Upd: the new switch and PoE dongle arrived.
Helpfully, the dongle comes packaged with a stumpy little dc-dc "suicide cable", which can be connected between itself and the switch. Or at least it could, if TP-link actually used the same connector on the (otherwise compatible!) switch. Instead of just plugging it straight in I spent over an hour rifling through my box of old tech and cables looking for something with the right plug that I could snip off and turn into a suitable power cable.
Thanks, TP-link. Would adding a few 10p cables to the package really have been such a big deal?
The PoE dongle also comes with an RJ45 patch cable, which is nice - except it's much, much longer than the power lead. (Why?)
So, two custom cables later, the switch is configured with all the right VLAN settings and it's installed in my loft. It seems to be working fine, except I can't see its management interface now it's somewhere inaccessible.
Turns out that, when it has multiple ports configured, it seemingly
randomly chooses a VLAN for its own management interface - which affects the IP address it's allocated and the other ports on my network from which it can be accessed.
First it's on the VLAN I reserve for wireless access points, then after a reboot it's on the trusted VLAN for servers. Disable most of its ports and it then chooses the 'untrusted' VLAN, reserved for devices that get to see the internet but nothing on the local network; that was fun to recover from.
Eventually I set a static IP and it seems OK, but now it's the one device in the whole house not using DHCP.
How do 'normal' folks cope with this stuff...?