At the core of our network we have a single MX100. As we start to have more branch sites (mostly using MX64s or MX84s) we are considering adding a second MX100 or possibly an MX250 and pointing part of the sites to that as another hub. Would this be a good design? What alternatives do you recommend? I don't see the value in going to redundant MX400s yet, since we aren't necessarily that large and it would be quite a bit more costly since we already have a production MX100. Thanks for any feedback.
Depending on your requirements, having redundant VPN hubs could add redundancy in case of a VPN or site failure. Why not look at deploying 2 MX100s in HA with 2 WAN uplinks for redundancy?
If using HA are they both active or is one passive?
Normally they are active/standby. This scenario is very popular because you don't have to buy a licence for the standby unit - just the hardware. This configuration is also very simple and robust.
You can do active/active (in which case you do need to buy a licence for both units), but it is a lot more complicated. You have to enable dynamic routing using OSPF. You have to have an OSPF network core. Also, the head ends cannot be directly attached to the same subnet, so you normally have to introduce stub network connections for the head ends.
Also, the MS250 is considerably more powerful than an MX400 (and cheaper). No one should be buying new MX400s for new Meraki deployments now. Only those already with an MX400 and wanting a standby should be buying them.
My advice - get a standby MX100 (only need to buy hardware).
When you get to 200 sites (assuming each site has a single VPN back to the MX100), then consider upgrading to a pair of MX250s.
I don't think sites would be as much the issue as clients. Each of my sites can have between 10-50 clients. I'm worried about hitting that limit on the MX100 far before the VPN connection limit. Thoughts?
The limit is for clients behind the MX (such as on the local LAN) and not on remote sites. And it is not so much a limit as an indication of how much capacity the box has to handle the workload offered.
Right, but once one site AutoVPNs to the core, isn't the core inheriting all of those clients? Aside from maybe any traffic that is routing directly out the local MX.
By default the MX is set to track clients by MAC address. It can only see the MAC address of local clients. It does not see the MAC address of remote clients.
You can change the default in "Security Appliance/Addressing & VLANs/Client tracking" to track by IP address instead. If you did this then you might need to give additional consideration to the size of the box.
https://documentation.meraki.com/MX-Z/Monitoring_and_Reporting/Client_Tracking_Options