cancel
Showing results for
Did you mean:
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

## Rationale for this basic inverse mask question

Hi,

I am aware that I can do ' - 255' in order to find out a certain inverse subnet mask. However I am getting confused on how you could solve the exercise below. Answer b) below is the right one, but can you please tell me the rationale used to find out how you can allow 192.168.195.0 and block the range specified below. Thanks for your help!

Question

" You need to deny access to all hosts that lie within the range 192.168.160.0-192.168.191.0

Hosts in the 192.168.195.0 network should be granted full access.

Which of the following choices fullfills this:

a) access-list 2 deny 192.168.163.0 0.0.0.255

b) access-list 1 deny 192.168.160.0 0.0.31.255

1 ACCEPTED SOLUTION

Accepted Solutions
Green

## Re: Rationale for this basic inverse mask question

Marlon,

As you are probably aware, the 1's in the wildcard mask means do NOT care about these bits and 0's indicate it needs to match. Your concern seems to be about the 3rd octet so let's focus on that octet.

Deny 192.168.160.0 - 192.168.191.255

-Write down in binary values 160 & 191.

-then identify the common values in both addresses and these values need to match. In this scenario, the matching values stop at the 3rd bit and you don't care about the last 5 bits as they don't match.

3rd Octet:

IP

160 - 1010 0000

191 - 1011 1111

---------

xxx - 0001 1111 = 31

If you add up the last 5 bits you derive 31. Therefore, the wildcard mask you would need is 0.0.31.255.

HTH

Sundar

2 REPLIES
Silver

## Re: Rationale for this basic inverse mask question

You have to deny access to 32 contigious Class C subnets so you need to move 5 bits to the left of the class C mask. Your new /19 mask, which summerizes 32 class C subnets, is 255.255.224.0. The inverse mask is 0.0.31.255.

Of course, answer a) is obviously wrong since it denies a single Class C subnet.

Green

## Re: Rationale for this basic inverse mask question

Marlon,

As you are probably aware, the 1's in the wildcard mask means do NOT care about these bits and 0's indicate it needs to match. Your concern seems to be about the 3rd octet so let's focus on that octet.

Deny 192.168.160.0 - 192.168.191.255

-Write down in binary values 160 & 191.

-then identify the common values in both addresses and these values need to match. In this scenario, the matching values stop at the 3rd bit and you don't care about the last 5 bits as they don't match.

3rd Octet:

IP

160 - 1010 0000

191 - 1011 1111

---------

xxx - 0001 1111 = 31

If you add up the last 5 bits you derive 31. Therefore, the wildcard mask you would need is 0.0.31.255.

HTH

Sundar

138
Views
5