Network Operations Engineer IV

Lincoln Investment

Location

Remote, US

Salary

Not specified

Type

Full-time

Posted

Today

Remote
via indeed

Job Description

Lincoln Investment, recognized as one of Philadelphia's Top Workplaces for over ten years, is an independent broker-dealer and registered investment professionals that offers brokerage, investment advisory and other financial professionals. Lincoln has over 1,000 financial professionals nationwide and we serve over 310,000 clients representing over 60 billion in assets. We are a majority family-owned financial services firm that regards our employees as integral players in our continuous growth. Lincoln Investment's success is built upon our dedication to helping people retire well and promoting a work environment that fosters success. Our financial strength and profitability are natural results of "helping people, having fun, and enjoying success." Lincoln Investment offers a competitive compensation and benefits package. Our Home Office is conveniently located in Fort Washington, PA, just outside of Philadelphia.

Senior Network Engineer with deep, hands-on expertise in modern data center networking, multi-site enterprise routing, hybrid Azure connectivity, Wireless, and security-first network design. This role requires strong practical experience designing, implementing, and operating tools/services such as EVPN/VXLAN fabrics (underlay and overlay), Palo Alto Networks Next-Generation Firewalls, VeloCloud SD-WAN, Cisco Meraki Switching/APs and enterprise-scale Azure networking -- along with proven leadership in driving network transformation from legacy architectures to modern, automated, cloud-integrated designs.

The candidate must be highly technical, comfortable working at Layer 2 through Layer 7, and capable of owning complex designs that span data center, campus, branch, internet edge, and Microsoft Azure environments.

Core Responsibilities

Network Architecture & Design

  • EVPN/VXLAN fabric design: Design, implement, and operate modern leaf-spine data center fabrics using EVPN/VXLAN, owning both the underlay (IP fabric, IGP, loopback/VTEP addressing) and the overlay (BGP EVPN control plane, VNI/VRF mapping, Type-2/Type-5 route handling).
  • Multi-site network routing design: Architect consistent, deterministic, and highly available routing across multiple data centers, campus sites, cloud regions, and branch locations, including DCI, route stretch, and failure-domain isolation.
  • Internet edge network routing design: Design and operate internet edge architectures -- BGP peering with service providers, public IP and ASN management, DDoS mitigation posture, and secure, redundant ingress/egress for production workloads.
  • Wireless/WLAN: Secure wireless design & initial buildout configuration.
  • Layer 3-centric design: Engineer modern, routed-access designs that minimize reliance on legacy Layer 2 constructs, producing deterministic traffic flows and clean failure behavior.
  • Documentation & standards: Produce high-quality design documents, HLDs/LLDs, topology diagrams, and operational runbooks.
  • Security & Troubleshooting: Implement everyday and troubleshooting tasks and project-related initiatives in a security-first manner.

Routing, Transport & Site Connectivity

  • BGP / OSPF: Own enterprise routing architecture using BGP and OSPF, including redistribution, summarization, route filtering, communities, and path selection.
  • VeloCloud SD-WAN (underlay & overlay): Design and operate VeloCloud SD-WAN, including underlay transport (Internet, MPLS, LTE/5G) and overlay policy -- application-aware routing, dynamic path steering, QoS, and segmentation across branch and multi-site environments.
  • Site-to-Site VPN connectivity: Design, deploy, and maintain Site-to-Site VPN tunnels (IPsec/IKEv2) to partners, remote sites, and cloud environments, ensuring resilient primary/backup paths, strong crypto standards, and clean failover.
  • Perform deep packet-level troubleshooting across physical, virtual, and cloud networks.

Network Security & NGFW

  • Palo Alto Networks firewalls & Panorama: Design, deploy, and operate Palo Alto NGFW platforms at scale, centrally managed through Panorama for policy, object, logging, and lifecycle management across on-prem and cloud.
  • Segmentation & Zero Trust: Implement network segmentation, micro-segmentation, and Zero Trust / least-privilege principles across the environment.
  • Deliver east-west and north-south traffic inspection, secure application publishing, and private access models.
  • Integrate firewalls with hybrid routing, cloud networking, and SDN constructs for consistent policy enforcement.

Hybrid & Azure Networking

  • Architect and operate hybrid connectivity between on-prem data centers and Azure using ExpressRoute (dual-circuit and failover designs), Site-to-Site and Point-to-Site VPN, and BGP peering with route filtering.
  • Design and manage Azure networking components: Virtual Networks (VNets), subnets, address planning, Network Security Groups (NSGs), User Defined Routes (UDRs), Azure VPN Gateway, Virtual WAN (vWAN), and Azure Firewall / third-party NGFW integration.
  • Ensure consistent routing, segmentation, and security policy enforcement across hybrid environments.

Network Services: IPAM & DNS

  • IPAM & DNS management: Own IP address management and DNS strategy across on-prem and cloud -- address planning, subnet allocation, zone design, split-horizon DNS, and conditional forwarding -- ensuring clean hygiene and reliable delivery of core network services.

