The first thing to know: at the end of the ACE list there is a hidden implicit "deny any", so whatever does not pass a test line gets denied, which is what you are seeing.
You should add an "allow ip any" at the end of the ACEs if you need traffic to pass that wasn't in the test lines.
You applied your acl to the inbound (pkts coming into vlan3), but you really wanted to apply it at vlan2.
To me, you could employ a couple of types of ACLs:
RACL - routed ACLs to test the traffic coming into the vlan...only layer 3 traffic, and can be applied in or out
VACL - vlan ACLs to block inter-vlan traffic...only layer 2 - the vlan broadcast domain traffic, and once applied it tests "in" traffic only.
1) apply the specific subnets you want to access the server vlan as ACL in on vlan2
2) apply a VACL on the other vlans to block the traffic from each client on that vlan
a) your example acl would be to apply it as "in" on vlan2 - that is a RACL
b) create an ACL that looks like:
-
ip access-list extended "acl-vl3-to-vl3"
permit ip 172.18.0.0 0.0.255.255
vlan 3 ip access-group acl-vl3-to-vl3 vlan
-
Step b) above is a VACL.
====
Get this CLI ref guide from the HP Networking site and look in the vlan section for basic quick examples: (starting at pg 197)
http://h10144.www1.hp.com/docs/training/HP-Networking-and-Cisco-CLI-Reference-Guide_June_10_WW_Eng_ltr.pdf
This guide has a lot of other "stuff" in it, including comparisons between ProVision ASIC, Comware5, and Cisco CLIs, but it allows for perhaps a bit easier learning when trying to implement a specific feature/function than sometimes reading the actual manuals.
hth...Jeff
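
The first-match evaluation and the implicit deny described in the reply above, modelled as an added Python example that is not part of the original post and is not switch code. The 172.18.0.0 0.0.255.255 range comes from the post; the server subnet 10.0.2.0 0.0.0.255, the catch-all entry and the sample packets are constructed assumptions.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard mask is 0."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")  # wildcard of all ones matches everything

def evaluate(aces, src, dst):
    """Walk the ACEs top-down; the first match decides. No match = implicit deny."""
    for number, (action, src_spec, dst_spec) in enumerate(aces, 1):
        if wildcard_match(src, *src_spec) and wildcard_match(dst, *dst_spec):
            return action, f"ace {number}"
    return "deny", "implicit deny"

# Constructed sample data. CLIENTS is the range from the post; SERVERS and
# every packet below are assumptions made for this example.
CLIENTS = ("172.18.0.0", "0.0.255.255")
SERVERS = ("10.0.2.0", "0.0.0.255")

ACL_STRICT = [("permit", CLIENTS, SERVERS)]
ACL_WITH_CATCH_ALL = ACL_STRICT + [("permit", ANY, ANY)]

PACKETS = [
    ("172.18.3.10", "10.0.2.5"),  # client range to server subnet
    ("172.19.1.1", "10.0.2.5"),   # source outside the permitted range
    ("172.18.3.10", "10.0.9.9"),  # destination outside the server subnet
]

def run(acl):
    """Return the (action, reason) verdict for each sample packet."""
    return [evaluate(acl, src, dst) for src, dst in PACKETS]

if __name__ == "__main__":
    for name, acl in (("strict", ACL_STRICT), ("catch-all", ACL_WITH_CATCH_ALL)):
        for (src, dst), (action, why) in zip(PACKETS, run(acl)):
            print(f"{name:10} {src:>12} -> {dst:<10} {action:6} ({why})")
```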