Hi,
I found there is a big security problem on 3Com switches that support
FastIP.
Steps:
1. Configure the switch to enable FastIP (this only appears in the web configuration);
2. Create 2 port-based VLANs, such as vlan 100 and vlan 200;
3. Add ports to vlan 100 and vlan 200;
4. Prepare 2 PCs and connect them to ports belonging to the different VLANs;
5. Configure the 2 PCs' IP addresses so that they are in the same IP segment;
6. Look up the 2 PCs' MAC addresses, then register them as static ARP records
using "arp -s ...";
7. Now these 2 PCs can ping each other, passing across the different
VLANs!
I made a capture using Ethereal; no NHRP packets were
captured.
And some vendors' equipment (such as Huawei) does not need the
static ARP to be input.
Conditions:
1. Switches: 3Com 3300SM
Operational Version : 2.71
Hardware Version : 0
Boot Version : 1.00
MAC Address : 00:04:0b:80:2a:78
Product Number : 3C16987A
Serial Number : 7MCV5802A78
2. PCs: 3 types of OS tested: Windows XP, Linux and TP-LINK Wireless Router
NIC: 3 types of NIC tested: RTL8139, 3Com905c (embedded on mainboard),
Intel pro/100+
zt
Received on Mon May 1 00:52:27 2006
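
An added example, not part of the original post: a check that captures taken on host ports contain no frames from a sender attached to a port in a different port-based VLAN, which is the isolation property the steps above report as broken. The port numbers, MAC addresses and frame list are constructed sample data, and the check assumes untagged access ports with a known inventory of which host is on which port.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "capture_port src dst")

# Constructed sample data (ports and MACs are made up, not from the post).
PORT_VLAN = {1: 100, 2: 100, 13: 200, 14: 200}   # port-based VLAN membership
MAC_PORT = {                                      # port each known host is attached to
    "00:11:22:33:44:01": 1,    # PC A, VLAN 100
    "00:11:22:33:44:02": 13,   # PC B, VLAN 200
    "00:11:22:33:44:03": 14,   # PC C, VLAN 200
}
FRAMES = [                                        # frames seen in captures on host ports
    Frame(13, "00:11:22:33:44:01", "00:11:22:33:44:02"),  # A -> B, seen at B
    Frame(13, "00:11:22:33:44:03", "00:11:22:33:44:02"),  # C -> B, same VLAN
    Frame(1,  "00:11:22:33:44:02", "00:11:22:33:44:01"),  # B -> A, seen at A
    Frame(13, "00:11:22:33:44:01", "FF:FF:FF:FF:FF:FF"),  # A's broadcast, seen at B
    Frame(13, "00:AA:BB:CC:DD:EE", "00:11:22:33:44:02"),  # sender not in inventory
]


def find_vlan_leaks(frames, port_vlan, mac_port):
    """Return (leaks, unknown).

    leaks: (frame, src_vlan, capture_vlan) for frames whose sender is attached
    to a port in a different VLAN than the port the frame was captured on.
    unknown: frames that cannot be judged because the sender or port is not
    in the inventory; these need manual review rather than a silent pass.
    """
    leaks, unknown = [], []
    for frame in frames:
        capture_vlan = port_vlan.get(frame.capture_port)
        src_vlan = port_vlan.get(mac_port.get(frame.src.lower()))
        if capture_vlan is None or src_vlan is None:
            unknown.append(frame)
        elif src_vlan != capture_vlan:
            leaks.append((frame, src_vlan, capture_vlan))
    return leaks, unknown


if __name__ == "__main__":
    leaks, unknown = find_vlan_leaks(FRAMES, PORT_VLAN, MAC_PORT)
    for frame, src_vlan, capture_vlan in leaks:
        print(f"LEAK vlan {src_vlan} -> vlan {capture_vlan}: "
              f"{frame.src} -> {frame.dst} on port {frame.capture_port}")
    for frame in unknown:
        print(f"UNKNOWN sender {frame.src} on port {frame.capture_port}")
```

Run it over captures taken before and after a configuration or firmware change to see whether frames still cross the VLAN boundary.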