diff --git a/roles/exit/templates/frr.conf.j2 b/roles/exit/templates/frr.conf.j2
index aaa2b61..1467844 100644
--- a/roles/exit/templates/frr.conf.j2
+++ b/roles/exit/templates/frr.conf.j2
@@ -100,7 +100,7 @@ router bgp {{ asn.asn }} vrf outside
 {% endfor %}
 redistribute static
-redistribute connected
+redistribute connected route-map ifaces-outside
 import vrf default
 import vrf route-map outside-import
 exit-address-family
@@ -122,7 +122,7 @@ router bgp {{ asn.asn }} vrf outside
 {% endfor %}
 redistribute static
-redistribute connected
+redistribute connected route-map ifaces-outside
 import vrf default
 import vrf route-map outside-import
 exit-address-family
@@ -177,7 +177,7 @@ router bgp {{ asn.asn }} vrf {{ vrf.name }}
 {% for family in ['ipv4', 'ipv6'] %}
 address-family {{ family }} unicast
-redistribute connected
+redistribute connected route-map ifaces-{{ vrf.name }}
 import vrf inside
 {% if vrf.custom_fields.imports %}
 {% for import in vrf.custom_fields.imports %}
@@ -268,6 +268,19 @@ route-map loopback-inside permit 1
 route-map loopback-outside permit 1
 match interface outside
+# Route maps for local interfaces for each inside VRF. These are used to
+# prevent individual tenant VRFs from redistributing routes from virtual
+# ("-v0") interfaces into the common inside VRF. These routes don’t work.
+# For each VRF, a route map ifaces-vrf is defined that only permits bridge.*
+# interfaces in that VRF. Not sure if this actually helps, but doesn’t hurt.
+# Probably related to Cumulus issues 4531952, 4548512 and/or 4548514.
+{% for vrf in vrfs.values() %}
+{% for vlan_id in vrf_prefixes | selectattr('vrf.id', '==', vrf.id) | map(attribute='vlan.vid') | sort | unique %}
+route-map ifaces-{{ vrf.name }} permit {{ loop.index }}
+ match interface bridge.{{ vlan_id }}
+{% endfor %}
+{% endfor %}
+
 # Route maps for importing between VRFs.
 route-map default-import permit 10
 match ip address prefix-list default
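Review bot: `redistribute connected route-map ifaces-outside` in the two `vrf outside` address-families (hunks at -100 and -122) references a route-map that nothing in this diff defines by that literal name; the only `ifaces-*` maps added are generated from `vrfs.values()` in the -268 hunk, so this is only defined if `outside` happens to be an entry there, which the new header comment ("for each inside VRF") suggests it is not. As far as I recall, FRR treats a referenced-but-undefined route-map as deny-all, so the practical effect would be that the outside VRF silently stops redistributing any connected routes after this change. Either add an explicit `route-map ifaces-outside permit 1` with the intended `match interface` next to the existing `loopback-outside` map, or drop the route-map from these two lines if the outside VRF is not affected by the problem the comment describes. The enclosing `router bgp ... vrf outside` blocks start outside these hunks.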
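Review bot: `redistribute connected route-map ifaces-{{ vrf.name }}` in the -177 hunk produces a dangling reference for any VRF whose inner loop in the -268 hunk yields no VLAN IDs (no matching entry in `vrf_prefixes`), because no `route-map ifaces-<name>` line is emitted for it at all, and FRR's behaviour for an undefined route-map is (to my recollection) deny-all rather than permit-all. That is the opposite of what the comment claims ("doesn't hurt"): such a VRF would lose every connected route, not just the `-v0` ones. Making the deny explicit also makes the intent readable in the rendered config; after the inner `{% endfor %}` in the -268 hunk add `route-map ifaces-{{ vrf.name }} deny 65535` so the map always exists and the filtering policy is visible. The outer `{% for vrf ... %}` that supplies `vrf.name` in this hunk begins outside the hunk, so I am assuming it iterates the same `vrfs` collection as the generator in the -268 hunk; if it does not, the names will not line up.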
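Review bot: The header comment in the -268 hunk does not match what the rest of the diff does: it says the maps exist "for each inside VRF" and to protect "the common inside VRF", yet the -100 and -122 hunks attach `ifaces-outside` to the outside VRF as well, and "These routes don't work" leaves the reader guessing what was actually observed. I would rewrite the first three lines as `# Per-VRF route maps restricting 'redistribute connected' to bridge.<vid>` / `# interfaces, so that routes on the virtual ("-v0") interfaces of a VRF are` / `# not redistributed into BGP (they are not reachable from other VRFs).` and, if the outside VRF really is covered, state where `ifaces-outside` comes from. The "Not sure if this actually helps" sentence should either be replaced by what was verified or be turned into a `TODO(<owner>)` so it does not sit in production config indefinitely; the Cumulus issue numbers are fine to keep as the pointer.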