I have a site where there is 5 buildings all with a cross-connect to a MDF. All network routing is working with this poor setup but some network Level 2 leaks happen (DHCP being most common). Is there a way to limit the current bonded interfaces to only work with Level 3 and higher networks to eliminate this problem? Yes a Level 3 Spine switch is the answer but this client does not have the funds to do this so trying to see if can create it based on current setup.

Setup is 5 * CRS125 with 2 bonded links back to the Main CRS125

My theory is limit the bonded links to Level 3 network only. Meaning Level 1 and 2 can only happen within that building but still allow data to move freely across full site on the level 3 and 4.

I'd hesitate to call DHCP "L2", it's a regular IP protocol, except that part of the exchange uses broadcast addresses. So I'd say you need to attach the following ingress ACL rules to the trunk ports:

• drop frames carrying IP/UDP packets towards server port (67)
• accept frames carrying IP packets
• accept frames carrying ARP packets
• accept STP BPDUs and other "link-local" traffic (by dst-mac-address)(?)
• drop the rest

If IPv6 is used there, I'm not sure it is enough to drop RA packets and their solicitations.

But somehow a lot is missing in the picture - you say the whole network is a flat L2, but then where are the "legal" DHCP servers? I.e. would it not be a better solution to use VLANs, creating groups of ports which cannot leak to each other at all, and route the traffic among these groups?