Follow up from an IRC conversation.
https://netbox.wikimedia.org/ipam/aggregates/4/
Context here is that 185.15.56.0/22 barely has any "prod" IPs, and might be able to be removed as a whole from our ACLs. So we don't have to think about what part of that /22 is prod or not prod, as well as not risking typoing a /24 into a /23 or /22 in our ACLs.
185.15.59.0/24 is currently used for two interconnects (cr1-esams <--> mr1-esams and cr2-knams <--> mr1-esams) and Tilaa OOB.
https://github.com/wikimedia/operations-dns/blob/master/templates/59.15.185.in-addr.arpa
Renumbering the interconnects is straightforward, Tilaa OOB needs to sync up with them, but first we need to find new IPs, ideally in the 91.198.174.0/24 space.
From the following:
https://github.com/wikimedia/operations-dns/blob/master/templates/174.198.91.in-addr.arpa
We can use 91.198.174.240/31 for cr1-esams <--> mr1-esams
If we want the infrastructure IPs to be contiguous (e.g. in the same 91.198.174.224/27) we would need to move ns2.wikimedia.org to a different (lower) IP and reclaim "91.198.174.224/28 (224-239) out-of-subnet LVS service IPs".
As this is a heavy/risky operation, I don't think it's worth it.
We can however shrink the reservation "91.198.174.224/28 (224-239) out-of-subnet LVS service IPs" to 91.198.174.232/29
And use 91.198.174.224/29 for infrastructure, e.g. carve 91.198.174.224/31 for cr2-knams <--> mr1-esams
Using lower subnets (e.g. 91.198.174.144/28) for infrastructure (interco, etc.) adds fragmentation and might bite us later.
We can keep Tilaa OOB on 185.15.59.0/24, that way:
1/ Something is used on that subnet (less risk of theft)
2/ No need to bother them with a renumbering
3/ We can still remove 185.15.59.0/24 from any trusted lists
And revisit it when we need 185.15.59.0/24 or 91.198.174.232/29 for other purposes.
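
A way to sanity-check the carve-up and the trusted lists described above, as an added example that is not part of the original task. The prefixes are the ones quoted in the task; the sample trusted list is constructed, and treating 91.198.174.224/27 as the required home for both interconnects is an assumption.

```python
import ipaddress as ip
from itertools import combinations

# Prefixes quoted in the task above.
NON_PROD = ip.ip_network("185.15.56.0/22")      # to drop from trusted lists
INFRA_27 = ip.ip_network("91.198.174.224/27")   # block infra should stay in (assumed rule)
LVS_OLD = ip.ip_network("91.198.174.224/28")    # current LVS reservation
LVS_NEW = ip.ip_network("91.198.174.232/29")    # proposed shrunk reservation
INFRA_29 = ip.ip_network("91.198.174.224/29")   # proposed infrastructure block
LINKS = {
    "cr1-esams <--> mr1-esams": ip.ip_network("91.198.174.240/31"),
    "cr2-knams <--> mr1-esams": ip.ip_network("91.198.174.224/31"),
}

def check_plan():
    """Return a list of inconsistencies in the proposed carve-up (empty if none)."""
    problems = []
    if list(LVS_OLD.subnets(new_prefix=29)) != [INFRA_29, LVS_NEW]:
        problems.append("the two /29s do not split the old /28 exactly")
    for name, net in LINKS.items():
        if not net.subnet_of(INFRA_27):
            problems.append(f"{name}: {net} is outside {INFRA_27}")
        if net.overlaps(LVS_NEW) or net.overlaps(NON_PROD):
            problems.append(f"{name}: {net} collides with a reserved range")
    for (a, x), (b, y) in combinations(LINKS.items(), 2):
        if x.overlaps(y):
            problems.append(f"{a} and {b} overlap")
    return problems

def audit_trusted(entries):
    """Map each suspicious trusted-list entry to the reason it needs review."""
    flagged = {}
    for text in entries:
        # strict=False accepts a mistyped mask so the real coverage can be shown
        net = ip.ip_network(text, strict=False)
        if str(net) != text:
            flagged[text] = f"host bits set, actually matches {net}"
        elif net.overlaps(NON_PROD):
            flagged[text] = f"overlaps {NON_PROD}"
    return flagged

# Constructed sample entries, not a real ACL.
SAMPLE_TRUSTED = ["91.198.174.0/24", "185.15.59.0/24",
                  "185.15.59.0/23", "91.198.174.232/29"]

if __name__ == "__main__":
    print(check_plan() or "plan is consistent")
    for entry, reason in audit_trusted(SAMPLE_TRUSTED).items():
        print(f"{entry}: {reason}")
```

A mask typo that still lands on a valid network boundary and stays outside 185.15.56.0/22 (for example a /23 starting on an even third octet) is not caught by this check and still needs review against the intended allocation.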