Windows
MeroVingeR, 2013-10-31 22:09:41

Issuing IP addresses by MAC, or a paranoid dream

A small server running Windows Server 2008 R2 hosts a domain, DNS and DHCP.

N computers running Windows XP/7 are joined to the domain and thus connected to the server.
After another mug of coffee, another wave of paranoia hits the company director, and he demands that IPs be bound to MACs for the already installed computers and that automatic issuing of IP addresses to unknown ones be disabled, so that insidious workers do not plug their laptops into the network and pump out all the plans for taking over the world.

Given that the company's business processes are tied to small-scale products, and accordingly to the available software licenses, and that rigidly binding IP to MAC at the router level is not possible (N is a very large number), the question arises: how can a poor administrator meet the paranoid manager's requirements at minimal cost?

PS Our hard-working admin thought about moving DNS and DHCP to Linux, but he is held back by the boss's stern look (since that means an extra server) and the saying "if it works, don't touch it".

PPS A slight complication of the task:
Is it possible to set up tracking of "unfamiliar" computers connecting to the network?
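For the PPS, one cheap way to notice unfamiliar machines without touching the switches is to watch the DHCP server's own audit log and compare every leased or denied MAC against the inventory. The script below is an added example, not part of the question or of any answer; the `$Known` inventory and the log rows are constructed here, and the log path and the seven leading column names (ID, Date, Time, Description, IP Address, Host Name, MAC Address) are those of the Windows Server 2008 R2 DHCP audit log. It is written for the PowerShell 2.0 that 2008 R2 ships with.

```powershell
# Added example, not from the thread: flag DHCP audit-log rows whose MAC is not
# in the known-machine inventory. On 2008 R2 the audit log lives in
# $env:windir\System32\dhcp\DhcpSrvLog-<Day>.log; data rows start with a numeric
# event ID and the first seven columns are
# ID,Date,Time,Description,IP Address,Host Name,MAC Address.
$Known = @('001122334455', '0050C2112233')   # constructed inventory, 12 hex digits, upper case

function Get-UnknownDhcpClients {
    param([string[]] $Lines, [string[]] $KnownMacs)
    $Lines |
        Where-Object { $_ -match '^\d+,' } |          # skip the comment/header block
        ForEach-Object {
            $f = $_ -split ','
            if ($f.Count -lt 7) { return }            # malformed row: skip it
            New-Object PSObject -Property @{
                Id = $f[0]; Date = $f[1]; Time = $f[2]; Event = $f[3]
                Ip = $f[4]; Host = $f[5]; Mac = $f[6].ToUpper()
            }
        } |
        Where-Object { $_.Mac -and ($KnownMacs -notcontains $_.Mac) }
}

# Constructed sample of a log file (IDs 10 = new lease, 11 = renewal, 15 = lease denied).
$SampleLog = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcpv6Status
10,11/01/13,08:15:02,Assign,192.168.10.11,acct-pc01.corp.local,001122334455,,1122334455,0,,,
11,11/01/13,08:15:40,Renew,192.168.10.20,printer-3f.corp.local,0050C2112233,,1122334466,0,,,
10,11/01/13,12:42:17,Assign,192.168.10.57,LAPTOP-GUEST,E4B318AABBCC,,1122334477,0,,,
15,11/01/13,12:50:03,Deny,192.168.10.0,,A0B1C2D3E4F5,,1122334488,0,,,
'@ -split "`r?`n"

Get-UnknownDhcpClients -Lines $SampleLog -KnownMacs $Known |
    Format-Table Date, Time, Id, Event, Ip, Host, Mac -AutoSize

# Against the real logs on the server (run as a local administrator):
# Get-UnknownDhcpClients -Lines (Get-Content "$env:windir\System32\dhcp\DhcpSrvLog-*.log") -KnownMacs $Known
```

On the constructed sample the two rows with MACs E4B318AABBCC and A0B1C2D3E4F5 are reported. Scheduling the real-log variant to run every few minutes and mail the result is enough for a small office; it only sees machines that actually ask the DHCP server for an address, so a laptop with a static IP never appears here, which is the limit the later answers point out.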

7 answers
Nikolai Turnaviotov, 2013-11-01
@MeroVingeR

The first point is ordinary MAC-to-IP binding; the entry is made on any DHCP server.
The second and remaining points are explained to the boss briefly: there will be no security on dumb unmanaged switches of the "D-Link for 50 bucks" class, because security costs money: proper managed switches with ACL and VLAN support that can configure their ports depending on a) the incoming MAC (a dumb old network printer, or a door box from the access control system)
and b) configure the switch port according to:
1. configuring workstations for password authentication on the network, i.e. after entering a valid domain login/password the switch port is put into the desired VLAN (accounting, admins, support, test VLAN) and gets an IP address from the desired subnet.
3. logging connections to switch ports to a dedicated log server, with notifications sent at the level of "port fa0/1/2 on switch2.campus3.company.local is up"; knowing where the switch is located and which socket is patched to that port, you can send a guard to "room 123, 3rd floor, building 3" to see who is having fun there.

mcleod095, 2013-11-01
@mcleod095

It always amuses me when people start saying that it is on Windows and moving to *nix is not possible. Especially when it comes to DHCP.
If you really need it, then go and read about DHCP and you may realize that it works the same way on Windows and on *nix; only the implementations differ.
From Wikipedia:
The DHCP protocol provides three ways to allocate IP addresses:
Manual allocation. With this method, the network administrator maps the hardware address (for Ethernet networks, this is the MAC address) of each client computer to a specific IP address. In fact, this way of allocating addresses differs from manually configuring each computer only in that the address information is stored centrally (on the DHCP server), and therefore it is easier to change it if necessary.
Automatic allocation. With this method, each computer is allocated an arbitrary free IP address from the range defined by the administrator for permanent use.
Dynamic allocation. This method is similar to automatic allocation, except that the address is issued to the computer not for permanent use but for a certain period. This is called an address lease. After the lease expires, the IP address is again considered free, and the client is obliged to request a new one (however, it may turn out to be the same). In addition, the client itself can refuse the received address.
Choose what you need and read how it is implemented in your software.
Yes, this will not help against MAC address spoofing; other protection measures are needed there.
And as a follow-up.
Two address pools are created. In one, everything is configured the way you want and the way it should be.
The second pool is a fake one; address issuance from this pool is allowed to everyone, but there are no servers in that network. They just get an IP address and nothing more. When a computer requests an address via DHCP and there is no way to hand one out, it hangs for a long time. And that also hints that there is something to break into. So let them use a fake network.

smartlight, 2013-10-31
@smartlight

I believe you can't get by without replacing the switches with ones that support IP + MAC binding.

Ilya Evseev, 2013-11-01
@IlyaEvseev

In DHCP, make all bindings static.
For all unused IP addresses, make static ARP entries on the Windows Server with a bogus MAC address.
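Putting these two steps, together with the manual-allocation part of Nikolai's and mcleod095's answers, into commands on the 2008 R2 box itself, as an added example that is not from any of the answers. It assumes a scope 192.168.10.0/24 with pool .10 to .49 on the local DHCP server, a LAN adapter named "Local Area Connection", and a constructed three-machine inventory; it uses netsh because 2008 R2 has no DhcpServer PowerShell module. The allow-list filter is the 2008 R2 link-layer filtering feature that actually stops unknown MACs from getting a lease; the static ARP entries only affect the server's own neighbour cache, so they keep the server from talking to a squatter on a free address but do nothing for the rest of the LAN. As the other answers say, none of this stops a laptop with a static IP or a cloned MAC.

```powershell
# Added example, not from the thread. Assumptions: local Windows Server 2008 R2
# DHCP server, scope 192.168.10.0/24 with pool .10-.49, adapter named
# "Local Area Connection". Uses netsh (the DhcpServer module only came with 2012).
$Scope     = '192.168.10.0'
$PoolStart = 10
$PoolEnd   = 49
$Adapter   = 'Local Area Connection'

# Constructed inventory of the known machines (name, MAC, fixed IP).
$Inventory = @(
    @{ Name = 'acct-pc01';  Mac = '00-11-22-33-44-55'; Ip = '192.168.10.11' },
    @{ Name = 'acct-pc02';  Mac = '00-11-22-33-AA-BB'; Ip = '192.168.10.12' },
    @{ Name = 'printer-3f'; Mac = '00-50-C2-11-22-33'; Ip = '192.168.10.20' }
)

foreach ($h in $Inventory) {
    $ip   = $h.Ip
    $name = $h.Name
    $mac  = $h.Mac -replace '-', ''          # add reservedip takes 12 hex digits
    # Manual allocation: the reservation pins this MAC to one address.
    netsh dhcp server scope $Scope add reservedip $ip $mac $name 'inventory' DHCP
    # Link-layer filtering (new in 2008 R2): put the MAC on the allow list.
    netsh dhcp server v4 add filter allow $h.Mac $name
}
# Enforce the allow list: MACs not on it get no offer from this server at all.
netsh dhcp server v4 set filter enforceallowlist 1

# Second step: a bogus static ARP entry on the server for every unused pool
# address. This only touches the server's own neighbour cache.
$used = $Inventory | ForEach-Object { $_.Ip }
for ($i = $PoolStart; $i -le $PoolEnd; $i++) {
    $ip = "192.168.10.$i"
    if ($used -notcontains $ip) {
        netsh interface ipv4 add neighbors $Adapter $ip 00-00-00-00-00-01 store=persistent
    }
}
```

Run it once from an elevated PowerShell on the DHCP server; reservations and filter entries are idempotent to re-add only in the sense that netsh reports an error for a duplicate, so keep the inventory file as the single source and rebuild from it when a machine is added or retired. The DHCP audit log still records every lease, so the same inventory doubles as the allow list for whatever log monitoring is used to answer the PPS.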

rozhik, 2013-11-01
@rozhik

This defense is a fool's defense. Even children can set a static IP. Well, you tied the IPs to the MACs, but that did not add one bit of security.

sharikoff, 2013-11-03
@sharikoff

A Cisco switch for the whole office + port security.

Yaroslav Eremin, 2013-11-26
@YaroslavEremin

The correct solution is to implement IEEE 802.1X tied to Network Access Protection services in your Windows Server.
