> Just isolating on a separate network isn’t enough — if an attacker compromises a single machine, then they get access to that network.
Eh, no. You'd isolate it on a VLAN where only people who need access to ILO have access. Now, let's zoom out for a moment, does the sales dept. need access to ILO? No. Does the CEO need access to ILO? No. So machines on these VLANs do not have access to that VLAN. And, if the machine of a sysadmin is compromised, you're into deep shit as it is.
Suppose you have 500 servers. You carefully put each of the 500 iLOs on the special iLO VLAN, you can enable 802.1X or MACsec or magical locked Ethernet jacks or whatever and make absolutely certain that only perfectly trustworthy IT admins using perfectly trustworthy computers can touch that network.
And you still lose! Because an attacker can compromise an unimportant sales computer, escalate to root (or SYSTEM), and compromise that computer’s iLO via the internal pretend-PCI transport as discussed in the OP. And now the attacker is on the supposedly secure iLO VLAN.
Replace iLO with any other BMC or BMC-like solution (AMT, for example), and the scope of this issue should be apparent.
To mitigate this, either proper hardware rooted security for BMCs is needed (giving a strong zero-trust model) or a very carefully configured network that isolates all hosts from each other. Or, preferably, both.
It could be an unimportant sales server. [0] Not everyone has a fleet of essentially interchangeable Kubernetes servers, and a credible threat model should allow compromise of a single server without permanently infecting the entire fleet with an APT.
[0] Windows Server, Citrix, etc are real. Just because it has an old fashioned GUI doesn’t mean it doesn’t have rack ears and a management port.
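An added example to go with the in-band argument above (not code from anyone in this thread): a small Python audit that a sysadmin can run as root on a server to see whether the condition being described holds, i.e. the host has an in-band IPMI path to its own BMC *and* the BMC's LAN side sits on the management VLAN. It assumes `ipmitool` is installed, that the BMC speaks IPMI over LAN, and that the management range below is the site's BMC/iLO VLAN (a constructed value; substitute your own). The canned `ipmitool lan print` output at the bottom is constructed so the script runs offline.

```python
"""Audit: can root on this host reach the BMC in-band, and is that BMC on the mgmt VLAN?

Added example for the thread, not the original posters' code. Assumptions:
  - `ipmitool lan print` output format (Key : Value lines, VLAN as 'Disabled' or an id)
  - in-band IPMI is exposed by the kernel as /dev/ipmi* (KCS/BT/SSIF to the BMC)
  - MGMT_NETWORKS is the iLO/BMC VLAN range (constructed value, change it)
"""
import ipaddress
import re
import subprocess
from glob import glob

# Constructed: CIDR range(s) the site reserves for the BMC/iLO VLAN.
MGMT_NETWORKS = [ipaddress.ip_network("10.99.0.0/16")]


def parse_lan_print(text):
    """Extract the BMC's LAN settings from `ipmitool lan print` output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    ip = fields.get("IP Address")
    vlan = fields.get("802.1q VLAN ID", "Disabled")
    return {
        "ip": ip if ip and ip != "0.0.0.0" else None,
        "vlan": None if vlan.lower() == "disabled" else int(vlan),
        "source": fields.get("IP Address Source"),
    }


def host_has_inband_ipmi(devices):
    """True if the kernel currently exposes an IPMI device node to the host OS.
    Caveat: absence is not a mitigation; root can load ipmi_si (or poke the KCS
    I/O ports directly), so this only reports the path that is already open."""
    return any(d.startswith("/dev/ipmi") for d in devices)


def assess(lan_print_text, devices, mgmt_networks=MGMT_NETWORKS):
    """Combine both checks into the finding the thread is arguing about."""
    bmc = parse_lan_print(lan_print_text)
    on_mgmt = bool(bmc["ip"]) and any(
        ipaddress.ip_address(bmc["ip"]) in net for net in mgmt_networks
    )
    inband = host_has_inband_ipmi(devices)
    return {
        "bmc_ip": bmc["ip"],
        "bmc_vlan": bmc["vlan"],
        "bmc_on_mgmt_net": on_mgmt,
        "host_inband": inband,
        # Root on this host can talk to the BMC without ever touching the NIC,
        # and the BMC itself has a leg on the management VLAN.
        "exposed": inband and on_mgmt,
    }


def assess_live():
    """Run the real commands on this host (needs root and ipmitool installed)."""
    out = subprocess.run(
        ["ipmitool", "lan", "print"], capture_output=True, text=True, check=True
    ).stdout
    return assess(out, glob("/dev/ipmi*"))


# Constructed sample, shaped like `ipmitool lan print` for a BMC with a static address.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.99.4.17
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:55
Default Gateway IP      : 10.99.4.1
802.1q VLAN ID          : 99
"""

if __name__ == "__main__":
    # Offline demo with the constructed sample; use assess_live() on a real host.
    print(assess(SAMPLE_LAN_PRINT, ["/dev/ipmi0"]))
```

A positive `exposed` result means the VLAN design in the reply above does nothing for this box: whoever gets root here is one `ipmitool` away from the iLO VLAN. Note that a negative `host_inband` only says the driver is not loaded right now; the fix that actually closes the path has to come from the BMC side (hardware-rooted host authentication, or the BMC refusing to bridge in-band requests to its LAN channel), not from the host.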