I would consider root-guard and tcn-guard as unnecessary since these are related to BPDUs received which are already treated by the bpdu-guard.
So IMHO bpdu-guard and admin-edge is a good combination for edge (access) ports and on higher level switches (e.g. core / aggregation) root-guard and depending on your design also tcn-guard for the downlinks to the access switches.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2021 Hewlett Packard Enterprise Development LPAll Rights Reserved.