200-101 · Question #168
The company internetwork is subnetted using 29 bits. Which wildcard mask should be used to configure an extended access list to permit or deny access to an entire subnet?
The correct answer is E. 0.0.0.7. For a /29 subnet, the wildcard mask used in Cisco ACLs is the bitwise inverse of the subnet mask 255.255.255.248, which equals 0.0.0.7.
Question
Options
- A255.255.255.224
- B255.255.255.248
- C0.0.0.224
- D0.0.0.8
- E0.0.0.7
- F0.0.0.3
How the community answered
(41 responses)- A2% (1)
- C10% (4)
- D5% (2)
- E80% (33)
- F2% (1)
Why each option
For a /29 subnet, the wildcard mask used in Cisco ACLs is the bitwise inverse of the subnet mask 255.255.255.248, which equals 0.0.0.7.
255.255.255.224 is the subnet mask for a /27 network, not a wildcard mask - ACLs require the inverted form of the subnet mask.
255.255.255.248 is the subnet mask itself for a /29 network, not the wildcard mask - placing it directly in an ACL would not correctly match the entire subnet.
0.0.0.224 (binary 11100000) is not the bitwise inverse of a /29 subnet mask and does not correspond to any standard subnet boundary for this prefix length.
0.0.0.8 is not a valid wildcard mask because its binary representation (00001000) is not a contiguous block of ones from the right, making it unsuitable for matching a contiguous subnet.
A 29-bit subnet mask equals 255.255.255.248 in dotted-decimal notation. The wildcard mask is the bitwise inverse of the subnet mask, so inverting 255.255.255.248 yields 0.0.0.7 (binary 00000111), which instructs the ACL to match the first 29 bits of an address while ignoring the last 3 bits - covering all hosts within the /29 subnet.
0.0.0.3 is the correct wildcard mask for a /30 subnet (255.255.255.252), not for a /29 subnet.
Concept tested: Calculating wildcard masks for Cisco ACLs
Source: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Topics
Community Discussion
No community discussion yet for this question.