Endpoint security mechanism to detect ip theft on a virtual machine mobility in switch fabric

US2022263865A1 · US · A1

Patent metadata

Publication number: US-2022263865-A1
Application number: US-202217736748-A
Country: US
Kind code: A1
Filing date: May 4, 2022
Priority date: Apr 26, 2019
Publication date: Aug 18, 2022
Grant date: (none)


Abstract

Official abstract text for this publication.

Methods to secure against IP address theft by rogue devices in a virtualized datacenter are provided. Rogue devices are detected and distinguished from a legitimate migration of an endpoint within the virtualized datacenter. A first hop network element in one or more network fabrics intercepts a request that includes an identity of an endpoint and performs a local lookup for the endpoint entity identifier. If the lookup does not find the endpoint entity identifier, the first hop network element broadcasts a message, such as a remote media access control (MAC) address query, to the other network elements in the one or more network fabrics. Based on the response received, which may include an IP address associated with the MAC address, the first hop network element performs a theft validation process to determine whether the request originated from a migrated endpoint or from a rogue device.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: receiving, by a first network element in a network fabric, a first request message comprising an endpoint entity identifier associated with an endpoint entity, the first request message being triggered by a second network element in the network fabric receiving a multicast reverse address resolution protocol request; performing, by the first network element, a lookup in a local database, based on the endpoint entity identifier; and based on the lookup indicating that the endpoint entity identifier is not found in the local database, broadcasting a second request message which is a probe to the endpoint entity so as to trigger an Internet Protocol (IP) address theft validating process by the second network element based on a response to the second request message from the endpoint entity.

2. The method of claim 1, further comprising: based on the lookup indicating that the endpoint entity identifier is not found in the local database, discarding the first request message without further action, wherein the endpoint entity identifier is a media access control (MAC) address.

3. The method of claim 1, wherein the IP address theft validating process comprises: receiving, by the first network element, a duplicate address request message with a remote IP query comprising an IP address; performing, by the first network element, an endpoint IP address lookup in the local database; based on the endpoint IP address lookup indicating a presence of the endpoint entity corresponding to the IP address, transmitting a unicast probe request to check for existence of the endpoint entity and setting a reply flag; receiving a reply, by the first network element from the endpoint entity, indicating that the endpoint entity is alive at a location where the endpoint entity is originally learned; based on the reply flag being set and the reply, transmitting by the first network element, a message indicating an IP theft violation and blocking access of the endpoint entity to the network fabric; and based on reaching a timeout without receiving the reply, removing, by the first network element, an entry of the endpoint entity from the local database so that the endpoint entity is secured at a new location.

4. The method of claim 1, wherein: the first network element is a leaf node element of a plurality of leaf node elements in a software defined network (SDN) fabric, and the endpoint entity is one of a plurality of endpoint entities that are respectively associated with a corresponding one of a plurality of hypervisors and that communicate with via the plurality of leaf node elements.

5. The method of claim 1, wherein: the first network element is a switch connected to a plurality of endpoint entities, and the plurality of endpoint entities are virtual machines.

6. The method of claim 1, wherein: the first request message is a multicast duplicate address request message comprising a remote media access control (MAC) address query triggered by the multicast reverse address resolution protocol request indicating a move of a virtual machine from a hypervisor, and the second request message is a multicast address resolution protocol (ARP) probe request or a neighbor solicitation probe request, which triggers from the endpoint entity identified in the second request message, an ARP reply or a neighbor advertisement reply.

7. The method of claim 1, wherein the first network element and the second network element are switches within a plurality of software defined network (SDN) fabrics in a multi-fabric architecture and wherein the first network element is connected to a plurality of virtual machines.

8. An apparatus comprising: a plurality of ports at which network communications are received and from which network communications are sent; a memory; and a processor coupled to the memory, wherein the processor is operative to: receive, via the plurality of ports, a first request message comprising an endpoint entity identifier associated with an endpoint entity, the first request message being triggered by a network element in a network fabric receiving a multicast reverse address resolution protocol request; perform a lookup in a local database based on the endpoint entity identifier; and based on the lookup indicating that the endpoint entity identifier is not found in the local database, broadcast a second request message which is a probe to the endpoint entity so as to trigger an Internet Protocol (IP) address theft validating process by the network element based on a response to the second request message from the endpoint entity.

9. The apparatus of claim 8, wherein the processor is further operative to: based on the lookup indicating that the endpoint entity identifier is not found in the local database, discard the first request message without further action, wherein the endpoint entity identifier is a media access control (MAC) address.

10. The apparatus of claim 8, wherein the processor is operative to perform the IP address theft validating process by: receiving a duplicate address request message with a remote IP query comprising an IP address; performing an endpoint IP address lookup in the local database; based on the endpoint IP address lookup indicating a presence of the endpoint entity corresponding to the IP address, transmitting a unicast probe request to check for existence of the endpoint entity and setting a reply flag; receiving a reply, from the endpoint entity, indicating that the endpoint entity is alive at a location where the endpoint entity is originally learned; based on the reply flag being set and the reply, transmitting a message indicating an IP theft violation and blocking access of the endpoint entity to the network fabric; and based on reaching a timeout without receiving the reply, removing an entry of the endpoint entity from the local database so that the endpoint entity is secured at a new location.

11. The apparatus of claim 8, wherein: the apparatus is a leaf node element of a plurality of leaf node elements in a software defined network (SDN) fabric, and the endpoint entity is one of a plurality of endpoint entities that are respectively associated with a corresponding one of a plurality of hypervisors and that communicate with via the plurality of leaf node elements.

12. The apparatus of claim 8, wherein: the apparatus is a switch connected to a plurality of endpoint entities, and the plurality of endpoint entities are virtual machines.

13. The apparatus of claim 8, wherein: the first request message is a multicast duplicate address request message comprising a remote media access control (MAC) address query triggered by the multicast reverse address resolution protocol request indicating a move of a virtual machine from a hypervisor, and the second request message is a multicast address resolution protocol (ARP) probe request or a neighbor solicitation probe request, which triggers from the endpoint entity identified in the second request message, an ARP reply or a neighbor advertisement reply.

14. The apparatus of claim 8, wherein the apparatus and the network element are switches within a plurality of software defined network (SDN) fabrics in a multi-fabric architecture and wherein the apparatus is connected to a plurality of virtual machines.

15. One or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to perform operations including: receiving a first request mess
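The theft validation process of claim 3 (and claim 10) is easiest to follow as an event-driven state machine on the leaf that originally learned the endpoint. The model below is an added example, not code from the patent or from Cisco; the class, method and message names are assumptions, and it covers only the remote-IP-query validation step, not the earlier MAC lookup of claim 1.

```python
"""Event-driven model of the IP-theft validation a first-hop leaf performs
when a remote IP query arrives (claim 3 of US2022263865A1). Added example,
not the patent's or Cisco's code; names and message shapes are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class EndpointEntry:
    mac: str
    ip: str
    port: str  # port where the endpoint was originally learned


class LeafIpTheftValidator:
    def __init__(self) -> None:
        self.db: Dict[str, EndpointEntry] = {}  # local endpoint DB keyed by IP
        self.reply_flag: Set[str] = set()        # IPs with a unicast probe outstanding
        self.blocked: Set[str] = set()           # IPs denied access to the fabric
        self.sent: List[dict] = []               # messages this leaf emitted (constructed log)

    def learn(self, mac: str, ip: str, port: str) -> None:
        self.db[ip] = EndpointEntry(mac, ip, port)

    def handle_remote_ip_query(self, ip: str) -> str:
        """Duplicate-address request carrying a remote IP query from another leaf."""
        entry = self.db.get(ip)
        if entry is None:
            return "no_local_entry"  # this leaf never learned the IP; nothing to validate
        # Probe the endpoint at the location it was originally learned from and
        # set the reply flag so a later reply is attributed to this probe.
        self.sent.append({"type": "UNICAST_PROBE", "ip": ip, "mac": entry.mac, "port": entry.port})
        self.reply_flag.add(ip)
        return "probe_sent"

    def on_probe_reply(self, ip: str) -> str:
        """Endpoint still answers at its learned location: the remote claimant is rogue."""
        if ip not in self.reply_flag or ip not in self.db:
            return "ignored"  # unsolicited reply: no probe outstanding for this IP
        self.reply_flag.discard(ip)
        self.blocked.add(ip)  # claimant is denied access to the fabric
        self.sent.append({"type": "IP_THEFT_VIOLATION", "ip": ip})
        return "theft_violation"

    def on_probe_timeout(self, ip: str) -> str:
        """No reply before the timeout: a genuine move, so drop the stale entry."""
        if ip not in self.reply_flag:
            return "ignored"
        self.reply_flag.discard(ip)
        self.db.pop(ip, None)  # the new location can now secure the endpoint
        return "migrated"
```

The two terminal outcomes are the ones the claim distinguishes: a reply while the flag is set means the original owner is still alive (theft), a timeout means the entry is stale (migration).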

Assignees

Cisco Tech Inc

Classifications

Primary CPC classification: H04L63/1483. CPC titles:

  • service impersonation, e.g. phishing, pharming or web spoofing (detection of rogue wireless access points H04W12/12)

  • by monitoring network traffic (monitoring network traffic per se H04L43/00)

  • Distribution of virtual machine instances; Migration and load balancing

  • Isolation or security of virtual machine instances

  • Hypervisor-specific management and integration aspects


Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2022263865A1 cover?
Methods to secure against IP address thefts by rogue devices in a virtualized datacenter are provided. Rogue devices are detected and distinguished from a migration of an endpoint in a virtualized datacenter. A first hop network element in a one or more network fabrics intercepts a request that includes an identity of an endpoint and performs a local lookup for the endpoint entity identifier. B…
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1483. Mapped technology areas include Electricity.
When was this patent published?
Publication date Aug 18, 2022 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).