diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py
index bc7e92768c2..b1518cddf01 100644
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@@ -14,6 +14,7 @@
 
 import netaddr
 from neutron_lib.api.definitions import port as port_def
+from neutron_lib.api import extensions
 from neutron_lib.api import validators
 from neutron_lib.callbacks import events
 from neutron_lib.callbacks import exceptions
@@ -794,6 +795,8 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
 
         :returns: the default security group id for given tenant.
         """
+        if not extensions.is_extension_supported(self, 'security-group'):
+            return
         default_group_id = self._get_default_sg_id(context, tenant_id)
         if default_group_id:
             return default_group_id
@@ -845,7 +848,8 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
         if not validators.is_attr_set(port.get(ext_sg.SECURITYGROUPS)):
             default_sg = self._ensure_default_security_group(context,
                                                              port['tenant_id'])
-            port[ext_sg.SECURITYGROUPS] = [default_sg]
+            if default_sg:
+                port[ext_sg.SECURITYGROUPS] = [default_sg]
 
     def _check_update_deletes_security_groups(self, port):
         """Return True if port has as a security group and it's value
diff --git a/neutron/tests/unit/db/test_securitygroups_db.py b/neutron/tests/unit/db/test_securitygroups_db.py
index f0bfdf38b63..333fdf26e15 100644
--- a/neutron/tests/unit/db/test_securitygroups_db.py
+++ b/neutron/tests/unit/db/test_securitygroups_db.py
@@ -74,6 +74,10 @@ class SecurityGroupDbMixinTestCase(testlib_api.SqlTestCase):
         self.setup_coreplugin(core_plugin=DB_PLUGIN_KLASS)
         self.ctx = context.get_admin_context()
         self.mixin = SecurityGroupDbMixinImpl()
+        is_ext_supported = mock.patch(
+            'neutron_lib.api.extensions.is_extension_supported')
+        self.is_ext_supported = is_ext_supported.start()
+        self.is_ext_supported.return_value = True
 
     def test_create_security_group_conflict(self):
         with mock.patch.object(registry, "notify") as mock_notify:
@@ -564,3 +568,13 @@ class SecurityGroupDbMixinTestCase(testlib_api.SqlTestCase):
             get_default_sg_id.assert_has_calls([
                 mock.call(self.ctx, 'tenant_1'),
                 mock.call(self.ctx, 'tenant_1')])
+
+    def test__ensure_default_security_group_when_disabled(self):
+        with mock.patch.object(
+                    self.mixin, '_get_default_sg_id') as get_default_sg_id,\
+                mock.patch.object(
+                        self.mixin, 'create_security_group') as create_sg:
+            self.is_ext_supported.return_value = False
+            self.mixin._ensure_default_security_group(self.ctx, 'tenant_1')
+            create_sg.assert_not_called()
+            get_default_sg_id.assert_not_called()