Zar747, 2020-02-12 14:53:16

How can I figure out on Cisco why the VLANs became visible to each other?

In general, before the New Year some kind of mess happened with the network and the trouble began: all VLANs became visible to each other, and there are more than 24 of them
(users, telephony, cameras, servers, etc.).
In general, we have:
- two data centres with virtual machines (each with its own storage system); the data-centre hardware is in VLAN 250, the virtual servers in VLAN 100
- two core switches, Catalyst 4500
the stacks and the data centres connect to them via trunks:

!
interface TenGigabitEthernet2/10
description ----- Link to STACK1 -----
 switchport trunk allowed vlan 10,20,30,40,50-55,57,60,61,104,110,192,200,250........
 switchport mode trunk
!
interface GigabitEthernet3/5
 description --link to the DC (actually I also suspect glitches in vCenter with its virtual switch)--
 switchport trunk allowed vlan 10,20,30,50-53,55,57,60,61,100,104,110,200,250........
 switchport mode trunk
!
!
interface GigabitEthernet3/6
 description ----- link to ESXi -----
 switchport trunk allowed vlan 10,20,30,50-53,55,57,60,61,100,104,110,200,250..........
 switchport mode trunk
!         
.... etc. ........

- 3x3 stacks of Cisco C2960S; the ports there are configured purely as access ports, for example for users:
!
interface GigabitEthernet1/0/5
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 spanning-tree portfast
 spanning-tree bpduguard enable
!

- there is also a C2951 router, but more on it below.
From each stack there is 10 Gbit optics to the 4500s (to both).
The 4500 Catalysts are connected to each other with 10 Gbit optics.

So ... that was the diagram .... there is still a lot of other hardware, like 4 more hardware ports ... a Cisco WLC5508, but that doesn't matter.
Back to the Catalyst 4500:
all VLANs are defined there
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description ----- Users Vlan -----
 ip address 10.100.10.2 255.255.255.0
 ip helper-address 10.100.100.250
 no ip redirects
 standby 10 ip 10.100.10.1
 standby 10 timers 1 3
 standby 10 priority 110
 standby 10 preempt delay minimum 120
 ip policy route-map Internet_access
! (and then the Internet rules themselves)
!

By default all traffic goes to the C2951, and the Internet_access rules give Internet to whoever is allowed it, but I don't think the problem is there either (I shut down the ports going to it, and nothing changed except the Internet). There are also various subnets that go to the VPN, but I will give the main one as an example:
!
ip route 0.0.0.0 0.0.0.0 10.100.200.1
ip route 10.0.0.0 255.0.0.0 10.100.100.212
!


And the problem itself is that users (VLAN 10) began to get into VLANs not intended for them (for example, VLAN 61):
traceroute to 10.100.61.32 (10.100.61.32), 30 hops max, 60 byte packets
 1  10.100.10.2 (10.100.10.2)  0.897 ms  1.037 ms  1.126 ms
 2  10.100.61.32 (10.100.61.32)  0.418 ms  0.524 ms  0.610 ms

What should I tweak ... point me in the right direction.


1 answer
Denis Sechin, 2020-02-12
@tamogavk

Look where these VLANs are terminated and cut them off with access-lists there.
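The VLANs here are terminated on the Catalyst 4500 SVIs (the traceroute reaches VLAN 61 in two hops, via the 10.100.10.2 gateway), so the filter belongs on the SVI. Below is an added example, not code from the question or the answer, of an inbound ACL on interface Vlan10 that keeps DHCP relay, HSRP and server access working while blocking and logging the user VLAN's attempts to reach other internal VLANs; it assumes VLAN 61 is 10.100.61.0/24, that the servers/DHCP sit in 10.100.100.0/24, that all local VLANs fall under 10.100.0.0/16, and the ACL name is illustrative.

```cisco
! Added example (not from the original post). Assumed: VLAN 61 = 10.100.61.0/24,
! servers = 10.100.100.0/24, local VLANs = 10.100.0.0/16, ACL name illustrative.
ip access-list extended USERS_VLAN10_IN
 remark -- DHCP discover/request from clients, relayed by ip helper-address --
 permit udp any eq bootpc any eq bootps
 permit udp 10.100.10.0 0.0.0.255 host 10.100.100.250 eq bootps
 remark -- HSRP hellos between the two 4500s must not be filtered --
 permit udp any host 224.0.0.2 eq 1985
 remark -- users may ping/reach their own gateway addresses (SVI and HSRP VIP) --
 permit icmp 10.100.10.0 0.0.0.255 10.100.10.0 0.0.0.255
 remark -- users may reach the server VLAN (DNS, AD, file services) --
 permit ip 10.100.10.0 0.0.0.255 10.100.100.0 0.0.0.255
 remark -- block and log the camera VLAN explicitly, then every other local VLAN --
 deny   ip 10.100.10.0 0.0.0.255 10.100.61.0 0.0.0.255 log
 deny   ip 10.100.10.0 0.0.0.255 10.100.0.0 0.0.255.255 log
 remark -- what remains: VPN subnets (10/8 via 10.100.100.212) and Internet --
 permit ip 10.100.10.0 0.0.0.255 any
!
interface Vlan10
 description ----- Users Vlan -----
 ip access-group USERS_VLAN10_IN in
!
```

Apply the same ACL on both 4500s, since HSRP can move the active gateway between them; the ip policy route-map still runs after the ACL, so Internet traffic keeps going to the C2951. `show ip access-lists USERS_VLAN10_IN` and the log entries from the deny lines show which hosts were crossing into other VLANs.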
