Network Engineer L3

Network Engineer L3 — Roles & Responsibilities

1. Network Design & Architecture

• Own HLD/LLD for enterprise LAN/WAN, DC, and cloud connectivity
• Design redundant, scalable topologies — spine-leaf, hub-spoke, SD-WAN
• Define IP addressing, VLAN structure, routing domains, and segmentation strategy

2. Escalation & Incident Ownership

• Final escalation point for L1/L2 — you close it, not pass it
• Lead P1/P2 bridge calls, drive RCA, own post-mortem
• Coordinate with NOC, security, and vendors during major incidents

3. Routing & Switching (Advanced)

• Manage and tune BGP policies, OSPF areas, MPLS/VRF, redistribution
• Handle complex STP issues, VPC/MLAG, LACP, and trunk failures
• Own inter-DC and ISP peering configurations

4. Security & Compliance

• Enforce segmentation — VRF, VLAN isolation, firewall zones
• Review and approve ACLs, firewall rules, NAC policies
• Support audits — PCI, ISO 27001, NIST alignment on network layer

5. Cloud & Hybrid Networking

• Own AWS/Azure network integration — VPN Gateway, ExpressRoute, Transit Gateway
• Design and troubleshoot hybrid connectivity — on-prem to cloud routing
• Collaborate with cloud architects on network policy

6. Automation & Tooling

• Build and maintain automation — Python, Ansible, Netmiko
• Automate config backups, compliance checks, provisioning workflows
• Integrate with ITSM/IPAM/NMS platforms

7. Monitoring & Performance

• Own network observability — NetFlow, SNMP, syslog pipelines
• Proactive capacity planning — identify bottlenecks before they become incidents
• Define and track SLAs, latency, packet loss thresholds

8. Documentation & Change Management

• Maintain accurate network diagrams, IP plans, and runbooks
• Author and review RFCs/change records — no undocumented changes
• Keep post-mortems and lessons-learned documented

9. Vendor & Stakeholder Management

• Own TAC cases — Cisco, Palo Alto, Juniper, Fortinet
• Evaluate new hardware/software — PoC, testing, recommendation
• Present technical decisions to management and non-technical stakeholders

10. Mentorship & Leadership

• Technically guide L3 engineers — knowledge transfer, not just answers
• Conduct design and config peer reviews
• Set team standards — naming conventions, hardening baselines, change process

Desired Candidate Profile — Network Engineer L3

Technical Depth

• Can design end-to-end — not just configure what's handed to them
• Understands why a protocol behaves a certain way, not just how to configure it
• Reads packet captures, interprets routing tables, and diagnoses without a runbook
• Has broken things in production and fixed them under pressure

Core Technical Profile

DomainWhat We ExpectRoutingBGP multihoming, path manipulation, OSPF tuning, MPLS L3VPNSwitchingVPC/MLAG, MSTP, Q-in-Q, LACP negotiation issuesFirewallsZone-based policy, NAT hairpin, asymmetric routing issuesSD-WANPolicy-based routing, app-aware steering, overlay/underlay separationCloudExpressRoute, Direct Connect, Transit Gateway, route propagationAutomationScript-first mindset — Python, Ansible, REST APIsMonitoringCan build a dashboard, not just read one

Experience Profile

• 5–8 years hands-on — enterprise, SP, or large MSP environment
• Has owned a network migration or redesign project end to end
• Has managed multi-vendor environments — not just one OEM
• Has worked on-call and handled real P1 incidents alone

Certifications

LevelCertRequiredCCNP Enterprise / JNCIP / NSE4+Strong PlusCCIE / JNCIE / NSE7BonusAWS/Azure Networking Specialty

Problem-Solving Style

• Structured — isolates layer by layer, doesn't guess randomly
• Calm under pressure — incident bridge calls don't rattle them
• Data-driven — uses logs, flows, and captures — not assumptions
• Owns the problem — doesn't deflect to another team without evidence

Communication & Soft Skills

• Can explain a routing loop to a CISO without using BGP terminology
• Writes clean, clear documentation — diagrams match reality
• Pushes back on bad designs — respectfully, with data
• Comfortable presenting to management and defending technical decisions

Mindset

• Security-first — thinks about attack surface when designing, not after
• Automation bias — if done more than twice, it should be scripted
• Proactive — monitors trends, flags risks before they become incidents
• Continuous learner — tracks CVEs, vendor EOL, protocol RFCs

Red Flags (What disqualifies a candidate)

• Can configure but can't explain why
• Has never touched a firewall or security policy
• Relies entirely on GUI — no CLI fluency
• No experience with change management or documentation discipline
• Falls apart when the runbook doesn't apply