Firewalls offer important security benefits for campus networks, but they are also an easy target for DoS attacks (intentional or unintentional) because of session limits, traffic that can't be offloaded to hardware and ends up on the CPU, etc.
One option to try to get the best of both worlds might be to use firewalls and ACLs together by implementing some form of policy-based redirect (Arista MSS Macro-Segmentation Services or Cisco Service Graphs with Policy-Based Redirect), basically classic policy-based routing (PBR).
One example implementation might be:
- Implement an L3 anycast gateway for the client networks in the campus switches
- Set up a linknet to the firewall in the same VRF as the client networks
- Create ACLs on the client SVIs that match and redirect all traffic except HTTPS/TCP 443 to the firewall linknet; traffic to the local DNS server should probably also not be redirected to the firewall
- Create ACLs for return traffic so the firewall is not confused by asymmetric routing: block non-established HTTPS (SYN only, no ACK) toward the client networks
Possible upsides:
- Clients should get excellent performance for HTTPS (most applications today?)
- Clients will still be able to access most internet resources (HTTPS + DNS) even if the firewall is down or overwhelmed by a DoS
- Firewalls can't really do much with encrypted HTTPS traffic except check the certificate CN/SAN name anyway, so sending all that data via the firewall doesn't help much?
- Stateful traffic that can't be handled via ACLs (like UDP) is still sent via the firewall, as are protocols that are not as well-known/polished as HTTPS
Possible downsides:
- Clients can send any TCP protocol (not just HTTPS) over port 443 and bypass the firewall
- No firewall logs for HTTPS traffic (NetFlow/sFlow instead?)
- Harder to troubleshoot when different protocols/applications are routed different ways
- Can't be used if you require NAT
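To make the two ACL decisions concrete, here is an added Python model of the forward and return policies described above; it is not a vendor config and not from the original post, and the client prefix, DNS server address and firewall next hop are constructed for the example.

```python
"""Model of the ACL/PBR split: TCP/443 and local DNS are routed directly,
everything else is redirected to the firewall linknet; on the return path
only established TCP/443 (ACK set) may skip the firewall."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (assumptions, not from the post).
CLIENT_NETS = [ip_network("10.10.0.0/16")]
LOCAL_DNS = ip_address("10.0.0.53")
FW_NEXTHOP = "10.255.0.2"  # firewall linknet next hop (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def _in_client_net(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in n for n in CLIENT_NETS)


def forward_policy(p: Packet) -> str:
    """Decision for a packet entering a client SVI (client -> outside)."""
    if p.proto == "tcp" and p.dport == 443:
        return "route"  # bypasses the firewall, whatever the real application is
    if p.dport == 53 and ip_address(p.dst) == LOCAL_DNS:
        return "route"  # DNS keeps working even if the firewall is down
    return f"redirect:{FW_NEXTHOP}"  # stateful/other traffic goes via firewall


def return_policy(p: Packet) -> str:
    """Decision for a packet heading toward a client network (outside -> client)."""
    if not _in_client_net(p.dst):
        return "route"  # not subject to this policy
    if p.proto == "tcp" and p.sport == 443:
        # Mirror of the bypass: only established segments may skip the firewall;
        # a bare SYN from outside on 443 is dropped so nobody can open sessions in.
        return "route" if p.ack else "drop"
    if p.sport == 53 and ip_address(p.src) == LOCAL_DNS:
        return "route"
    return f"redirect:{FW_NEXTHOP}"  # replies for firewalled flows stay symmetric
```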