This represents the campus and enterprise modules. Is the DMZ labeled correctly? If so, why does the DMZ get an IPS? Maybe this is a very budget-less design, or a traffic-intense network?
The IPS/IDS appliances are supposed to be placed behind your firewall, so that the traffic analyzed has already been filtered by the rules in the firewall beforehand. The DMZ zone is an external-facing part of the network where you interact with other organizations/partners/businesses. It is typically composed of an Internal zone, commonly called the iDMZ, and an External zone, called the eDMZ. Within the DMZ zone, the iDMZ is the trusted domain within the DMZ, and the eDMZ the untrusted domain. These deployments are commonly addressed with virtual firewalls providing segmentation between both parts of the DMZ. As the firewalls are filtering the traffic between zones, it would make sense to deploy an IPS/IDS system behind them. This certainly depends on your requirements and how specific they are. I have seen it in the iDMZ to protect the devices in the trusted zone that you are placing within the DMZ. In the external DMZ, everything is simply denied unless specified otherwise.
I would add Port Security in the access layer to limit the number of MAC addresses per port on user-facing ports.
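As an added example (not from the original thread or its author), here is a small audit script for the port-security suggestion above. It assumes a Cisco IOS-style running config (`interface ...` / `switchport mode access` / `switchport port-security ...`), checks every access port for port security, an explicit MAC limit and a violation mode that actually logs, and emits the remediation lines for ports that fail. The sample config and the policy limit of 3 MACs are constructed for the example.

```python
"""Audit an IOS-style running config for port security on user-facing access ports.

Added example, not code from the original thread. Assumptions:
  - IOS-style syntax: 'interface <name>' followed by indented 'switchport ...' lines
  - only 'switchport mode access' ports are user-facing; trunks/uplinks are skipped
  - IOS defaults when port-security is enabled: maximum 1, violation shutdown
"""
import re

# Constructed sample config: three access ports and one uplink trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description User - desk 101
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/2
 description User - desk 102
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description Printer
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
!
interface GigabitEthernet1/0/24
 description Uplink to distribution
 switchport mode trunk
!
"""

MAX_MACS_ALLOWED = 3  # policy knob (assumption): a user port rarely needs more (PC + phone + spare)


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} from an IOS-style config."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def audit_port_security(config, max_macs=MAX_MACS_ALLOWED):
    """Return a list of (interface, finding) for access ports that fail the policy."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks/uplinks are out of scope for per-port MAC limits
        if "switchport port-security" not in lines:
            findings.append((name, "port-security not enabled"))
            continue
        maximum = 1           # IOS default once port-security is enabled
        violation = "shutdown"  # IOS default violation mode (err-disables the port)
        for l in lines:
            m = re.match(r"switchport port-security maximum (\d+)$", l)
            if m:
                maximum = int(m.group(1))
            m = re.match(r"switchport port-security violation (\w+)$", l)
            if m:
                violation = m.group(1)
        if maximum > max_macs:
            findings.append((name, f"maximum {maximum} exceeds policy of {max_macs}"))
        if violation == "protect":
            # 'protect' silently drops offending frames with no syslog/SNMP notification,
            # so a flooding attempt leaves no trace for the SOC.
            findings.append((name, "violation mode 'protect' drops silently, no log/SNMP trap"))
    return findings


def remediation(interface, max_macs=MAX_MACS_ALLOWED):
    """Config lines that bring a failing access port in line with the policy."""
    return [
        f"interface {interface}",
        " switchport port-security",
        f" switchport port-security maximum {max_macs}",
        " switchport port-security violation restrict",  # drop + count + trap, port stays up
    ]


if __name__ == "__main__":
    for iface, finding in audit_port_security(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
        print("\n".join(remediation(iface)))
```

Run against a real `show running-config` export, the script flags Gi1/0/2 (no port security) and Gi1/0/3 (limit of 50 defeats the purpose of the limit); Gi1/0/1 passes and the trunk uplink is ignored, since a MAC cap there would break the uplink.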
Read above :) - Although, maybe MACsec :D, but that would not be at the access layer.
I don't think you are; please write your comments if you have more thoughts :D
Hope that helps