Writing a standard ACL for a /21 subnet You need a standard ACL that denies the entire subnet of host 172.16.144.17/21. Which line correctly matches that /21 network?
-
Aaccess-list 10 deny 172.16.48.0 255.255.240.0
-
Baccess-list 10 deny 172.16.144.0 0.0.7.255
-
Caccess-list 10 deny 172.16.64.0 0.0.31.255
-
Daccess-list 10 deny 172.16.136.0 0.0.15.255
-
Eaccess-list 10 deny host 172.16.144.17
Answer
Correct Answer: access-list 10 deny 172.16.144.0 0.0.7.255
Explanation
Introduction / Context:Standard ACLs match only the source address (with a wildcard mask). To block an entire subnet, you must calculate the correct network address and wildcard from the given prefix length. Here, the host 172.16.144.17 belongs to a /21 network, so we compute that network's base and wildcard.
Given Data / Assumptions:
- Host: 172.16.144.17/21.
- /21 means mask 255.255.248.0.
- Standard ACL syntax requires a wildcard mask (inverse mask).
Concept / Approach:
For /21, the block size in the third octet is 8 (since 256 − 248 = 8). The subnet ranges are 0,8,16,…,144,152,160,… in the third octet. The address 172.16.144.17 falls in the 172.16.144.0–172.16.151.255 range. The wildcard for /21 is 0.0.7.255 (inverse of 255.255.248.0).
Step-by-Step Solution:
Compute mask: /21 → 255.255.248.0.Find block size: 256 − 248 = 8.Determine the network: 144 is a multiple of 8; base is 172.16.144.0.Compute wildcard: 255.255.255.255 − 255.255.248.0 = 0.0.7.255.Write ACL line: access-list 10 deny 172.16.144.0 0.0.7.255.Verification / Alternative check:
Testing addresses at the boundaries (172.16.144.0 and 172.16.151.255) confirms they match the wildcard range, while 172.16.152.0 does not.
Why Other Options Are Wrong:
- Option A targets 172.16.48.0/20 and uses a subnet mask (not a wildcard) and the wrong network.
- Option C is a /19 wildcard pattern (block size 32 in the third octet), not /21.
- Option D corresponds to a /20 network (wildcard 0.0.15.255), wrong base.
- Option E blocks only a single host, not the /21 subnet.
Common Pitfalls:
- Confusing subnet masks with wildcard masks.
- Miscalculating the block size for non-/8 multiples.
Final Answer:
access-list 10 deny 172.16.144.0 0.0.7.255