Denying the /20 subnet of a given host (standard ACL): You must begin a standard ACL by denying the entire subnet that contains host 172.16.50.172/20. Which first ACE is correct?

Difficulty: Medium

Correct Answer: access-list 10 deny 172.16.48.0 0.0.15.255

Explanation:


Introduction / Context:
Writing an ACL from a given host/prefix pair requires converting the prefix into its network base and an appropriate wildcard. For a /20 network, you must identify the correct 16-address block of the third octet and then craft the wildcard that matches precisely that range.



Given Data / Assumptions:

  • Host: 172.16.50.172/20.
  • /20 mask is 255.255.240.0; wildcard is 0.0.15.255.
  • Standard numbered ACL format is used.


Concept / Approach:

/20 means the third octet increments in blocks of 16 (0, 16, 32, 48, 64, …). The value 50 belongs to the 48–63 block, so the base is 172.16.48.0. The wildcard that matches a /20 is 0.0.15.255, covering .48.0 through .63.255.



Step-by-Step Solution:

  • Mask: /20 → 255.255.240.0
  • Wildcard (inverse): 0.0.15.255
  • Block base for 50: 48
  • ACE: access-list 10 deny 172.16.48.0 0.0.15.255


Verification / Alternative check:

Addresses 172.16.48.1 and 172.16.63.254 match; 172.16.64.1 does not. Packet-hit counters confirm the ACE works as intended.
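The step-by-step conversion and the verification check above, worked as an added Python example (not part of the original question or answer): it derives the network base and wildcard from the host/prefix pair, emits the ACE, and then applies wildcard-mask semantics to test candidate addresses, including the over-broad and wrong-base ACEs from the distractor options. The helper names are the example's own.

```python
import ipaddress

def wildcard_for_prefix(prefix_len: int) -> str:
    """Inverse (wildcard) mask for a prefix length: bitwise NOT of the subnet mask."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))

def standard_ace(acl_number: int, action: str, host_with_prefix: str) -> str:
    """Build the standard ACE covering the whole subnet that contains the host.

    strict=False lets ipaddress derive the network base (172.16.48.0 for
    172.16.50.172/20) instead of rejecting host bits set in the address.
    """
    net = ipaddress.ip_network(host_with_prefix, strict=False)
    wildcard = wildcard_for_prefix(net.prefixlen)
    return f"access-list {acl_number} {action} {net.network_address} {wildcard}"

def ace_matches(ace: str, address: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.

    The address matches when every bit that the wildcard marks as significant
    (a 0 bit) equals the corresponding bit of the ACE's base address.
    """
    _, _, _, base, wildcard = ace.split()
    base_i = int(ipaddress.IPv4Address(base))
    care_bits = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    addr_i = int(ipaddress.IPv4Address(address))
    return (addr_i & care_bits) == (base_i & care_bits)

if __name__ == "__main__":
    ace = standard_ace(10, "deny", "172.16.50.172/20")
    print(ace)  # access-list 10 deny 172.16.48.0 0.0.15.255
    for probe in ("172.16.48.1", "172.16.63.254", "172.16.64.1"):
        print(probe, "matches" if ace_matches(ace, probe) else "does not match")
```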



Why Other Options Are Wrong:

A uses a subnet mask field instead of a wildcard; ACLs require wildcards.

B matches the entire /16—far too broad.

C points to the wrong base (64) and uses an overly broad wildcard (31.255, i.e., /19).



Common Pitfalls:

Placing subnet masks where wildcards are expected; using the wrong block start due to off-by-one errors; forgetting to add a final explicit deny/permit as policy dictates.



Final Answer:

access-list 10 deny 172.16.48.0 0.0.15.255
