TCP/IP stack

Most policy types are implemented by the TCP/IP stack. IPSec dynamic VPNs are implemented by the IKE daemon.

As packets are sent or received, they are matched against policies of the appropriate type as needed. In general, policy processing occurs at the following layers in the stack:

Some types of IDS checks are also performed at the IP layer in the stack.

When a matching policy is found, it is applied to the packet. Depending on the policy type and the packet contents, this can result in a wide variety of actions. For example, the packet might be discarded, processed according to its priority, or have its routing changed. For information about the policy action statements and the kinds of processing that can be applied for each policy type, see the Policy Agent and policy applications information in z/OS Communications Server: IP Configuration Reference.