Loop guard should not be enabled on a host port? it should be enabled on trunk ports to prevent Layer 2 switching loops from occurring. Loop guard is only used on interfaces that Spanning Tree Protocol (STP) considers to be point-to-point links. When a trunk port configured with loop guard stops receiving bridge protocol data units (BPDUs), loop guard will put the port into the loop-in-consistent state instead of allowing the port to transition to the forwarding state. If you were to enable loop guard on a port connected to a host computer, the port would transition to the loop-in-consistent state because a host does not send BPDUs.

PortFast can be enabled on a host port. PortFast enables a port to immediately access the network by transitioning the port into the STP forwarding state without passing through the STP listening and learning states. Because the ports are not expected to receive BPDUs, they are not required to learn the network topology. Host ports that are not enabled for PortFast can cause a high number of STP topology changes to flood throughout the network, thereby causing high CPU utilization on network switches. However, care should be taken to ensure that PortFast is not enabled on a port that is connected to a switch or other networking device. If you enable PortFast on such a port, you risk creating switching loops because the port is permanently in the STP forwarding state.

BPDU guard can be enabled on a host port to ensure that the port cannot receive BPDUs, thereby defining the edge of the STP domain. When a port that is configured with BPDU guard receives a BPDU, BPDU guard immediately puts the port into the errdisable state and shuts down the port. The port must be manually reenabled, or it can be recovered automatically through the errdisable timeout function.

Root guard can be enabled on a host port? however, it is more useful to enable PortFast and BPDU guard on a host port instead. Root guard is typically used to prevent a designated port from becoming a root port, thereby influencing which bridge will become the root bridge on the network. When root guard is applied to a port, the port is permanently configured as a designated port. A port that receives a superior BPDU will normally attempt to become a root port. However, if a designated port configured with root guard receives a superior BPDU, the port will be put into the root-in-consistent state and no data will flow through that port until it stops receiving superior BPDUs.