Difficulty: Medium
Correct Answer: access-list 10 deny 172.16.192.0 0.0.31.255
Explanation:
Introduction / Context:
When you are given a host address and prefix, you must determine that host’s subnet and then craft an ACL entry that matches the entire subnet using a wildcard mask. This ensures your rule applies uniformly to all addresses within that network, not just a single IP.
Given Data / Assumptions:
Concept / Approach:
For a /19, the third octet increments in blocks of 32 (0, 32, 64, 96, 128, 160, 192, 224). The value 198 lies in the 192–223 block, so the subnet base is 172.16.192.0. The wildcard derived from /19 is 0.0.31.255, covering .192.0 through .223.255.
Step-by-Step Solution:
Verification / Alternative check:
Check boundaries: lowest 172.16.192.0 and highest 172.16.223.255 are matched; neighboring subnets (172.16.160.0/19 and 172.16.224.0/19) are not.
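The derivation and boundary check above, as an added Python example that is not part of the original explanation. The function names are hypothetical, and the host 172.16.198.1 is constructed: only the third octet (198) and the /19 prefix come from the text. It also shows the first pitfall listed below, a subnet mask used where a wildcard belongs.

```python
import ipaddress


def acl_entry(host: str, prefix_len: int, acl_num: int = 10, action: str = "deny") -> str:
    """Build a standard ACL line covering the whole subnet that contains host."""
    net = ipaddress.ip_interface(f"{host}/{prefix_len}").network
    # hostmask is the bitwise inverse of the subnet mask, i.e. the wildcard mask
    return f"access-list {acl_num} {action} {net.network_address} {net.hostmask}"


def wildcard_matches(base: str, wildcard: str, addr: str) -> bool:
    """Wildcard match: bits set to 1 in the wildcard are ignored,
    every other bit of addr must equal the same bit of base."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    care_bits = ~w & 0xFFFFFFFF
    return ((a ^ b) & care_bits) == 0


BASE, WILDCARD = "172.16.192.0", "0.0.31.255"

if __name__ == "__main__":
    # Constructed host in the 192-223 block of the third octet
    print(acl_entry("172.16.198.1", 19))

    # Boundary check: first and last address of the block, then the
    # last address of 172.16.160.0/19 and the first of 172.16.224.0/19
    for addr in ("172.16.192.0", "172.16.223.255", "172.16.191.255", "172.16.224.0"):
        print(f"{addr:16} matched={wildcard_matches(BASE, WILDCARD, addr)}")

    # Pitfall: the subnet mask 255.255.224.0 typed in place of the wildcard.
    # The intended host is no longer matched, while an unrelated address
    # that shares the low 13 bits of the base is.
    wrong = "255.255.224.0"
    print("host with wrong mask:", wildcard_matches(BASE, wrong, "172.16.198.1"))
    print("10.0.192.0 with wrong mask:", wildcard_matches(BASE, wrong, "10.0.192.0"))
```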
Why Other Options Are Wrong:
B matches the entire 172.16.0.0/16, far too broad.
C starts the block at 172, which is not a valid /19 boundary in the third octet.
D proposes a /20-style wildcard and the wrong base.
Common Pitfalls:
Mixing up wildcard and subnet masks; choosing the wrong block start; forgetting to follow a deny with the proper permits to avoid overblocking.
Final Answer:
access-list 10 deny 172.16.192.0 0.0.31.255