Hey there GUY: 172.16.1.0 with a wildcard mask of 0.0.0.127 means the same as 172.16.1.0/25. In other words, only various combinations of the last seven bits may have been manipulated to form the host addresses that belong to the subnetwork that this acl will affect. This makes the range 172.16.1.0 to 172.16.1.127 (not 128, as you wrote)
Similarly, 172.16.1.128 0.0.0.127 will affect the range from 172.16.1.128 to 172.16.1.255. What you've written: "172.16.1.0/28 to 172.16.1.128/28" isn't really a range, but rather two different subnets available with /28 masks. There are sixteen: 172.16.1.0/28 172.16.1.16/28 172.16.1.32/28 ...etc until you get to 172.16.1.240/28 The 'first' eight of these (.o/28 through .112/28) all share the same bit structure through the first 25 bits, so that is why the first example acl you cited (172.16.1.0 with a wildcard mask of 0.0.0.127) would work for that. Similarly, the 172.16.1.128 0.0.0.127 will block out the rest because the bit structure for all of those is the same for the first 25 bits. Remember , the wildcard mask just tells the router to ignore anything that's masked out with a "1" bit in the mask. HTH :-{)] Mark A. Morenz, MS Ed, CCNA, CCAI Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=23674&t=23648 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]