Hi Pierre,

The first design 1armed.jpg is standard one arm mode deployment, the only care to take is to SNAT the client request using source group (with adding dstination service) so that reply packet from servers is seen by CSS.

The second design 2armed.jpg is something which i never saw. Here you tried to put VLAN 10 as client VLAN between CSS and firewall and where VIP resides, but VLAN 11 where in server resides is what i am not clear about. Servers are in VLAN 11 but their segment is that of vlan 10 (172.16.10.20) and gateway is circuit vlan 10 of CSS. I beleive this design will not work with CSS. If instead we have ACE or CSM we can configured them in bridge mode where in we bridge vlan 10 and vlan 11 and assign IP 172.16.10.10 to BVI rather to any specific VLAN.

Regarding speed Q? the 100 mbps fasthethernet port as uplinks of CSS which have services connected on 1gig, will technically not posses any challenge, because these are L2 throughputs. Also there will always be difference between CSS uplink and actual service bandwidth as a single CSS can be configured with 100 of real servers so these L2 bandwidth shall not hamper untill  CSS is processing a lot of local traffic (like management or probes) and this difference will not posses any major congestion problem. Important is expected L4-L7 throughput.