While implementing TTL security, you issue the PE(config-router-af)#neighbor 2.2.2.2 ttl-security hops 2 command.
After you issue this command, which BGP packets does the PE accept?
When configuring TTL security with the command 'neighbor 2.2.2.2 ttl-security hops 2', the router expects to receive BGP packets from the neighbor with a TTL value of at least 253. This is calculated as 255 (the maximum TTL value) minus the number of hops set (2). Therefore, the correct answer is that the PE accepts packets from 2.2.2.2 with a TTL of 253 or more.
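The check described above, modeled as an added example (not code from the original page or from Cisco): it computes the TTL floor for a given hop count and applies it to constructed sample packets. It assumes each forwarding router decrements the TTL by one; the function names and the sample traffic are hypothetical.

```python
MAX_TTL = 255  # largest value the 8-bit IP TTL field can hold


def min_accepted_ttl(hops):
    """Lowest incoming TTL accepted for 'ttl-security hops <hops>'."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return MAX_TTL - hops


def arriving_ttl(initial_ttl, forwarding_routers):
    """TTL on arrival, or None if the packet expires in transit."""
    if not 1 <= initial_ttl <= MAX_TTL:
        raise ValueError("initial TTL must be between 1 and 255")
    remaining = initial_ttl - forwarding_routers  # each router subtracts 1
    return remaining if remaining > 0 else None


def accepted(source, ttl, peer, hops):
    """Per-neighbor check: correct source and TTL at or above the floor."""
    return source == peer and ttl is not None and ttl >= min_accepted_ttl(hops)


# Constructed sample traffic: (source, initial TTL, forwarding routers crossed)
SAMPLE_PACKETS = [
    ("2.2.2.2", 255, 1),  # peer sending with the maximum TTL, one router away
    ("2.2.2.2", 255, 2),  # arrives exactly at the floor
    ("2.2.2.2", 255, 3),  # too far: cannot arrive above 252 even with TTL 255
    ("2.2.2.2", 64, 1),   # common host default TTL
    ("2.2.2.2", 1, 0),    # TTL of 1, i.e. "less than 2"
    ("3.3.3.3", 255, 0),  # high TTL but not the configured neighbor
]


def evaluate(packets, peer="2.2.2.2", hops=2):
    """Return (source, arriving TTL, accepted?) for each sample packet."""
    results = []
    for source, initial, routers in packets:
        ttl = arriving_ttl(initial, routers)
        results.append((source, ttl, accepted(source, ttl, peer, hops)))
    return results


if __name__ == "__main__":
    for source, ttl, ok in evaluate(SAMPLE_PACKETS):
        print(f"{source:8} arriving TTL {ttl!s:>4} -> {'accept' if ok else 'drop'}")
```

Because no sender can start above 255, a packet that crosses more routers than the configured hop count can never arrive at or above the floor, which is what makes the check useful against spoofed packets from distant sources.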
It's D. neighbor 10.1.1.1 ttl-security hops 2 The example configuration sets the expected incoming TTL value to at least 253, which is 255 minus the TTL value of 2, and this is the minimum TTL value expected from the BGP peer. The local router will accept the peering session from the 10.1.1.1 neighbor only if it is 1 or 2 hops away. https://www.cisco.com/c/en/us/td/docs/ios/12_2sx/feature/guide/fsxebtsh.html#wp1059215
Example: Router(config-router)# neighbor 10.1.1.1 ttl-security hops 2 The example configuration sets the expected incoming TTL value to at least 253, which is 255 minus the TTL value of 2, and this is the minimum TTL value expected from the BGP peer. The local router will accept the peering session from the 10.1.1.1 neighbor only if it is 1 or 2 hops away. https://www.cisco.com/c/en/us/td/docs/ios/12_2sx/feature/guide/fsxebtsh.html
According to Cisco, the expected ping response from the neighbor should be 253 or greater because 255-253=2 or 255-254=1 which means that the neighbor is 2 or 1 hops away.
the expected incoming TTL value to at least 253 Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2sx/feature/guide/fsxebtsh.html
It's B. from 2.2.2.2, with a TTL of less than 2
That's not right, it's 253 or more. 255-2 = 253
neighbor 10.1.1.1 ttl-security hops 2 The local router will accept the peering session from the 10.1.1.1 neighbor only if it is 1 or 2 hops away. https://www.cisco.com/c/en/us/td/docs/ios/12_2sx/feature/guide/fsxebtsh.html#wp1059215