I've tried to set up a separate VLAN for a lab environment on one of my HP switches (J9279A/J9280A).
Network schema:

                  WAN
                   |
                   GW
                   |
                 port1
                   |
    SW_2---Trk1---SW_1---Trk2---SW_3

Subnets:
- 192.168.100.0/24 - vlan 1 - management network, switches, router, etc.
- 192.168.10.0/24 - vlan 2 - user devices
- 192.168.50.0/24 - vlan 3 - iscsi devices
- 10.100.0.0/16 - vlan 100 - lab subnet (that is not working at the moment)

SW_1 config:

    vlan 1
       name "Management"
       forbid 2
       untagged 1,Trk1-Trk2
       ip address 192.168.100.240 255.255.255.0
       no untagged 2-20
       jumbo
       ip proxy-arp
       exit
    vlan 2
       name "users"
       forbid 4,6,8,10,12,19-20
       untagged 2-3,5,7,9,11,13-18
       ip address 192.168.10.240 255.255.255.0
       tagged 1,Trk1-Trk2
       jumbo
       exit
    vlan 3
       name "iscsi"
       forbid 2-3,5,7,9,11,13-18
       untagged 4,6,8,10,12,19-20
       tagged 1,Trk1-Trk2
       jumbo
       exit
    vlan 100
       name "10.100"
       forbid 2-20
       tagged Trk1-Trk2
       exit

SW_2 config:

    vlan 1
       name "Management"
       forbid 1-22
       untagged Trk1
       ip address 192.168.100.241 255.255.255.0
       no untagged 1-22
       jumbo
       exit
    vlan 2
       name "users"
       forbid 7-16
       untagged 1-6,17-22
       tagged Trk1
       jumbo
       exit
    vlan 3
       name "iscsi"
       forbid 1-6,8-22
       untagged 7
       tagged Trk1
       jumbo
       exit
    vlan 100
       name "10.100"
       untagged 8-16
       exit

SW_3 config:

    vlan 1
       name "Management"
       forbid 1-46
       untagged Trk1
       ip address 192.168.100.242 255.255.255.0
       no untagged 1-46
       jumbo
       ip proxy-arp
       exit
    vlan 2
       name "users"
       untagged 1-35,45-46
       no ip address
       tagged Trk1
       jumbo
       exit
    vlan 3
       name "iscsi"
       forbid 1-6,8-46
       tagged Trk1
       jumbo
       exit
    vlan 100
       name "10.100"
       forbid 4-35,37-46
       untagged 36
       tagged Trk1
       exit

The device (IBM X3550 M2) is connected to SW_2 on ports 11-12. Interface configuration:

    auto eth2
    iface eth2 inet static
        address 10.100.0.11
        netmask 255.255.0.0
    auto eth3
    iface eth3 inet static
        address 10.100.0.12
        netmask 255.255.0.0

My understanding is that, in the current configuration, this device should lie in its own separate network, inaccessible from any other VLAN. I've done some testing and, to my surprise, I am able to connect to this machine.
I've run Wireshark to see what's going on, and a broadcast ping (ping -b 10.100.255.255) is also received by my PC, which is connected to port 1 on SW_3 (untagged in VLAN 2).
Configuration of interface on my PC:

    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 08:00:27:d9:83:4f brd ff:ff:ff:ff:ff:ff
        inet 192.168.10.16/24 brd 192.168.10.255 scope global eth0
           valid_lft forever preferred_lft forever
        inet 10.100.0.2/32 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 fe80::a00:27ff:fed9:834f/64 scope link
           valid_lft forever preferred_lft forever

Could anyone explain to me what is going on, and how this should be set up correctly?
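
A membership check for the three posted switch configs, as an added example that is not part of the original post: it parses the vlan stanzas and reports, per switch, which ports are in a given VLAN and which trunks on that switch do not carry it. The CONFIGS strings are condensed from the configs above (membership lines only, with ";" standing for a newline), and the function names are this example's own.

```python
import re

CONFIGS = {  # condensed from the post; ";" stands for a newline
    "SW_1": "vlan 1;untagged 1,Trk1-Trk2;no untagged 2-20;"
            "vlan 2;untagged 2-3,5,7,9,11,13-18;tagged 1,Trk1-Trk2;"
            "vlan 3;untagged 4,6,8,10,12,19-20;tagged 1,Trk1-Trk2;"
            "vlan 100;forbid 2-20;tagged Trk1-Trk2",
    "SW_2": "vlan 1;untagged Trk1;no untagged 1-22;"
            "vlan 2;untagged 1-6,17-22;tagged Trk1;vlan 3;untagged 7;tagged Trk1;"
            "vlan 100;untagged 8-16",
    "SW_3": "vlan 1;untagged Trk1;no untagged 1-46;"
            "vlan 2;untagged 1-35,45-46;tagged Trk1;vlan 3;tagged Trk1;"
            "vlan 100;forbid 4-35,37-46;untagged 36;tagged Trk1",
}

def expand(spec):
    """Expand a port list such as '1,Trk1-Trk2' or '8-16' into a set of port names."""
    ports = set()
    for part in spec.split(","):
        m = re.fullmatch(r"([A-Za-z]*)(\d+)(?:-\1(\d+))?", part)
        if not m:
            raise ValueError(f"unrecognised port spec: {part!r}")
        ports |= {f"{m[1]}{n}" for n in range(int(m[2]), int(m[3] or m[2]) + 1)}
    return ports

def parse(config):
    """Return {vlan_id: {port: 'tagged' | 'untagged'}} for one switch."""
    vlans, cur = {}, None
    for line in re.split(r"[;\n]", config):
        words = line.split()
        negate, words = (True, words[1:]) if words[:1] == ["no"] else (False, words)
        if len(words) == 2 and words[0] == "vlan" and not negate:
            cur = vlans.setdefault(int(words[1]), {})
        elif len(words) == 2 and words[0] in ("tagged", "untagged") and cur is not None:
            for port in expand(words[1]):
                if not negate:
                    cur[port] = words[0]
                elif cur.get(port) == words[0]:  # "no untagged 2-20" drops membership
                    del cur[port]
    return vlans

def vlan_report(configs, vid):
    """Per switch: (ports in VLAN vid, trunks on that switch that do not carry it)."""
    report = {}
    for sw, cfg in configs.items():
        vlans = parse(cfg)
        trunks = {p for ports in vlans.values() for p in ports if p.startswith("Trk")}
        report[sw] = (vlans.get(vid, {}), sorted(trunks - set(vlans.get(vid, {}))))
    return report
```

Run as vlan_report(CONFIGS, 100), it lists ports 8-16 as the only VLAN 100 members on SW_2 and reports Trk1 on that switch as a trunk that is not a member of VLAN 100.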