> If your network switches are MAC-address locked
... then you value obscurity over security.
If you *must* do port authentication, then use 802.1X (i.e. the user has credentials to access the network).
But better to go the BeyondCorp route, and not trust the network at all. All app communication is either over HTTPS or VPN.