.144.17/21. Which line correctly matches that /21 network?

Difficulty: Medium

Correct Answer: access-list 10 deny 172.16.144.0 0.0.7.255

Explanation:


Introduction / Context:
Standard ACLs match only the source address (with a wildcard mask). To block an entire subnet, you must calculate the correct network address and wildcard from the given prefix length. Here, the host 172.16.144.17 belongs to a /21 network, so we compute that network's base and wildcard.


Given Data / Assumptions:

  • Host: 172.16.144.17/21.
  • /21 means mask 255.255.248.0.
  • Standard ACL syntax requires a wildcard mask (inverse mask).


Concept / Approach:

For /21, the block size in the third octet is 8 (since 256 − 248 = 8). The subnet ranges are 0,8,16,…,144,152,160,… in the third octet. The address 172.16.144.17 falls in the 172.16.144.0–172.16.151.255 range. The wildcard for /21 is 0.0.7.255 (inverse of 255.255.248.0).


Step-by-Step Solution:

  1. Compute mask: /21 → 255.255.248.0.
  2. Find block size: 256 − 248 = 8.
  3. Determine the network: 144 is a multiple of 8; base is 172.16.144.0.
  4. Compute wildcard: 255.255.255.255 − 255.255.248.0 = 0.0.7.255.
  5. Write ACL line: access-list 10 deny 172.16.144.0 0.0.7.255.


Verification / Alternative check:

Testing addresses at the boundaries (172.16.144.0 and 172.16.151.255) confirms they match the wildcard range, while 172.16.152.0 does not.
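The step-by-step procedure above (mask, block size, network base, wildcard) and the boundary check can be carried out in code. The following is an added example, not part of the original question page: it derives the ACL line for any host/prefix pair and then tests candidate addresses against the network and wildcard the way a router evaluates a standard ACL entry (address bits where the wildcard is 0 must equal the ACL's network bits). Function names and the sample addresses are this example's own.

```python
"""Derive a Cisco standard ACL line (network + wildcard) from a host/prefix.

Added example, not code from the original page. It implements the
mask -> block size -> network base -> wildcard procedure and then
checks boundary addresses against the resulting wildcard.
"""
import ipaddress


def prefix_to_mask(prefix: int) -> int:
    """32-bit subnet mask for a prefix length, e.g. /21 -> 255.255.248.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_wildcard(mask: int) -> int:
    """Wildcard (inverse) mask: 255.255.255.255 minus the subnet mask."""
    return mask ^ 0xFFFFFFFF


def dotted(value: int) -> str:
    """Render a 32-bit integer as dotted-decimal."""
    return str(ipaddress.IPv4Address(value))


def block_size(prefix: int) -> int:
    """Block size in the octet where the prefix ends, e.g. /21 -> 256 - 248 = 8."""
    mask = prefix_to_mask(prefix)
    octet_index = max(prefix - 1, 0) // 8          # 0-based octet the prefix ends in
    octet_value = (mask >> (8 * (3 - octet_index))) & 0xFF
    return 256 - octet_value


def acl_for_subnet(host: str, prefix: int, acl_number: int = 10,
                   action: str = "deny") -> str:
    """Build 'access-list N <action> <network> <wildcard>' for host's subnet."""
    host_int = int(ipaddress.IPv4Address(host))
    mask = prefix_to_mask(prefix)
    network = host_int & mask            # clear the host bits -> network base
    wildcard = mask_to_wildcard(mask)    # bits the ACL ignores when matching
    return f"access-list {acl_number} {action} {dotted(network)} {dotted(wildcard)}"


def acl_matches(acl_network: str, acl_wildcard: str, address: str) -> bool:
    """Router-style match: where the wildcard bit is 0, address must equal network."""
    net = int(ipaddress.IPv4Address(acl_network))
    wc = int(ipaddress.IPv4Address(acl_wildcard))
    addr = int(ipaddress.IPv4Address(address))
    care = ~wc & 0xFFFFFFFF              # bits that must match exactly
    return (addr & care) == (net & care)


if __name__ == "__main__":
    print(acl_for_subnet("172.16.144.17", 21))   # access-list 10 deny 172.16.144.0 0.0.7.255
    print("block size:", block_size(21))         # 8
    # Constructed boundary addresses: the two ends of the /21 and one past each end.
    for candidate in ("172.16.143.255", "172.16.144.0", "172.16.151.255", "172.16.152.0"):
        print(candidate, acl_matches("172.16.144.0", "0.0.7.255", candidate))
```

Running it prints the ACL line from the answer, then True for 172.16.144.0 and 172.16.151.255 and False for 172.16.143.255 and 172.16.152.0, which is the boundary check described above done with bit arithmetic instead of by hand.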


Why Other Options Are Wrong:

  • Option A targets 172.16.48.0/20 and uses a subnet mask (not a wildcard) and the wrong network.
  • Option C is a /19 wildcard pattern (block size 32 in the third octet), not /21.
  • Option D corresponds to a /20 network (wildcard 0.0.15.255), wrong base.
  • Option E blocks only a single host, not the /21 subnet.


Common Pitfalls:

  • Confusing subnet masks with wildcard masks.
  • Miscalculating the block size for prefix lengths that are not multiples of 8 (such as /21), where the boundary falls inside an octet.


Final Answer:

access-list 10 deny 172.16.144.0 0.0.7.255
