As an FYI, neutron ports without any ip address have a few edge cases to be aware of, and should be avoided in most cases.
Issue 1: Nova (the compute service), will not permit you to boot an instance if one of its ports has no ip address. You can workaround this by attaching the port to the instance after creation, via e.g. openstack server add port server_id port_id. The only caveat is that only ports attached during (not after) instance creation will show up in the instance metadata, used to autogenerate network configs.
Issue 2: Due to a bug, neutron ports with no ip address can’t be attached to baremetal nodes at all, and will have the status “binding_failed”. The easiest workaround here is to just give the port an ip address, even if you’re only using it for layer 2 traffic.
Since security groups don’t do anything on baremetal instances anyway, the workaround shouldn’t change any filtering or other network behavior.
This is silly and we hope to have a fix in soonish.