Senior Network Engineer (CCIE or equivalent)

Pathway is hiring a Senior Network Engineer (CCIE or equivalent) in Markham to architect, implement, and optimize multi-site, hybrid (data center + cloud) networks for internal and client environments.

You will own HLD / LLD, lead migrations and operations, and partner with security to deliver high-availability, secure, and scalable solutions aligned to business objectives Type of Position : Permanent Full-time, on-site, five days a week Availability on call / after office hours  Key Responsibilities Network Engineering End-to-end design of resilient LAN / WAN / WLAN / SD-WAN / data center and hybrid cloud interconnects (hub-and-spoke, EVPN / VXLAN, IPv6, QoS, multicast where applicable).

HLD / LLD ownership : diagrams, BoM, IP plans, routing policies, config standards / runbooks.

Implementation & migrations : plan and execute greenfield builds, cutovers, upgrades with rollback plans.

Routing & switching : expert policy design / troubleshooting for BGP / OSPF / IS-IS, ECMP, VRFs, ACLs, L2 / L3 segmentation.

Wireless : enterprise WLAN planning / optimization (surveys, RF design, 802.1X).

Cloud networking (Azure-first) : vNet / vWAN designs, Private Link / Endpoints, Route Server, ExpressRoute, Azure Firewall / WAF / App Gateway, Bastion; on-prem to cloud connectivity and segmentation.

Observability & SRE : SNMPv3, NetFlow / IPFIX / sFlow, streaming telemetry, syslog; SLI / SLO dashboards; capacity planning and performance tuning.

Security Engineering & Compliance Network security controls : NGFW / IPS, WAF, DDoS, VPN / ZTNA, micro-segmentation (ACLs / VRFs / host-based), secure web / DNS.

Access & segmentation : 802.1X / NAC and posture checks; privileged access boundaries; PKI / cert lifecycle for network services.

Zero-Trust & SASE : identity-aware access, secure edge, policy-as-code; align with SOC / SIEM for telemetry (flows, DNS, firewall).

Compliance & RCA : map controls to ISO 27001 / SOC 2 / HIPAA / PHIPA as applicable; lead RCAs and maintain hardening baselines.

Consulting, Ownership & Collaboration Translate business requirements into clear designs and options; present to stakeholders and obtain sign-off.

Keep diagrams, inventories, as-builts, and runbooks current.

Partner with PMO / operations to meet SLAs / OLAs; participate in escalation rota and maintenance windows.

Mentor engineers; review changes for quality / risk.

Required Qualifications Certification : CCIE (any track) or equivalent expert-level certification (e.g., Fortinet NSE 7 / 8, Palo Alto PCNSE, Juniper JNCIE), or demonstrable expert-level experience.

Experience : 8+ years in network engineering with 3+ years leading complex, multi-site or multi-tenant designs / migrations.

Deep expertise in routing / switching (BGP, OSPF / IS-IS, MPLS / EVPN, QoS) and enterprise WLAN.

Hands-on with network security (NGFW / IPS, VPN / ZTNA, NAC / 802.1X, segmentation) and integrating logs with SIEM.

Cloud networking : experience with Microsoft Azure (vNet / vWAN, ExpressRoute, Private Link, Azure Firewall / WAF / App Gateway); familiarity with other clouds is a plus.

Excellent client-facing communication and documentation (HLD / LLD / runbooks / change notes).

Preferred Skills MSP / consulting background with multi-tenant operations and SLA ownership.

Fortinet ecosystem : FortiGate, FortiManager, FortiAnalyzer, SD-WAN, IPsec / SSL VPN, ZTNA, EMS, FortiNAC, WLAN / AP / switch integration.

Cisco ecosystem : Catalyst / Nexus, SDA / ACI, SD-WAN (Viptela), ISE / 802.1X, ASA / FTD, Meraki switching / Wi-Fi / SD-WAN.

Azure security integrations : Defender for Cloud, Sentinel, Azure Monitor / Log Analytics, NSGs / ASGs, Policy.

Packet capture & protocol analysis : expert with Wireshark (display filters, TLS / SSL, TCP retransmits / latency, VoIP / RTP, 802.11), plus tcpdump, dumpcap, and (nice-to-have) CloudShark / Zeek.

ITIL change / problem; disciplined incident and post-incident processes.

EVPN / VXLAN leaf-spine, service-mesh; observability (Prometheus / Grafana) and capacity modeling.

Familiarity with SASE / SD-WAN / ZTNA patterns across multiple vendors (e.g., Palo Alto, Check Point, Zscaler, Cloudflare, Aruba / Juniper / Arista).

Powered by JazzHR