Default Deny rule is not working on one of the policy rules
When policy role default action is "Deny" traffic is still allowed through the filter.
Functioning as designed. When a vlan is returned in RFC3580 it has the same effect as default action "Contain to vlan." This means that any packet that doesn't match a rule is placed in the defined vlan.