How to block a Wi-Fi network scan app

W-ALI
Level 1

Hello,

Is there any solution to prevent Wi-Fi connected users from using mobile applications like the Fing app (a Wi-Fi network scanner)? I already configured the ACL below on the Wi-Fi-connected port on the switch, but it is useless.

40 deny tcp 172.22.179.0 0.0.0.255 any eq 161
60 deny udp 172.22.179.0 0.0.0.255 any eq snmp
80 deny ip 172.22.179.0 0.0.0.255 172.22.179.0 0.0.0.255
100 permit ip any any

Any solution?


18 Replies

Rasika Nayanajith
VIP Alumni

What type of WLC do you have (AireOS based or IOS-XE based)? Maybe by using the AVC (Application Visibility & Control) feature you should be able to drop traffic from that application.

HTH
Rasika
*** Pls rate all useful responses ***

MikeRamos
Level 1

Hey W-AL:

As @Rasika Nayanajith (btw, big fan of your blog) said, it depends on what platform you are running.

If it is AireOS:

1- Create an AVC Profile under WIRELESS Tab > Application Visibility and Control. You can actually choose from a pretty long list of applications there and whether you want to permit or deny them.

2- Apply said AVC Profile to the SSID under the QoS Tab of the WLAN (or Guest LAN).

If running IOS-XE (i.e. 9800 WLCs): I recommend the "Understanding and Troubleshooting Cisco Catalyst 9800 Series Wireless Controllers" book (or eBook) at Ciscopress for more info.

1- Create a QoS Policy under Configuration > Services > QoS and choose which applications you want to block.

2- Once created, attach said QoS Policy to the Policy Profiles you want it applied to (Selected section) and choose the desired direction in which traffic should be blocked.

3- (Optional) Double check that said QoS Policy was correctly applied to the desired Policy Profile under the QoS and AVC Tab (Egress or Ingress).

W-ALI
Level 1

@MikeRamos @Rasika Nayanajith 

Thanks for your reply.

The WLC: AIR-AP1815I-I-K9 and AIR-AP1832I-I-K9

Please advise if that is possible.

Thanks in advance.

W-ALI
Level 1

@MikeRamos @Rasika Nayanajith 

As per the attached print screen, I can't find any Wi-Fi network scanner application such as

Wireless Network Watcher or Fing.

Is there any category name?

Hey W-AL:

Seems like your APs are in Autonomous Mode running Cisco Mobility Express. From your screenshot above, try looking in the networking application group (or other network-related groups) to see if you can find it there.

The AVC profile utilizes NBAR to recognize the traffic passing through the WLC (in your case the APs) and sometimes it has to be updated. With each update, more applications are added to the pool. Suffice to say that the newer the application you want to block is, the fewer chances you have of finding it in AireOS AVC since Cisco is moving away from that platform in favor of Catalyst 9800. I can almost guarantee you will have better chances of finding those apps in C9800.

Also, (and as an alternative) you can enable NBAR on your switch, provided that it can do so, and create a class-map/policy-map (Traffic Shaping) to address your issue with the unwanted traffic, however, the same idea stated above applies here: If your switch is kind of old chances are you are not going to have that app in the pool. This alternative, btw, is how you do traffic shaping in Catalyst 9800 WLCs, the only difference with a real switch is that in the 9800 you apply it to the Policy Profile.

Thanks @MikeRamos for this info, really appreciated.

The AVC profile on AIR-AP1815 & AIR-AP1832 doesn't include all network scanner apps; however, I'm seeking to find any solution to prevent the category of network scanner apps.

Maybe in future I must buy the new WLC technology to get the best options.

Thanks mate for your info & support.

It is my absolute pleasure, @W-ALI !

Yeah, I figured you wanted to do more like an application group type of blocking instead of a specific app. The C9800 does a tremendous job at that and has quite a lot of apps in NBAR. You can also achieve this if you have Catalyst 9K switches, so the QoS Traffic Shaping will then happen at the switch level instead of the WLC one, since they run the same NBAR packages.

Rich R
VIP

I don't think @W-ALI's question is really about that specific app - it's about network scanning apps in general.
Since you're apparently using ME, we assume flex mode with local switching.
It depends what your users need to access on the local networks, but the same general principle applies.
Your ACL should deny all IP traffic to local subnets (assuming users don't need to access anything on the local subnet), eg:
deny ip any 172.22.179.0 0.0.0.255 then permit everything else
permit ip any any
*but* this does not prevent ARP, so the scanning app can still ARP for every IP on the subnet to discover which IP addresses 'exist', but it cannot do any more than that - it can't ping or probe them.
You could also do a packet capture to see exactly what the app is doing and make sure the ACL covers all the possibilities.
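The caveat above (an IP ACL never sees ARP) can be checked with a small model. This is an added illustration, not code from the thread or from Cisco: it encodes the poster's original ACL and Rich R's simplified one with Cisco wildcard-mask semantics and evaluates a few constructed frames from a hypothetical client 172.22.179.50.

```python
import ipaddress
# Constructed model (not Cisco code) of the two ACLs discussed in the thread:
# the poster's original switch-port ACL and Rich R's simplified version.
# Entry fields: seq, action, protocol, src, src wildcard, dst, dst wildcard, dst port
ANY = ("0.0.0.0", "255.255.255.255")
LOCAL = ("172.22.179.0", "0.0.0.255")
ORIGINAL_ACL = [
    (40, "deny", "tcp", *LOCAL, *ANY, 161),
    (60, "deny", "udp", *LOCAL, *ANY, 161),
    (80, "deny", "ip", *LOCAL, *LOCAL, None),
    (100, "permit", "ip", *ANY, *ANY, None),
]
RICH_ACL = [
    (10, "deny", "ip", *ANY, *LOCAL, None),
    (20, "permit", "ip", *ANY, *ANY, None),
]

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def evaluate(acl, frame):
    """First matching entry wins; implicit deny at the end. A non-IP frame
    (ARP) is never inspected by an IP ACL, which is Rich R's caveat above."""
    if frame["ethertype"] != "ip":
        return "not inspected"
    for _seq, action, proto, src, swc, dst, dwc, dport in acl:
        if proto != "ip" and proto != frame["proto"]:
            continue
        if not (wildcard_match(frame["src"], src, swc)
                and wildcard_match(frame["dst"], dst, dwc)):
            continue
        if dport is not None and frame.get("dport") != dport:
            continue
        return action
    return "deny"  # implicit deny

# Constructed sample frames from a Wi-Fi client 172.22.179.50 (hypothetical addresses)
SRC = "172.22.179.50"
FRAMES = {
    "arp_sweep": {"ethertype": "arp", "src": SRC, "dst": "172.22.179.77"},
    "ping_neighbour": {"ethertype": "ip", "proto": "icmp", "src": SRC, "dst": "172.22.179.77"},
    "snmp_query": {"ethertype": "ip", "proto": "udp", "src": SRC, "dst": "10.1.1.1", "dport": 161},
    "https_internet": {"ethertype": "ip", "proto": "tcp", "src": SRC, "dst": "203.0.113.10", "dport": 443},
}
def results(acl):
    """Action taken on every sample frame under the given ACL."""
    return {name: evaluate(acl, f) for name, f in FRAMES.items()}
```

Under both ACLs the ARP frame comes back "not inspected", while the ICMP probe to a neighbour is denied; this is why a capture of the app's actual traffic is the right way to confirm what the ACL does and does not cover.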

Yes @Rich R, that's exactly what I mean.

I already did the ACL to deny internal IPs from reaching each other,

but if any user gets the ARP table, that means an issue,

because I applied & enabled the MAC filtering option, which allows any user who gets the ARP table to register another device after changing the MAC with any app.

I think the best practice is to find a way to prevent the app from getting the ARP table.

Thank you very much for your support.

I'm not sure there is any easy way to block the ARP, but we've never really tried, and I don't think NBAR will be able to do it either.

Wait, this is all wrong.

@W-ALI wants to block users from using an IP scanner and discovering the MAC addresses.

No one can stop anyone from using an app. No one. And, equally, no one can say, "do not scan our network" unless someone really wants to court trouble.

Anyone, however, can minimize the scope of the scan by segmenting the network with VRF or a firewall. The firewall can say, "if you are in the public WiFi subnet, you cannot go anywhere else but the internet". That means public WiFi users have no access to the corporate subnet.

So it will definitely not help if the public WiFi subnet and the corporate subnet are the same or one big 10.0.0.0/8 subnet. Now that is really asking for trouble.

Next, does anyone know what the implication is if someone decides to unilaterally block ICMP echo from the network? I do. Things break. Internet of Trash with poorly written code will stop working if ICMP echo response is disabled or blocked.

Finally, does it make any difference what is found? Random MAC address is enabled by default.

Thanks @Leo Laohoo for your great input.

I would like to clarify more.

The Wi-Fi VLAN is created on the firewall with the ACL below:

permit to some internal server IPs by ports

deny to private networks (192.168.XX, 10.X.X.X, 172.16.0.0-172.31.255.255)

permit to any

I also created the ACL below on the switch port connected to the Wi-Fi:

40 deny tcp 172.22.179.0 0.0.0.255 any eq 161
45 deny icmp 172.22.179.0 0.0.0.255 any echo
60 deny udp 172.22.179.0 0.0.0.255 any eq snmp
80 deny ip 172.22.179.0 0.0.0.255 172.22.179.0 0.0.0.255
100 permit ip any any (28008 matches)

The random MAC option is disabled because I enabled MAC filtering to avoid any user registering more devices,

so if any bad user gets the real MAC by ARP, maybe they can make trouble for other registered users.

So I'm trying to find any solution to prevent that.

@W-ALI wrote:

The Random MAC option disabled because I enabled MAC filtering to avoid any user from register more devices

Wut? No. This is wrong.
Only the owner of the end devices has the "last say" on random MAC addresses because the clients are owned by THEM (and not you).

@W-ALI wrote:

so if any bad user get the real MAC by ARP , maybe can make troubles for other registered users.

If I turn on random MAC addresses on my WiFi clients, no one will know but me. No one.
Remember, random MAC addresses are already enabled by default.

Again, the entire issue about "stop scanning my network" is not going to work. It is a hopeless exercise and benefits no one.

Thanks @Leo Laohoo for your reply and notes.

We forced the Wi-Fi users to disable the random MAC option and provide me with the real device MAC to add it to the whitelist, because I enabled MAC filtering, so if random MAC is enabled the login will fail.

The purpose of the whitelisted MAC is to prevent users from adding any other device, because they already have the SSID password.

However, in the past I enabled 802.1X login by domain user & password, but I couldn't find any way to allow just one concurrent session; the users were logging in from laptops and also mobiles, because I have no captive portal to allow just one concurrent login,

so for that I disabled 802.1X and allowed MAC filtering.

I'm just looking for the best practice to secure the Wi-Fi with the capabilities currently available.
