Group-based policies for inter-domain traffic

US12184539B2 · US · B2

Patent metadata
Field                Value
Publication number   US-12184539-B2
Application number   US-202318303493-A
Country              US
Kind code            B2
Filing date          Apr 19, 2023
Priority date        Nov 26, 2019
Publication date     Dec 31, 2024
Grant date           Dec 31, 2024

Abstract

Official abstract text for this publication.

In one embodiment, a method by an edge router configured to operate at a first site of a software-defined wide-area network includes receiving a data packet from a first host located in the first site, where the data packet is destined to a second host located in a second site, determining that an identifier of a second group to which the second host belongs is not available at the edge router, sending a request for an identifier of the second group to a network apparatus, where the request may comprise an address of the second host, receiving a response comprising the identifier of the second group from the network apparatus, determining that the second group is a destination group, applying one or more policies associated with the destination group to the data packet, and causing the data packet to be routed to the second host.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising, by an edge router configured to operate at a first site of a software-defined network (SDN): receiving, from a first host located in the first site, a data packet destined to a second host located in a second site, wherein the first site and the second site are different, and wherein the data packet from the first host comprises an identifier of a first group that is added by a switch having a port connected to the first host that determines the identifier of the first group based on a message from a first authentication server configuring the first host to be associated with the first group; sending, to a network apparatus, a request for an identifier of a second group that a second authentication server configured the second host to be associated with, wherein the request comprises an address of the second host; in response to sending the request for the identifier of the second group, receiving, from the network apparatus, a response comprising the identifier of the second group; determining, based on the received identifier, that the second group is a destination group; applying, to the data packet, one or more policies associated with the destination group; and causing the data packet to be routed to the second host.

2. The method of claim 1, wherein the edge router is a WAN-edge router connected to the SDN comprising a plurality of sites.

3. The method of claim 1, wherein a switch connected to the first host in a local area network adds the identifier of the first group to the data packet, and wherein the switch connected to the first host learns the identifier of the first group from the first authentication server during an authentication process of the first host.

4. The method of claim 1, wherein the one or more policies are further associated with the source group.

5. The method of claim 1, wherein the one or more policies comprise at least one of an admission control, a routing-path selection, a security policy, or a Quality of Service (QoS) policy.

6. The method of claim 1, wherein the one or more policies comprise a traffic policing, and wherein a pre-determined maximum data rate is enforced.

7. The method of claim 1, further comprising: determining that the identifier of the second group is not available at the edge router.

8. The method of claim 7, wherein determining that the identifier of the second group is not available comprises searching a local database at the edge router.

9. The method of claim 1, wherein the request is a control message sent over Overlay Management Protocol (OMP).

10. The method of claim 1, wherein the request is a control message sent over WebSocket.

11. The method of claim 1, wherein the network apparatus is a WAN fabric control plane, and wherein the network apparatus maintains group identifiers associated with hosts in the SDN.

12. The method of claim 1, wherein the network apparatus is a WAN-edge router configured to operate at the second site.

13. The method of claim 12, wherein the network apparatus determines the identifier of the second group by communicating with a local fabric control plane associated with the second site.

14. The method of claim 1, further comprising: receiving, from the second host, a second data packet destined to the first host; identifying a source group identifier based on a source group identifier field in the second data packet; determining that the source group identifier is not identical to the identifier of the second group in a local database; and in response to the determination, updating the identifier of the second group in the local database with the source group identifier.

15. An edge router that is configured to operate at a first site of a software-defined network (SDN) comprising: one or more processors; and one or more computer-readable non-transitory storage media coupled to one or more of the processors and comprising instructions operable when executed by one or more of the processors to cause the edge router to: receive, from a first host located in the first site, a data packet destined to a second host located in a second site, wherein the first site and the second site are different, and wherein the data packet from the first host comprises an identifier of a first group that is added by a switch having a port connected to the first host that determines the identifier of the first group based on a message from a first authentication server configuring the first host to be associated with the first group; send, to a network apparatus, a request for an identifier of a second group that a second authentication server configured the second host to be associated with, wherein the request comprises an address of the second host; in response to sending the request for the identifier of the second group, receive, from the network apparatus, a response comprising the identifier of the second group; determine, based on the received identifier, that the second group is a destination group; apply, to the data packet, one or more policies associated with the destination group; and cause the data packet to be routed to the second host.

16. The edge router of claim 15, wherein the edge router is a WAN-edge router connected to the SDN comprising a plurality of sites.

17. The edge router of claim 15, wherein the one or more policies comprise at least one of an admission control, a routing-path selection, a security policy, or a Quality of Service (QoS) policy.

18. The edge router of claim 15, wherein one or more of the processors are further operable when executing the instructions to: receive, from the second host, a second data packet destined to the first host; identify a source group identifier based on a source group identifier field in the second data packet; determine that the source group identifier is not identical to the identifier of the second group in a local database; and in response to the determination, update the identifier of the second group in the local database with the source group identifier.

19. One or more computer-readable non-transitory storage media embodying software that is operable on an edge router configured to operate at a first site of a software-defined network (SDN) when executed to: receive, from a first host located in the first site, a data packet destined to a second host located in a second site, wherein the first site and the second site are different, and wherein the data packet from the first host comprises an identifier of a first group that is added by a switch having a port connected to the first host that determines the identifier of the first group based on a message from a first authentication server configuring the first host to be associated with the first group; send, to a network apparatus, a request for an identifier of a second group that a second authentication server configured the second host to be associated with, wherein the request comprises an address of the second host; in response to sending the request for the identifier of the second group, receive, from the network apparatus, a response comprising the identifier of the second group; determine, based on the received identifier, that the second group is a destination group; apply, to the data packet, one or more policies associated with the destination group; and cause the data packet to be routed to the second host.

20. The media of claim 19, wherein the edge router is a WAN-edge router connected to the SDN that comprises a
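The flow the abstract and claims 1, 6, 7, 8 and 14 describe, as an added simulation that is not code from the patent or from Cisco: the first-site edge router receives a packet already tagged with the source group by the access switch, searches its local database for the destination host's group, sends a request carrying the destination address to the network apparatus only on a miss, caches the answer, applies admission control and a rate policer keyed on the (source group, destination group) pair, and refreshes the cached group from the source-group field of return traffic. Every class, function, address, group number and policy below is an assumption made for illustration; so is the choice that a pair with no configured policy is denied, which the page does not specify.

```python
# Added example (not code from the patent or from Cisco): simulation of the
# edge-router flow in claims 1, 6-8 and 14 of US12184539B2. All names, addresses
# and group numbers are assumptions chosen for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str                      # host address
    dst: str
    src_group: Optional[int]      # group id the access switch added after authentication
    length: int = 1000            # bytes


@dataclass
class Policy:
    action: str                          # admission control: "permit" or "deny"
    max_rate_bps: Optional[int] = None   # traffic policing (claim 6); None = no policer
    burst_bytes: int = 2000
    qos_class: str = "best-effort"       # QoS marking applied on forward


class TokenBucket:
    """Policer enforcing a pre-determined maximum data rate (claim 6)."""

    def __init__(self, rate_bytes_per_s: float, burst_bytes: int) -> None:
        self.rate, self.burst = rate_bytes_per_s, burst_bytes
        self.tokens, self.last = float(burst_bytes), 0.0

    def allow(self, nbytes: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class EdgeRouter:
    """WAN-edge router at the first site."""

    def __init__(self, policies: Dict[Tuple[Optional[int], int], Policy],
                 resolver: Callable[[str], Optional[int]]) -> None:
        self.policies = policies   # keyed by (source group, destination group)
        self.resolver = resolver   # the "network apparatus": address -> group id or None
        self.group_db: Dict[str, int] = {}   # local database (claim 8): address -> group id
        self.requests: List[str] = []        # addresses sent to the network apparatus
        self.buckets: Dict[Tuple[Optional[int], int], TokenBucket] = {}

    def lookup_group(self, addr: str) -> Optional[int]:
        gid = self.group_db.get(addr)        # claim 8: search the local database first
        if gid is None:
            self.requests.append(addr)       # claim 1: request carries the host address
            gid = self.resolver(addr)
            if gid is not None:
                self.group_db[addr] = gid    # cache the response for later packets
        return gid

    def forward(self, pkt: Packet, now: float) -> Tuple[str, Optional[int], Optional[str]]:
        dst_group = self.lookup_group(pkt.dst)
        if dst_group is None:
            return ("drop-unresolved", None, None)
        key = (pkt.src_group, dst_group)
        policy = self.policies.get(key)
        # Assumption: a pair with no configured policy is denied (admission control).
        if policy is None or policy.action != "permit":
            return ("drop-denied", dst_group, None)
        if policy.max_rate_bps is not None:
            bucket = self.buckets.setdefault(
                key, TokenBucket(policy.max_rate_bps / 8, policy.burst_bytes))
            if not bucket.allow(pkt.length, now):
                return ("drop-policed", dst_group, policy.qos_class)
        return ("forward", dst_group, policy.qos_class)

    def receive_from_wan(self, pkt: Packet) -> bool:
        """Claim 14: refresh the cached group of the remote host from the
        source-group field of its return traffic. Returns True if the entry changed."""
        if pkt.src_group is None or self.group_db.get(pkt.src) == pkt.src_group:
            return False
        self.group_db[pkt.src] = pkt.src_group
        return True


# Constructed sample data: the second site's control plane knows two hosts.
SECOND_SITE_GROUPS = {"10.2.0.5": 20, "10.2.0.9": 30}


def make_router() -> EdgeRouter:
    policies = {
        (10, 20): Policy("permit", max_rate_bps=8000, burst_bytes=2000, qos_class="gold"),
        (10, 30): Policy("deny"),
    }
    return EdgeRouter(policies, SECOND_SITE_GROUPS.get)


if __name__ == "__main__":
    r = make_router()
    pkt = Packet("10.1.0.7", "10.2.0.5", src_group=10)
    for t in (0.0, 0.0, 0.0, 1.0):           # 8 kbit/s with a 2000-byte burst
        print(t, r.forward(pkt, now=t))
    print("requests sent:", r.requests)      # one request, then served from cache
    print("updated:", r.receive_from_wan(Packet("10.2.0.5", "10.1.0.7", src_group=21)))
    print(r.forward(pkt, now=2.0))           # group 21 has no policy: denied
```

Two points to note when reading the simulation against the claims. First, the request to the network apparatus is sent only after the local-database search fails (claims 7 and 8), so repeat packets to the same destination generate no further control-plane traffic. Second, `receive_from_wan` updates the cache from the group tag carried in the reverse-direction data packet, exactly as claim 14 specifies; the page says nothing about how that tag is protected between sites, so the example does not model it either.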

Assignees

Cisco Tech Inc

Inventors

Classifications

  • H04L45/302 (primary): Route determination based on requested QoS (CPC title)

  • Address table lookup; Address filtering (CPC title)

  • Topology update or discovery (CPC title)

  • Traffic policing (CPC title)

  • Address processing for routing (CPC title)

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12184539B2 cover?
In one embodiment, a method by an edge router configured to operate at a first site of a software-defined wide-area network includes receiving a data packet from a first host located in the first site, where the data packet is destined to a second host located in a second site, determining that an identifier of a second group to which the second host belongs is not available at the edge router,…
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L45/302. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 31, 2024 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).