Hi hrobers, thanks for your reply
I did same manipulation as you, but still able ping management hosts, here is network details
-------- show run ---------
....
interface vlan "100"
ip nat inside
description "MGMT-GW"
ip address 172.16.100.1 255.255.255.0
!
interface vlan "200"
ip nat inside
description "CLIENT-GW"
ip address 172.16.200.1 255.255.255.0
-------- ACL config ---------
(ARUBA) (config) # ip access-list stateless ACL1
(ARUBA) (config-stateless-ACL1)#network 172.16.200.0 255.255.255.0 any any deny
(ARUBA) (config-stateless-ACL1)#any any any permit
(ARUBA) (config) #interface vlan 100
(ARUBA) (vlan "100") #ip access-group out ACL1
------------show run ------
....
interface vlan "100"
ip nat inside
ip access-group out ACL1
description "MGMT-GW"
ip address 172.16.100.1 255.255.255.0
Either with this config still able to ping from VLAN 200 to VLAN 100