Hi @to_at !
Yeah, you are not the only one who's puzzled here, I am feeling the same, but thanks to your tests and observations seems like this puzzle slowly arranges to something more clear...
Let's take the PC with IP 192.168.0.11 that uses 1920s as a default gateway and confirm the following:
1. You can successfully reach 192.168.200.2 (vlan 200) and 192.168.201.2 (vlan 201) from my desktop PC, it means that if you initiate a connection from your PC to those two hosts in vlans 200 and 201 everything works as expected.
2. Ping from switch UI to 192.168.0.11 using 192.168.0.2 as source IP works fine
3. Ping from switch UI to 192.168.0.11 using either 192.168.200.1 or 192.168.201.1 fails
4. Ping from 192.168.200.2 or from 192.168.200.2 to 192.168.0.2 works (it has nothing to do with 192.168.0.11, but I decided to include this to the list)
5. Ping from 192.168.200.2 or from 192.168.201.2 to 192.168.0.11 fails.
If all that points are correct, it looks like a firewall issue on 192.168.0.11. Two facts point us to this root cause:
1. You can successfully reach hosts in VLANs 200 and 201 when initiate bi-directional connection (you mentioned PuTTY, so it must be either telnet or ssh connection to 192.168.200.2, nothing was mentioned about 192.168.201.2 though, but I guess it won't be the issue) from 192.168.0.11. So it looks like it can't be routing or uni-directional routing issue, as neither telnet nor ssh would be able to establish.
2. Ping to 192.168.0.11 from switch UI with source IP 192.168.201.1 fails with error "destination port unreachable". This error means that 192.168.0.11 got the ICMP echo from 192.168.201.1 and replied back with this error and this packet reached 192.168.201.1. It looks like routing works fine, but the destination simply rejects those echo requests. Here is what RFC 792 says:
If, in the destination host, the IP module cannot deliver the datagram because the indicated protocol module or process port is not active, the destination host may send a destination unreachable message to the source host.
In order to completely exclude routing from the list of possible trouble-makers, I suggest you to run Wireshark (or tcpdump) on 192.168.0.11 and on 192.168.200.2 (it won't hurt if you run it on 192.168.201.2 as well) and try to ping 192.168.0.11 again. Normally packet capturing software can see packets before they got rejected by software firewall, so chances are if you ping again 192.168.0.11 from either 192.168.201.1 or 192.168.201.2 or even 192.168.200.2 in the capture running on 192.168.0.11 you will see incoming ICMP requests from those hosts and then reply from your PC - "destination unreachable (port unreachable)"