arp – Blocking network scanning attempts at the switchport

Have noticed that I can scan the network though I have set an arp limit rate on the Cisco switch switchport and need some recommendations.

The previous engineer set an arp rate limit of 200 and probably with good reason too… looking at you Windows OS! :-]

But that allowed strangers to connect their laptops to the network and scan it.
I’ve set the arp limit to 50 which triggers into the ‘err-disable’ state soon after I start scanning.

But if I scan a different subnet to the one I’m currently connected to, the switchport does not go into err-disable and I can successfully scan.

Can anyone recommend some reading materials and provide tips if any to mitigate this?

Thanks in advance for any assistance.