There is only 1 data centre and 11 branch sites. Some sites have only 1 or 2 APs.
 
Would I need an MX at each site as indicated in the design?
 
One design goal is to isolate the guest traffic. I know this can be done at the AP but what is the best practice?
 - An MX at each of the larger sites then combine the smaller sites with a shared MX?