I'm designing a mid-size network for about 100 users on two high-latency links (Cell/SAT).
First I looked at having an ISR 4221 router with an ASA 5545-X firewall, to let the router handle the routing etc. and the firewall do the DPI, AVC, IPS etc.
But as I understand it, the ISR routers support all of the DPI, AVC, IPS/NGIPS, Layer 7 QoS etc. that the ASA would normally do. So is there any reason why I should keep the ASA 5545-X firewall and not just go for a more beefy ISR router like the 4451 with SEC license?
The bandwidth is about 400-500 Mb/s.
Personally, I prefer to have the FW as its own identity in the network. ISR router, yes, this is for a branch with a small user base.
For your requirement you need a router and a FW.
To get a more comparable solution using ISR series routers, you would have to add something like Firepower Threat Defense for ISR:
For that you need to add the UCS module. So the cost of the module plus license may make the difference between using a second appliance (ASA running FTD or such) less.
The protection capabilities between the two options are comparable. However, you are getting into a MUCH less deployed option with FTD for ISR. You are also then tying your security to your router and possibly closing off other options. For instance, what if you wanted to adopt the SD-WAN for ISR solution (i.e. the Viptela technology)? Is that compatible with also running the other security services?
Also, if you are considering just relying on IOS Zone-Based Firewall (ZBFW) I would not recommend that option. You'd be using 10+ year old technology to attempt to protect against modern threats.