router bgp 1
 neighbor FIREWALL peer-group
 neighbor FIREWALL local-as 65255 no-prepend replace-as
 neighbor FIREWALL ebgp-multihop 255
 neighbor 192.168.96.12 remote-as 65001
 neighbor 192.168.96.12 peer-group FIREWALL
 neighbor 192.168.96.20 remote-as 65002
 neighbor 192.168.96.20 peer-group FIREWALL
 !
 address-family ipv4
 neighbor FIREWALL route-map VRF-POLICY-IN in
 neighbor FIREWALL route-map VRF-POLICY-OUT out
 neighbor 192.168.96.12 activate
 neighbor 192.168.96.20 activate
 aggregate-address 10.255.0.0 255.255.0.0 summary-only
 exit-address-family
 !
 address-family ipv4 vrf ONE
 neighbor 192.168.96.4 remote-as 65255
 neighbor 192.168.96.4 local-as 65001 no-prepend replace-as
 neighbor 192.168.96.4 ebgp-multihop 255
 neighbor 192.168.96.4 activate
 neighbor 192.168.96.4 default-originate
 neighbor 192.168.96.4 route-map VRF-POLICY-IN in
 neighbor 192.168.96.4 route-map VRF-POLICY-OUT out
 bgp router-id 192.168.96.12
 aggregate-address 10.1.0.0 255.255.0.0 summary-only
 exit-address-family
 !
 address-family ipv4 vrf TWO
 neighbor 192.168.96.4 remote-as 65255
 neighbor 192.168.96.4 local-as 65002 no-prepend replace-as
 neighbor 192.168.96.4 ebgp-multihop 255
 neighbor 192.168.96.4 activate
 neighbor 192.168.96.4 route-map VRF-POLICY-IN in
 neighbor 192.168.96.4 route-map VRF-POLICY-OUT out
 bgp router-id 192.168.96.20
 aggregate-address 10.2.0.0 255.255.0.0 summary-only
 exit-address-family
!
ip route 192.168.96.0 255.255.252.0 192.168.96.1
ip route vrf ONE 192.168.96.0 255.255.252.0 192.168.96.9
ip route vrf TWO 192.168.96.0 255.255.252.0 192.168.96.17
!
ip prefix-list NOADVERTISE-OUT seq 5 permit 192.168.96.0/22 ge 22
!
route-map VRF-POLICY-OUT deny 10
 match ip address prefix-list NOADVERTISE-OUT
!
route-map VRF-POLICY-OUT permit 20
!
route-map VRF-POLICY-IN permit 10
 set local-preference 200