Subnetting math has a reputation for being scary that it doesn’t deserve. The actual operations are simple — subtraction, division, and rounding down to a multiple. The hard part is knowing which numbers to plug in. Once you have a small repeatable procedure, you can solve any “what’s the network ID and broadcast for this address?” question in about thirty seconds, on paper, without a calculator.
This is lesson 3 of Networking from Scratch. Lesson 2 set up the picture: an IPv4 address is 32 bits, the prefix length tells you how many of those bits are network, and the rest are host. This article gives you the mechanics — how to actually answer the four questions you’ll be asked over and over for the rest of your career.
The four questions you’ll always be answering
- Network ID — the address of the subnet itself. All host bits are zero. You can’t assign this to a host.
- Broadcast address — the last address in the subnet. All host bits are one. You can’t assign this to a host either.
- First and last usable hosts — everything between the network ID and the broadcast.
- Next subnet — where does this subnet end and the next one begin?
Get those four and you have everything: total addresses, usable addresses, the boundary, the neighbour. The whole exercise is a four-step procedure that I’ll lay out here.
The magic number method, in four lines
This is the technique most people end up using once they’ve done a few hundred subnetting problems. It’s called the “magic number” method because there’s exactly one magic number per problem and you compute it once.
magic = 256 - (the relevant octet of the subnet mask)
network = round the address octet down to a multiple of magic
broadcast = network + magic - 1
next subnet = network + magicThat’s the whole thing. Four lines. Let’s actually use it.
Step zero: figure out which octet matters
The mask is a sequence of ones followed by zeros — 32 bits total, written as four octets. The “interesting” octet is the one that’s neither all-ones nor all-zeros. There can only be one of those, because the mask transitions from ones to zeros exactly once.
Here’s a table of every possible mask octet and its CIDR value:
| Octet value | Bits set | Adds to /N count |
|---|---|---|
0 |
0 | 0 |
128 |
1 | +1 |
192 |
2 | +2 |
224 |
3 | +3 |
240 |
4 | +4 |
248 |
5 | +5 |
252 |
6 | +6 |
254 |
7 | +7 |
255 |
8 | +8 |
Worth memorising. Those nine numbers are the only ones that ever appear in a valid IPv4 mask, and the magic-number method works on whichever octet of the mask isn’t 255 or 0.
Quick conversion between mask form and CIDR:
| CIDR | Subnet mask | Interesting octet |
|---|---|---|
/8 |
255.0.0.0 |
2nd |
/16 |
255.255.0.0 |
3rd |
/24 |
255.255.255.0 |
4th |
/25 |
255.255.255.128 |
4th |
/26 |
255.255.255.192 |
4th |
/27 |
255.255.255.224 |
4th |
/28 |
255.255.255.240 |
4th |
/29 |
255.255.255.248 |
4th |
/30 |
255.255.255.252 |
4th |
/22 |
255.255.252.0 |
3rd |
/20 |
255.255.240.0 |
3rd |
Worked example 1: an easy /24
Question: what’s the network and broadcast for 192.168.10.42/24?
Mask is 255.255.255.0. Interesting octet: the 4th. Mask value there: 0.
magic = 256 - 0 = 256
network = round 42 down to a multiple of 256 = 0
broadcast = 0 + 256 - 1 = 255
next subnet = 0 + 256 = 256 (which carries to the next octet up)So:
- Network ID:
192.168.10.0 - Broadcast:
192.168.10.255 - First host:
192.168.10.1 - Last host:
192.168.10.254 - Next subnet:
192.168.11.0
Confirms what you already knew about a /24 — 256 addresses, 254 usable. The math is just doing the same thing more formally.
Worked example 2: the awkward /28
Question: what’s the network and broadcast for 192.168.10.85/28?
A /28 mask is 255.255.255.240. Interesting octet: 4th. Mask value: 240.
magic = 256 - 240 = 16
network = round 85 down to a multiple of 16
16 * 5 = 80, 16 * 6 = 96, so 80
broadcast = 80 + 16 - 1 = 95
next subnet = 80 + 16 = 96Result:
- Network ID:
192.168.10.80 - Broadcast:
192.168.10.95 - First host:
192.168.10.81 - Last host:
192.168.10.94 - Next subnet:
192.168.10.96
16 addresses total, 14 usable. The whole calculation took about 15 seconds. The trick is knowing that /28 means the magic number is 16, then asking yourself “what’s the largest multiple of 16 that’s less than or equal to 85?” The answer is 80.
Worked example 3: across an octet boundary (/22)
This is the case that scares people. The prefix doesn’t land on a dot, so the network ID has to span a non-zero octet.
Question: what’s the network for 10.5.79.200/22?
A /22 mask is 255.255.252.0. Interesting octet: 3rd (because the 4th is 0, an “all-zero” host octet, and the first two are all ones).
magic = 256 - 252 = 4
network = round the 3rd octet (79) down to a multiple of 4
4 * 19 = 76, 4 * 20 = 80, so 76
broadcast = next subnet's third octet - 1, with all 4th-octet bits = 1
next subnet = 76 + 4 = 80Putting it together:
- Network ID:
10.5.76.0(the 3rd octet snaps to 76, the 4th is zero) - Broadcast:
10.5.79.255(3rd octet is one less than the next subnet’s 76+4=80, so 79; 4th is all-ones, so 255) - First host:
10.5.76.1 - Last host:
10.5.79.254 - Next subnet:
10.5.80.0
That subnet contains 4 * 256 = 1024 addresses, 1022 usable. Once you’ve done two or three of these, the pattern is obvious: the magic number tells you the step size in the interesting octet, and any octets to the right of the interesting one go from 0 in the network ID to 255 in the broadcast.
