ARP security issue

Hi.
I am about to turn my network over to static ARP entries and apply “arp-reply only” on the WLAN.

But one question, having studied the dynamic entries over a few days, then simply making each one static after cross refering them to my user database, I note that with my MT’s running in pseudo-bridge, that I have a MAC address for the Wlan of that with the appropriate IP of the bridged interface.
Then I have the same MAC showing up against the customer IP address of his PC and when then is also an IP phone involved, another IP address, ALL against the same MAC.

Is that right? I am assuming that I cant go wrong by just substituting static against those entries that were dynamically found… But I cant help wondering how it works when its possible to have 3 IP addresses against 1 MAC address in the ARP table.

Can someone put my mind at rest please?

if there are three host beihind an ap in station mode, the router acting as AP will see three diferent ips with the same mac, no matter wich arp mode is selected, if the wireless conection is wds or bridge in all the wireless nodes the router will be able to ‘see’ each mac

in reply-only mode, the router will not answer the arp broadcast from your clients, so you will have to add manually ip and mac