Q1. Should shadow replication be limited to the site? Should it go across the WAN?
-> It depends on how your AD sites are configured and what the requirements for message routing are. If you are going to consolidate all SMTP traffic and send it out through one site, then you can have shadow redundancy configured across the WAN.
To quote the TechNet article on Shadow Redundancy:
For any message delivered to a mailbox database that's part of a DAG, the shadow copy for that message is retained in the transport dumpster until that message is replicated to all DAG members. Similarly, any message submitted to Hub Transport servers from a DAG member has two copies, one in the Hub Transport server queue waiting for delivery, and a shadow copy in the sender's Sent Items folder. This approach is a key component of shadow redundancy.
However, when the Hub Transport and Mailbox server roles coexist on the same server, and you have mailbox databases that are part of a DAG, Hub Transport servers may have to route a message through an extra hop to avoid having the primary message and the shadow message on the same server hardware.
http://technet.microsoft.com/en-us/library/dd351027.aspx
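As an added example that is not part of the original answer or of Microsoft's documentation, the following Exchange Management Shell session shows how to inspect the settings that decide whether shadow copies end up crossing the WAN in an Exchange 2010 organisation: whether shadow redundancy is enabled and how long shadow copies are held, which AD sites are hub sites and what the site links cost, which send connectors carry outbound SMTP and from which source servers, and which shadow queues exist right now and which next hop they are shadowing for. The cmdlets and properties are the standard Exchange 2010 ones; site, server and connector names are whatever your own organisation has, none of them are taken from the poster's environment.

```powershell
# Added example (not from the original post). Run in the Exchange 2010
# Management Shell with View-Only Organization Management rights or better.

# 1. Is shadow redundancy on, and how long are shadow copies kept?
#    A long ShadowMessageAutoDiscardInterval means copies sit on the shadow
#    server for a while if the primary never sends a discard notification.
Get-TransportConfig | Format-List ShadowRedundancyEnabled,
    ShadowHeartbeatTimeoutInterval, ShadowHeartbeatRetryCount,
    ShadowMessageAutoDiscardInterval

# 2. Which AD sites are hub sites (inter-site mail is forced through them),
#    and what do the IP site links cost? Exchange prefers the lowest
#    ExchangeCost (falling back to the AD Cost), so a cheap WAN link is the
#    path shadow traffic between sites will take.
Get-AdSite | Format-Table Name, HubSiteEnabled -AutoSize
Get-AdSiteLink | Format-Table Name, ExchangeCost, Cost, Sites -AutoSize

# 3. Which servers actually hand mail to the internet? If all send connectors
#    have source servers in one site, every other site's outbound mail, and
#    its shadow copies, already traverse the WAN to get there.
Get-SendConnector | Format-Table Name, AddressSpaces, SourceTransportServers -AutoSize

# 4. Shadow queues on every Hub Transport server. NextHopDomain names the
#    primary server being shadowed; compare it with the Site of the queue's
#    owner to see which shadow copies are being held across a site boundary.
$servers = Get-TransportServer
$sites = @{}
foreach ($s in (Get-ExchangeServer)) { $sites[$s.Name] = $s.Site.Name }

$servers | ForEach-Object {
    $owner = $_.Name
    Get-Queue -Server $owner -Filter { DeliveryType -eq 'ShadowRedundancy' } |
        Select-Object @{n='ShadowServer'; e={ $owner }},
                      @{n='ShadowSite';   e={ $sites[$owner] }},
                      NextHopDomain, MessageCount, Status
} | Sort-Object ShadowSite, NextHopDomain | Format-Table -AutoSize
```

Step 4 is the one to run before deciding the "limit it to the site" question: if the shadow queues it lists already point at next hops in other sites, shadow redundancy is crossing the WAN today regardless of what the design document says, because it follows the routing topology rather than a setting of its own. Changing that means changing the topology (hub sites, site link costs, connector source servers), not a shadow redundancy switch.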
Q2. If so should it be on a separate VLAN?
-> Ideally you would want to isolate your message routing, so the answer is yes.