Hello Laurent,

thank you very much for the response!

I was considering the possibility to use QoS but had exactly the same concerning's about performance. 

Actually 2821 is not so bad in performance, it has integrated VPN HW acceleration and this module, if I corectly understood the docus, supports GRE tunnels. We're running about 20 GRE tunnels on it without big problem, CPU is OK in normal case, because most of them are 2-5 Mbits connection (physical).

The problem is MTU   as always, I put the command "ip mtu 1524" under the tunnel interface on both side, because firstly I'd like to hide (yes I know it's not good ) GRE path and secondly to illuminate the problem with MTU's on customer side, I know it produces fragmentation, but, as I said normally it doesn't make any problems, problems are starting if many customers generating the traffic or when one customer is a destionation for a DDos attack.

If I get back the "ip mtu 1524"  then CPU doesn't increase, no meter how much traffic are forwarding. But then come the problems with HTTPs and other MTU related things.

Actually I don't know how we can improve this part of our network, I simply hate it and don't want to spend a lot time and/or money on it.

Would it be better if we use a "xconnect" instead GRE?

As you said Fragmentation is very bad and must be avoided at all cost !!

Please try the following template and let me know if it solve your issue:

int tunnel x

ip mtu 1400

!

On the interface facing your internal network (not the one on which you are receiving the GRE traffic), apply the following command:

ip tcp adjust-mss 1360

With this config, we prevent UDP traffic from being fragmented and all TCP session will have a MSS set to max 1360 so IP MTU will never be higher than 1400 so no fragmentation of the TCP traffic.

HTH

Laurent.