Monitoring, Observability & Automation

  • Network resource monitoring design: Design and continuously evolve monitoring, telemetry, and flow analytics (SNMP, streaming telemetry / gNMI, syslog, NetFlow/IPFIX) to provide end-to-end visibility across fabric, WAN, cloud, and edge -- with meaningful dashboards, thresholds, and alerting.
  • Automation & network issue mitigation process improvement: Drive automation and process improvement to reduce manual toil, accelerate root-cause analysis, and shorten mean-time-to-repair -- leveraging tools such as Arista CloudVision, Ansible, Python, Terraform, and vendor APIs to standardize configurations, validate changes, and self-heal common failure patterns.

Platform & Vendor Experience

  • Hands-on experience with enterprise switching, routing, SD-WAN, and security platforms, including:
      • Arista EOS / CloudVision: spine-leaf switching, EVPN/VXLAN fabrics, and fabric-wide automation, telemetry, change management, and compliance through CloudVision.
      • Cisco IOS-XE / NX-OS: data center and campus switching and routing on Nexus and Catalyst platforms.
      • Cisco Meraki: cloud-managed campus, branch, and wireless deployments.
      • Palo Alto Networks firewalls with Panorama: centralized NGFW policy and operations.
      • VMware VeloCloud SD-WAN: branch and multi-site connectivity with underlay and overlay orchestration.
  • Ability to translate vendor-specific implementations into vendor-agnostic architecture principles.

Network Transformation Leadership

  • Lead or play a senior technical role in major network transformation projects, such as:
      • Migrating from legacy Layer 2 networks to modern Layer 3 / EVPN-VXLAN designs.
      • Data center modernization or consolidation.
      • Enterprise SD-WAN rollouts and legacy WAN retirement.
      • Hybrid cloud networking redesign.
  • Develop target-state architectures and phased migration plans.
  • Evaluate technical debt and design modernization strategies with minimal business disruption.

Required Technical Qualifications

  • 7+ years of enterprise network engineering experience.
  • Proven hands-on expertise with EVPN/VXLAN architectures, including both underlay and overlay design and operation.
  • Strong proficiency with Arista (EOS / CloudVision) and/or Cisco (NX-OS, IOS-XE, Meraki) platforms.
  • Hands-on experience designing and operating Palo Alto NGFWs managed through Panorama.
  • Experience designing and operating SD-WAN at enterprise scale (VeloCloud preferred).
  • Deep experience with Microsoft Azure networking, including hybrid connectivity (ExpressRoute, Site-to-Site VPN, vWAN).
  • Strong understanding of BGP, OSPF, routing policy, and path selection; MTU, encapsulation, and overlay behavior; high-availability and failover mechanisms.
  • Working experience with IPAM and enterprise DNS.
  • Demonstrated experience operating at the intersection of on-prem and Azure networking.
  • Proven experience leading a network transformation initiative or serving as the senior technical authority on a complex network program.

Preferred Qualifications

  • Azure certifications (AZ-700, Azure Solutions Architect Expert).
  • Vendor certifications such as Arista ACE, Cisco CCNP/CCIE, Palo Alto PCNSE, or VMware VCP-NV / VeloCloud.
  • Experience with automation and infrastructure-as-code -- Python, Ansible, Terraform, PowerShell -- applied to network operations.
  • Familiarity with network telemetry, streaming telemetry (gNMI), NetFlow/IPFIX, and modern observability platforms.
  • Experience supporting large-scale enterprise or highly regulated environments (financial services, healthcare, etc.).
  • Exposure to multi-cloud networking architectures.

Success Indicators

  • A well-architected, scalable EVPN/VXLAN data center fabric with clean underlay and overlay separation.
  • Stable, secure, and predictable multi-site and hybrid routing between data centers, branches, and Azure.
  • A resilient internet edge and SD-WAN footprint with measurable reductions in incident frequency and impact.
  • Consistent security policy enforcement across physical, virtual, and cloud networks, centrally governed through Panorama.
  • Mature monitoring and automation reducing mean-time-to-detect and mean-time-to-repair.
  • Successful execution of a complex network transformation with measurable improvements in resiliency, operability, and cost.
  • Clear technical leadership recognized by peers and cross-functional teams.

Education

Bachelor’s degree in a technical discipline or related field, or the equivalent combination of education, training, or work experience.

Physical and Other Requirements

  • May sit at workstation for extended periods of time.
  • May lift up to 50 lbs.
  • Must be willing to participate in a weekly on-call schedule.
  • Work environment is primarily remote; may need to visit data centers monthly for new installations and upgrades.

Lincoln Investment is an equal opportunity employer. Lincoln Investment prohibits discrimination and harassment of any type and affords equal employment opportunities to employees and applicants without regard to race, color, religion, sex, sexual orientation, gender identity or expression, pregnancy, age, national origin, disability status, genetic information, protected veteran status, or any other characteristic protected by law. Lincoln Investment conforms to the spirit as well as to the letter of all applicable laws and regulations.

Salary Grade 13
