Mikrotik
mcrack, 2021-02-27 13:47:44

How to prevent other routers from working in Mikrotik?

Hello, we have a Mikrotik router in our organization. Switches are connected to it, and employees on site have outlets where they connect their computers. To ensure security, I need that if an employee connects a router to one of these outlets, that router gets no access to the network and does not distribute the Internet at all.

Can you please tell me how to cut off all routers on the network?

The organization is large and I don't want to go around all the offices every time to check, so I want to cut them off right away and not worry about it.


4 answer(s)
nApoBo3, 2021-02-27
@nApoBo3

802.1x, the rest is done without significant difficulties. But implementing 802.1x on a network is not a trivial task.

vreitech, 2021-02-27
@fzfx

Let's say you have managed switches.
Then you either set up 802.1X with a RADIUS server (which few people will take on, because it's troublesome), or restrict the switch ports by MAC address (which will work until some cunning employee turns up who sets the MAC of his own computer on his router). This is also troublesome, in the long run even more so than the previous option.
If the switches are unmanaged, restricting by MAC is possible, most likely on the Mikrotik as well (depending on the model), but access to the local network cannot be blocked this way.
However, if the organization is large and well run, it will easily manage the first option.

Fenrir89, 2021-02-27
@Fenrir89

The most trivial thing, as they wrote to you in the comments, is to cut all traffic in excess of TTL, only it does not increase in the switch.
More complex: AD + proxy + internal DNS.
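
The TTL idea from the answer above, turned into a detection check (an added example, not part of any answer in this thread). It assumes a flat layer-2 LAN in which computers reach the Mikrotik only through switches, so a directly attached host arrives with its OS default TTL and anything behind an extra router arrives decremented; the observations are constructed and the function names are hypothetical.

```python
from collections import defaultdict

# Default initial TTLs: Linux/macOS/phones 64, Windows 128, much network gear 255.
INITIAL_TTLS = (64, 128, 255)

# Constructed sample: (source MAC, source IP, TTL) seen on the router's LAN interface.
SAMPLE = [
    ("aa:aa:aa:00:00:01", "192.168.88.10", 128),  # Windows PC, direct
    ("aa:aa:aa:00:00:01", "192.168.88.10", 128),
    ("aa:aa:aa:00:00:02", "192.168.88.11", 64),   # Linux PC, direct
    ("aa:aa:aa:00:00:03", "192.168.88.12", 127),  # Windows host behind a router
    ("aa:aa:aa:00:00:03", "192.168.88.12", 63),   # phone behind the same router
    ("aa:aa:aa:00:00:04", "192.168.88.13", 63),   # single odd packet
    ("aa:aa:aa:00:00:05", "192.168.88.14", 1),    # link-local traffic sent with TTL 1
]


def hops_from_ttl(ttl, max_hops=4):
    """Return L3 hops already travelled, or None if no common initial TTL fits."""
    for initial in INITIAL_TTLS:
        if 0 <= initial - ttl <= max_hops:
            return initial - ttl
    return None


def find_routed_macs(observations, min_packets=2):
    """Return {mac: count} for MACs sending packets that crossed >= 1 router.

    min_packets suppresses one-off anomalies; TTLs that match no common
    initial value (for example TTL 1) are ignored rather than flagged.
    """
    routed = defaultdict(int)
    for mac, _ip, ttl in observations:
        if hops_from_ttl(ttl):  # skips None (unknown) and 0 (direct)
            routed[mac] += 1
    return {mac: n for mac, n in routed.items() if n >= min_packets}


if __name__ == "__main__":
    for mac, count in find_routed_macs(SAMPLE).items():
        print(f"{mac}: {count} packets arrived with a decremented TTL")
```

TTL is only a heuristic, so this complements rather than replaces the port-level controls (802.1X, MAC restrictions) described in the other answers.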

AntHTML, 2021-03-01
@anthtml

Security is ensured not only by software and hardware, but also by administrative means.
Internet access should go through a proxy that rules out simply reaching it from a mobile phone, and of course with logging of who goes where.
As for unauthorized routers, it is enough to have a reference in the job description / contract to the information security policy, which spells out a ban on the unauthorized connection of any devices and on changing key settings.
