Below is an example of my configuration. As you can see, only my management VLAN 200 has an IP configured.
200=Management
201=Corporate
202=Guest
(HomeLAB-MM01) [00:0c:29:21:be:c2] #mdconnect
(HomeLAB-MC01) [MDC] *#show ip interface brief
Interface    IP Address / IP Netmask           Admin   Protocol   VRRP-IP
vlan 200     172.16.200.31 / 255.255.255.0     up      up
vlan 1       unassigned / unassigned           down    down
vlan 201     unassigned / unassigned           up      up
vlan 202     unassigned / unassigned           up      up
loopback     unassigned / unassigned           up      up
mgmt         unassigned / unassigned           down    down
When you look at the configuration of my interface, you see the switch port mode is "trunk".
VLANs 200, 201 and 202 are allowed; VLAN 200 is the native (untagged) VLAN and VLANs 201 and 202 are tagged.
In the last part you see all VLANs 1-4094 are trusted, which means this traffic doesn't need a firewall role and does not hit the internal firewall to pass layer 2 traffic.
# show configuration effective
interface gigabitethernet 0/0/0
    description GE0/0/0
    switchport mode trunk
    switchport trunk allowed vlan 200-202
    switchport trunk native vlan 200
    no spanning-tree
    trusted
    trusted vlan 1-4094
One side note: if you use a captive portal for guest traffic, it must have an IP address on each controller to reach the firewall for doing a DNS redirection. But that is another discussion...
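
An added example, not part of the original post: a small Python audit that reads interface stanzas like the one above and reports, per trunk port, which allowed VLANs are trusted (and so skip the firewall role, as the post describes) and how many trusted VLANs fall outside the allowed list. The names `expand` and `audit_trunks` are hypothetical, and the script assumes a VLAN is treated as trusted only when the port itself also carries `trusted`.

```python
import re
# Constructed sample: the interface stanza quoted in the post.
SAMPLE = """\
interface gigabitethernet 0/0/0
    description GE0/0/0
    switchport mode trunk
    switchport trunk allowed vlan 200-202
    switchport trunk native vlan 200
    no spanning-tree
    trusted
    trusted vlan 1-4094
"""
PATTERNS = {  # report field -> config line carrying its VLAN list
    "allowed": r"switchport trunk allowed vlan ([\d,\- ]+)",
    "native": r"switchport trunk native vlan (\d+)",
    "trusted": r"trusted vlan ([\d,\- ]+)",
}

def expand(spec):
    """Expand a VLAN list such as '200-202,210' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunks(config):
    """Hypothetical helper: per trunk port, which allowed VLANs are trusted."""
    ports, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            cur = ports[line[10:]] = {"trunk": False, "port_trusted": False,
                                      "allowed": set(), "native": set(), "trusted": set()}
        elif line == "!":
            cur = None  # end of stanza
        elif cur is not None:
            cur["trunk"] |= line == "switchport mode trunk"
            cur["port_trusted"] |= line == "trusted"
            for key, pat in PATTERNS.items():
                if m := re.fullmatch(pat, line):
                    cur[key] = expand(m[1])
    report = {}
    for name, p in ports.items():
        trusted = p["trusted"] if p["port_trusted"] else set()  # assumption: port must be trusted too
        if p["trunk"]:
            report[name] = {"native": max(p["native"], default=None),
                            "trusted_allowed": sorted(p["allowed"] & trusted),
                            "untrusted_allowed": sorted(p["allowed"] - trusted),
                            "trusted_not_allowed": len(trusted - p["allowed"])}
    return report
```

Run against the stanza above, it reports VLANs 200, 201 and 202 as trusted on the trunk and 4091 trusted VLAN IDs that the port does not allow.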