Best practice design using non stackable switches means you need to connect lower numbered ports between the switches and having higher numbered ports connected from the switches to the firewall. However if you use port-channels ONLY have dual links betwen the switches in a port channel and have single links from each switch to the upstream MX. About your root guard enquiry: The MX does not participate in STP and does not even know the protocol and will just forward BDPU's. So when your MS sends a BPDU upstream on the port towards the MX, the MX will just forward it out it's other ports including the one going to the other switch. This is why you just don't enable any STP guard on ports leading UP to the MX. You can still use root guard on the switch acting as root bridge towards the other switch on the port channel.
... View more
