Charging in a software defined network
US-2015365537-A1 · Dec 17, 2015 · US
US2016366019A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016366019-A1 |
| Application number | US-201514736523-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jun 11, 2015 |
| Priority date | Jun 11, 2015 |
| Publication date | Dec 15, 2016 |
| Grant date | — |
Official abstract text for this publication.
A determination is made at a network connected device that a network policy is to be verified. The network policy is applied to network packets sent to an endpoint within a network, and the application of the policy to network traffic can result in at least two outcomes. Another determination is made at the network connected device that a switch is provisionable to host the endpoint. The network connected device provisions a simulated endpoint version of the endpoint at the switch to host the policy. At least one packet is sent to the simulated endpoint via the network connected device for each of the at least two outcomes of the policy. At least one response is received by the network connected device from the simulated endpoint indicating how the policy was applied to each of the packets.
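A minimal model of the verification loop the abstract describes, as an added example that is not taken from the patent. The rule format, the addresses, and the names `probes_for`, `simulated_endpoint` and `verify` are hypothetical, and the endpoint is an in-process stand-in rather than one provisioned on a switch.

```python
from ipaddress import ip_address, ip_network

# Constructed policy (first match wins): (action, proto, src_net, dst_net, dst_port)
INTENDED = [
    ("permit", "tcp", "10.1.0.0/16", "10.2.0.10/32", 443),
    ("deny", "ip", "10.1.0.0/16", "10.2.0.10/32", None),
]
# Constructed faulty deployment: same rules, order swapped, so deny shadows permit.
DEPLOYED_BAD = [INTENDED[1], INTENDED[0]]

def matches(rule, pkt):
    _, proto, src, dst, port = rule
    return (proto in ("ip", pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(src)
            and ip_address(pkt["dst"]) in ip_network(dst)
            and port in (None, pkt["dport"]))

def apply_policy(rules, pkt):
    for rule in rules:
        if matches(rule, pkt):
            return rule[0]
    return "deny"  # assumption: implicit deny when nothing matches

def host(net):
    net = ip_network(net)
    return str(net[1] if net.num_addresses > 1 else net[0])

def probes_for(rules):
    """Build one five-tuple per policy outcome that the intended policy maps to it."""
    probes = {}
    for action, proto, src, dst, port in rules:
        pkt = {"proto": "tcp" if proto == "ip" else proto, "src": host(src),
               "sport": 40000, "dst": host(dst), "dport": port or 65000}
        # Keep the probe only if the whole ordered policy yields this outcome for it.
        if action not in probes and apply_policy(rules, pkt) == action:
            probes[action] = pkt
    return probes

def simulated_endpoint(deployed):
    """In-process stand-in for the endpoint hosted on the switch; replies ACL-log style."""
    return lambda pkt: {"five_tuple": pkt, "acl_action": apply_policy(deployed, pkt)}

def verify(intended, deployed):
    """Send one probe per outcome and compare the reported action with the intent."""
    endpoint, report = simulated_endpoint(deployed), {}
    for outcome, pkt in probes_for(intended).items():
        seen = endpoint(pkt)["acl_action"]
        report[outcome] = (seen, seen == outcome)
    return report
```

Calling `verify(INTENDED, DEPLOYED_BAD)` reports the permit probe as denied, which is the kind of rule-ordering fault that probing every outcome exposes and probing a single outcome can miss.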
Opening claim text (preview).
What is claimed is:

1. A method comprising: determining, at a network connected device, a network policy to be verified, wherein the network policy is applied to network packets sent to an endpoint within a network, wherein application of the policy to network traffic can result in at least two outcomes; determining, at the network connected device, a switch that is provisionable to host the endpoint; provisioning, via the network connected device, a simulated endpoint version of the endpoint at the switch; sending, over the network via the network connected device, at least one packet for each of the at least two outcomes of the policy to the simulated endpoint; and receiving, via the network at the network connected device, at least one response from the simulated endpoint indicating how the policy was applied to each of the packets.
2. The method according to claim 1, wherein the network connected device comprises a network controller.
3. The method of claim 2, wherein the network controller comprises a fabric controller.
4. The method of claim 1, further comprising pre-reserving a plurality of switches for policy verification, and wherein determining the switch that is provisionable to host the endpoint comprises selecting at least one of the plurality of switches.
5. The method of claim 1, wherein sending the at least one packet for each of the at least two outcomes of the policy comprises a sending a traceroute packet for each of the at least two outcomes, and wherein receiving the at least one response comprises receiving at least one response for each of the traceroute packets.
6. The method of claim 1, wherein sending at least one packet for each of the at least two outcomes of the policy comprises configuring a five-tuple header of at least one packet to induce application of the policy to the packet.
7. The method of claim 1, wherein provisioning the simulated endpoint comprises hosting the simulated endpoint on a switch control plane of the switch.
8. The method of claim 7, wherein hosting the simulated endpoint on the switch control plane comprises hosting the simulated endpoint on a switch central processing unit.
9. The method of claim 1, wherein provisioning the simulated endpoint comprises hosting the simulated endpoint on an application specific integrated circuit of a front panel port of the switch.
10. The method of claim 1, wherein receiving the at least one message comprises receiving Access Control List logging messages.
11. The method of claim 1, wherein the network comprises a production environment network.
12. The method of claim 1, wherein the policy is applied to traffic sent to endpoints of an endpoint group.
13. An apparatus comprising: a network interface configured to send network packets over a network; and a processor, wherein the processor is configured to: determine a network policy to be verified, wherein the network policy is applied to network packets sent to an endpoint within the network, wherein application of the policy to network traffic can result in at least two outcomes; determine a switch that is provisionable to host the endpoint; provision a simulated endpoint version of the endpoint at the switch; send, via the network interface, at least one packet for each of the at least two outcomes of the policy to the simulated endpoint; and receive, via network interface, at least one response from the simulated endpoint indicating how the policy was applied to each of the packets.
14. The apparatus of claim 13, wherein the processor is configured to send the at least one packet for each of the at least two outcomes of the policy by sending a traceroute packet for each of the at least two outcomes.
15. The apparatus of claim 13, wherein the processor is configured to send the at least one packet for each of the at least two outcomes of the policy by configuring a five-tuple header of at least one packet to induce application of the policy to the packet.
16. The apparatus of claim 13, wherein the processor is configured to provision the simulated endpoint by provisioning the switch to host the simulated endpoint on a switch control plane of the switch.
17. A non-transitory computer readable storage media encoded with instructions, wherein the instructions, when executed by a processor, cause the processor to: determine a network policy to be verified, wherein the network policy is applied to network packets sent to an endpoint within a network, wherein application of the policy to network traffic can result in at least two outcomes; determine a switch that is provisionable to host the endpoint; provision a simulated endpoint version of the endpoint at the switch; send, via the network, at least one packet for each of the at least two outcomes of the policy to the simulated endpoint; and receive, via network, at least one response from the simulated endpoint indicating how the policy was applied to each of the packets.
18. The non-transitory computer readable storage media of claim 17, wherein the instructions cause the processor to send the at least one packet for each of the at least two outcomes of the policy by sending a traceroute packet for each of the at least two outcomes.
19. The non-transitory computer readable storage of claim 17, wherein the instructions cause the processor to send the at least one packet for each of the at least two outcomes of the policy by configuring a five-tuple header of at least one packet to induce application of the policy to the packet.
20. The non-transitory computer readable storage of claim 17, wherein the instructions cause the processor to provision the simulated endpoint by provisioning the switch to host the simulated endpoint on a switch control plane of the switch.
Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements · CPC title
Policy-based network configuration management · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
Traffic policing · CPC title
Active monitoring, e.g. heartbeat, ping or trace-route · CPC title