Subnet-size cheat sheet
Memorise this once and you’ll never have to recompute the count:
| CIDR | Total addresses | Usable hosts | Magic number (4th octet) |
|---|---|---|---|
/24 |
256 | 254 | 256 |
/25 |
128 | 126 | 128 |
/26 |
64 | 62 | 64 |
/27 |
32 | 30 | 32 |
/28 |
16 | 14 | 16 |
/29 |
8 | 6 | 8 |
/30 |
4 | 2 | 4 |
/31 |
2 | 2 (point-to-point) | 2 |
/32 |
1 | 1 (host route) | 1 |
The pattern is clean: each step halves the size. /24 = 256, then 128, 64, 32, 16, 8, 4, 2, 1. If someone asks you “how many hosts in a /27?” you should be able to answer “30” in under a second.
Note on /31: historically /31 didn’t make sense because there were only two addresses and one was the network ID, one was the broadcast. RFC 3021 redefined /31 for point-to-point links so both addresses can be hosts. Modern routers and Linux kernels honour this; you’ll see /31s on router-to-router links to save addresses.
Going the other way: how big a subnet do I need?
The other common question: “I need to fit N hosts; what prefix do I use?”
The formula is: usable hosts = 2ⁿ – 2, where n is the number of host bits. Reverse it:
| Hosts needed | Host bits required | Prefix | Usable hosts |
|---|---|---|---|
| 2 | 2 (or use /31) | /30 | 2 |
| 5 | 3 | /29 | 6 |
| 10 | 4 | /28 | 14 |
| 20 | 5 | /27 | 30 |
| 50 | 6 | /26 | 62 |
| 100 | 7 | /25 | 126 |
| 200 | 8 | /24 | 254 |
| 500 | 9 | /23 | 510 |
| 1000 | 10 | /22 | 1022 |
The prefix is always 32 - n. Round up to the next power-of-two host count, count the bits, subtract from 32. Don’t use a /27 for 30 hosts and assume you can grow into it — you can’t; /27 only has 30 usable. If you might grow to 35, pick /26.
VLSM in one paragraph
VLSM (Variable Length Subnet Masking) just means “you can use different prefix lengths for different subnets in the same network.” Your big LAN can be a /23, your point-to-point router links can be /30s, your DMZ can be a /28. The internet has worked this way since the early 1990s; classful addressing (the original idea that the prefix length was implied by the first octet) is dead, has been for decades, and isn’t worth learning except as history. Every modern protocol carries the prefix explicitly with the address.
Practice problems
Try these. Answers below the table.
| # | Address | Find |
|---|---|---|
| 1 | 10.0.0.130/25 |
Network, broadcast, first/last host |
| 2 | 172.20.5.99/27 |
Network, broadcast, usable count |
| 3 | 192.168.1.130/30 |
Is this a usable host or a reserved address? |
| 4 | 10.10.130.50/22 |
Network, broadcast (the awkward one) |
| 5 | How many hosts fit in a /26? |
One number |
Answers:
- Magic = 128. Network =
10.0.0.128. Broadcast =10.0.0.255. First/last =.129 / .254. - Magic = 32. 99 rounded down to 32-multiple = 96. Network =
172.20.5.96. Broadcast =172.20.5.127. 30 usable hosts. - Magic = 4. 130 rounded down = 128. Network =
192.168.1.128, broadcast =.131..130is one of the two usable hosts. (Other usable:.129.) - Interesting octet is the 3rd. Magic = 4. 130 rounded down to 4-multiple = 128. Network =
10.10.128.0. Broadcast =10.10.131.255. - 62 hosts (64 total, minus network and broadcast).
If those felt mechanical, congratulations — subnetting is now mechanical for you. The 30-second-per-problem speed comes from doing maybe twenty more of these, not from memorising more theory.
Things that trip people up
- The magic number is for one octet. Not the whole address. Find the interesting octet first.
- Round down the address octet, not up. The network ID is always less than or equal to the address, never greater.
- Octets to the right of the interesting one are
0in the network ID and255in the broadcast. Always. - Octets to the left of the interesting one don’t change. They’re part of the network portion already.
- The mask doesn’t belong to the address. Two computers can have the same IP and different masks; they’re on different networks.
What’s next
You can now subnet anything. The next article in the pathway switches from “here’s an address, what does it mean?” to “how did this device get its address in the first place?” That’s DHCP — the four-packet exchange that hands out IPs to every laptop, phone, and IoT thing on a network — and ARP, the protocol your computer uses to actually find the next-hop’s hardware address once it knows the IP.
Bookmark the magic-number formula. You’ll use it on the job at least once a week, and it’ll pay for itself the first time you have to design a subnet on the back of a napkin during an outage.