I know a sales engineer is the person who will tell me what equipment/feature set I need in the end, but I want to make sure I'm asking the right questions (and that what I'm trying to do can be done!)

This is a continuation of this discussion (which I appreciate Christopher Gatlin's help with):

https://supportforums.cisco.com/message/3165713

Here's an example of the setup I'm pondering:

Site A

Router 1:

Fa0/0 - 10.0.0.1/24 (connected to local network)

Fa0/1 - 172.25.1.1/24 (connected to carrier ethernet)

Fa0/2 - 99.99.99.1/29 (connected to DSL Internet)

ASA1:

Ethernet0/1 - 10.0.1.2/24 (local network)

Ethernet0/0 - 88.88.88.88/29 (connected to 10Mb fiber Internet)

Site B

Router 2:

Fa0/0 - 10.0.10.1/24 (local network)

Fa0/1 - 172.25.1.2/24 (carrier ethernet)

Fa0/2 - 77.77.77.1/29 (DSL Internet)

Site C

Router 3:

Fa0/0 - 10.0.20.1/24 (local network)

Fa0/1 - 172.25.1.3/24 (carrier ethernet)

Fa0/2 - 66.66.66.1/29 (DSL Internet)

I need to achieve the following:

1. Traffic between sites will be encrypted, whether it is over carrier ethernet or DSL.

2. All Internet-bound traffic will route through the ASA1 at Site A.

3. If the carrier ethernet fails, traffic will route between sites over the DSL lines.

Here's the direction I was going:

1. Router 1 will have a default route of 10.0.1.2 (ASA1).

2. Router 2 and 3 will have a default route of 172.25.1.1 (carrier ethernet interface on Router 1).

3. Router 1, 2, and 3 will have static routes for the IPs of the DSL interfaces on their neighboring routers.

4. Point-to-point VPN tunnels between Routers will be built over the DSL connections.

5. GRE tunnels over the VPN tunnels over DSL will be built.

6. EIGRP will be enabled on the GRE interfaces, and the carrier ethernet interfaces.  Routes should be discovered through the carrier ethernet and the GRE tunnels at that point.

The disadvantage I can see so far is that if the carrier ethernet is down, and Site B or C is routing traffic over the GRE over VPN over DSL, they will lose Internet access (because the default route to 172.25.1.1 will be down).  Maybe I can do something with route tracking for this, but it actually isn't a big concern - this scenario should be in place a tiny percentage of the time, and users will still have access to the Internet through Citrix servers located at Site A.

Here are the questions I have:

1. Will this work?  And will it work with one router per site, as in my example?

2. How should I encrypt traffic on the carrier ethernet network?  Obviously the route is already there - no internal traffic has to be NAT'd or anything to reach another internal network, because I'm using internal IPs on the carrier ethernet interfaces of the routers.  The traffic can pass right through.  But I don't want that traffic to go through unencrypted!  Do I need another VPN tunnel and another GRE tunnel over it for each carrier ethernet connection?  Or can I encrypt using Transport mode, as opposed to Tunnel, so I can just use the route that's already there, or is that not a viable option?  Really, I just need to make sure local network traffic is encrypted while it routes over the 172.25.1.x network - I don't actually care if Internet-bound traffic is.

3. If this will all work, what feature set do I need to make sure I purchase with the routers?  I'm thinking I'll want firewall, IPSEC, and dynamic routing.  Anything I'm missing?