Senior Network Engineer; CCIE or equivalent

Pathway is hiring a Senior Network Engineer (CCIE or equivalent) in Markham to architect, implement, and optimize multi-site, hybrid (data center + cloud) networks for internal and client environments.

You will own HLD/LLD, lead migrations and operations, and partner with security to deliver high-availability, secure, and scalable solutions aligned to business objectives Type of Position:
Permanent Full-time, on-site, five days a week Availability on call/ after office hours Key Responsibilities Network Engineering End-to-end design of resilient LAN/WAN/WLAN/SD-WAN/data center and hybrid cloud interconnects (hub-and-spoke, EVPN/VXLAN, IPv6, QoS, multicast where applicable).

HLD/LLD ownership: diagrams, BoM, IP plans, routing policies, config standards/runbooks.

Implementation & migrations: plan and execute greenfield builds, cutovers, upgrades with rollback plans.

Routing & switching: expert policy design/troubleshooting for BGP/OSPF/IS-IS, ECMP, VRFs, ACLs, L2/L3 segmentation.

Wireless: enterprise WLAN planning/optimization (surveys, RF design, 802.1X).

Cloud networking (Azure-first): vNet/vWAN designs, Private Link/Endpoints, Route Server, Express Route, Azure Firewall/WAF/App Gateway, Bastion; on-prem to cloud connectivity and segmentation.

Observability & SRE: SNMPv3, Net Flow/IPFIX/sFlow, streaming telemetry, syslog; SLI/SLO dashboards; capacity planning and performance tuning.

Security Engineering & Compliance Network security controls: NGFW/IPS, WAF, DDoS, VPN/ZTNA, micro-segmentation (ACLs/VRFs/host-based), secure web/DNS.

Access & segmentation: 802.1X/NAC and posture checks; privileged access boundaries; PKI/cert lifecycle for network services.

Zero-Trust & SASE: identity-aware access, secure edge, policy-as-code; align with SOC/SIEM for telemetry (flows, DNS, firewall).

Compliance & RCA: map controls to ISO 27001/SOC 2/HIPAA/PHIPA as applicable; lead RCAs and maintain hardening baselines.

Consulting, Ownership & Collaboration Translate business requirements into clear designs and options; present to stakeholders and obtain sign-off.

Keep diagrams, inventories, as-builts, and runbooks current.

Partner with PMO/operations to meet SLAs/OLAs; participate in escalation rota and maintenance windows.

Mentor engineers; review changes for quality/risk.

Required Qualifications Certification: CCIE (any track) or equivalent expert-level certification (e.g., Fortinet NSE 7/8, Palo Alto PCNSE, Juniper JNCIE), or demonstrable expert-level experience.

Experience:

8+ years in network engineering with 3+ years leading complex, multi-site or multi-tenant designs/migrations.

Deep expertise in routing/switching (BGP, OSPF/IS-IS, MPLS/EVPN, QoS) and enterprise WLAN.

Hands-on with network security (NGFW/IPS, VPN/ZTNA, NAC/802.1X, segmentation) and integrating logs with SIEM.

Cloud networking: experience with Microsoft Azure (vNet/vWAN, Express Route, Private Link, Azure Firewall/WAF/App Gateway); familiarity with other clouds is a plus.

Excellent client-facing communication and documentation (HLD/LLD/runbooks/change notes).

Preferred Skills MSP/consulting background with multi-tenant operations and SLA ownership.

Fortinet ecosystem:
Forti Gate, Forti Manager, Forti Analyzer, SD-WAN, IPsec/SSL VPN, ZTNA, EMS, Forti

NAC, WLAN/AP/switch integration.

Cisco ecosystem:
Catalyst/Nexus, SDA/ACI, SD-WAN (Viptela), ISE/802.1X, ASA/FTD, Meraki switching/Wi-Fi/SD-WAN.

Azure security integrations:
Defender for Cloud, Sentinel, Azure Monitor/Log Analytics, NSGs/ASGs, Policy.

Packet capture & protocol analysis: expert with Wireshark (display filters, TLS/SSL, TCP retransmits/latency, VoIP/RTP, 802.11), plus tcpdump, dumpcap, and (nice-to-have) Cloud Shark/Zeek.

ITIL change/problem; disciplined incident and post-incident processes.

EVPN/VXLAN leaf-spine, service-mesh; observability (Prometheus/Grafana) and capacity modeling.

Familiarity with SASE/SD-WAN/ZTNA patterns across multiple vendors (e.g., Palo Alto, Check Point, Zscaler, Cloudflare, Aruba/Juniper/Arista).