No ACL on the uplink port of the controller, and the VLAN is trusted (VLAN 130 in this case):
interface gigabitethernet 2/24
description "gig2/24"
trusted
trusted vlan 1-4094
switchport mode trunk
switchport trunk native vlan 135
switchport trunk allowed vlan 1,99,109-110,115,120,130-131,135,150,170,1038,1221
"Show acl hits role Staff" output:
User Role ACL Hits
------------------
Role Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index
---- ------ --- --- ------- ------ ----------- -------- ---------- -----
Staff allowall any any any permit 860 9036 8676