diff --git a/roles/exit/templates/frr.conf.j2 b/roles/exit/templates/frr.conf.j2
index d4f6bfe..a9a5e62 100644
--- a/roles/exit/templates/frr.conf.j2
+++ b/roles/exit/templates/frr.conf.j2
@@ -3,7 +3,7 @@
| selectattr('role') | selectattr('role.value', '==', 'loopback') | map(attribute='address') %} {% set inside_vrfs = interfaces | selectattr('parent') | selectattr('parent.name', '==', 'bridge')
- | selectattr('vrf') | map(attribute='vrf.name') | reject('==', 'outside') | sort %}
+ | selectattr('vrf') | map(attribute='vrf.name') | reject('==', 'outside') | sort | unique %}
frr defaults datacenter log syslog informational
@@ -239,7 +239,7 @@ ipv6 prefix-list office permit {{ prefix.prefix }} ge {{ prefix.prefix | ipaddr(
# individual prefix lists for each inside network {% for prefix in vrf_prefixes | selectattr('vrf.name', 'in', inside_vrfs)
- | sort(attribute='family.value') | sort(attribute='vlan.vid') %}
+ | sort(attribute='family.value') | sort(attribute='vrf.name') %}
{% if prefix.family.value == 4 %} ip prefix-list {{ prefix.vrf.name }} permit {{ prefix.prefix }} ge {{ prefix.prefix | ipaddr('prefix') }} {% else %}
diff --git a/roles/exit/templates/networks.intf.j2 b/roles/exit/templates/networks.intf.j2
index a9f3857..99b6d64 100644
--- a/roles/exit/templates/networks.intf.j2
+++ b/roles/exit/templates/networks.intf.j2
@@ -1,6 +1,6 @@
{# VRF outside is special, all others are inside but also firewalled from each other. #} {% set inside_vrfs = interfaces | selectattr('parent') | selectattr('parent.name', '==', 'bridge')
- | selectattr('vrf') | map(attribute='vrf') | rejectattr('name', '==', 'outside') -%}
+ | selectattr('vrf') | map(attribute='vrf') | rejectattr('name', '==', 'outside') | unique -%}
# A separate VRF for each inside network so we can firewall between them. {% for vrf in inside_vrfs %}
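Review bot: In the first hunk of roles/exit/templates/frr.conf.j2, the added `unique` compares strings case-insensitively by default (as does the `sort` before it), so two VRF names that differ only in case would collapse into a single entry in `inside_vrfs`. The later `selectattr('vrf.name', 'in', inside_vrfs)` is an exact match, so prefixes belonging to the dropped spelling would silently get no prefix list. If inventory VRF names can differ by case, use `unique(case_sensitive=true)`. Either way, a comment above the `set` such as `{# several bridge sub-interfaces can share one VRF, so de-duplicate the names #}` would record why the filter is there, if that is indeed the reason.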
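Review bot: The chained `sort` filters in the second frr.conf.j2 hunk rely on sort stability to make `vrf.name` the primary key and `family.value` the secondary one, which is easy to misread as the reverse order. A single `sort(attribute='vrf.name,family.value')` states the ordering directly, assuming the Jinja2 version in use accepts comma-separated attributes (2.11 or later, as far as I know). The `for` body that emits the per-VRF prefix lists continues past the end of the hunk.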
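Review bot: In roles/exit/templates/networks.intf.j2 the new `unique` is applied to whole `vrf` objects rather than names, so two interfaces de-duplicate only if their `vrf` values compare equal in every field, whereas frr.conf.j2 de-duplicates by `vrf.name`. These VRFs are what the firewalling between inside networks is built on, so keying on the name keeps both templates agreeing on the same set: `| rejectattr('name', '==', 'outside') | unique(attribute='name') -%}`. The `for vrf in inside_vrfs` loop that consumes the list continues outside the hunk.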