# Rationale for this basic inverse mask question

Feb 23rd, 2007

Hi,

I am aware that I can do ' - 255' in order to find out a certain inverse subnet mask. However I am getting confused on how you could solve the exercise below. Answer b) below is the right one, but can you please tell me the rationale used to find out how you can allow 192.168.195.0 and block the range specified below. Thanks for your help!

Question

" You need to deny access to all hosts that lie within the range 192.168.160.0-192.168.191.0

Hosts in the 192.168.195.0 network should be granted full access.

Which of the following choices fulfills this:

a) access-list 2 deny 192.168.163.0 0.0.0.255

b) access-list 1 deny 192.168.160.0 0.0.31.255

Overall Rating: 5 (2 ratings)

## Replies

ahmednaas Fri, 02/23/2007 - 11:38

You have to deny access to 32 contiguous Class C subnets so you need to move 5 bits to the left of the class C mask. Your new /19 mask, which summarizes 32 class C subnets, is 255.255.224.0. The inverse mask is 0.0.31.255.

Of course, answer a) is obviously wrong since it denies a single Class C subnet.

sundar.palaniappan Fri, 02/23/2007 - 12:03

Marlon,

As you are probably aware, the 1's in the wildcard mask mean do NOT care about these bits and 0's indicate it needs to match. Your concern seems to be about the 3rd octet so let's focus on that octet.

Deny 192.168.160.0 - 192.168.191.255

- Write down the values 160 & 191 in binary.

- Then identify the common values in both addresses and these values need to match. In this scenario, the matching values stop at the 3rd bit and you don't care about the last 5 bits as they don't match.

3rd Octet:

IP

160 - 1010 0000

191 - 1011 1111

---------

xxx - 0001 1111 = 31

If you add up the last 5 bits you derive 31. Therefore, the wildcard mask you would need is 0.0.31.255.

HTH

Sundar
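
The binary comparison described in the reply above, carried out over the full 32-bit addresses, as an added example that is not part of the original thread. The function names are hypothetical, and the range end is taken as 192.168.191.255 as in the reply; the example also reports when a range cannot be covered exactly by one wildcard entry.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_for_range(first, last):
    """Smallest single ACL entry (base, wildcard) covering first..last.

    The third value is True only when the entry covers exactly that range.
    """
    lo, hi = _to_int(first), _to_int(last)
    if lo > hi:
        raise ValueError("first address must not exceed last")
    # The highest bit that differs between the two ends, and every bit
    # below it, becomes a "don't care" (1) bit in the wildcard mask.
    wildcard = (1 << (lo ^ hi).bit_length()) - 1
    base = lo & ~wildcard & MASK32
    exact = base == lo and (base | wildcard) == hi
    return (str(ipaddress.IPv4Address(base)),
            str(ipaddress.IPv4Address(wildcard)), exact)

def acl_matches(base, wildcard, addr):
    """True if addr equals base on every bit where the wildcard has a 0."""
    care = ~_to_int(wildcard) & MASK32
    return ((_to_int(addr) ^ _to_int(base)) & care) == 0

if __name__ == "__main__":
    # Range from the question, with the end address used in the reply.
    print(wildcard_for_range("192.168.160.0", "192.168.191.255"))
    # Answer b) denies the whole range but leaves 192.168.195.0 alone.
    for host in ("192.168.160.1", "192.168.191.254", "192.168.195.10"):
        print(host, acl_matches("192.168.160.0", "0.0.31.255", host))
    # Answer a) only matches the single 192.168.163.0 subnet.
    print(acl_matches("192.168.163.0", "0.0.0.255", "192.168.170.1"))
    # Constructed counter-case: stretching the range to include .195
    # cannot be expressed exactly by one entry (exact flag is False).
    print(wildcard_for_range("192.168.160.0", "192.168.195.255"))
```

When the exact flag is False, the single entry returned is a superset of the requested range, so a deny built from it would also block addresses outside that range.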