Containment is actively keeping a device off of the network, presumably because it is a rogue device.. There are two types of containment; deauths and tarpitting. Deauths does not require the WIPS license, but consumes airtime because it is actively sending deauths when a client tries to connect to a resource. Tarpitting requires the RF Protect license, but it is a method that is much more effective at keeping clients off of the network, along with consuming less airtime.
The FCC has really murky rules about containment, so you should consult your own legal resources to determine if what you are doing is lawful before turning it on in a production environment: http://community.arubanetworks.com/t5/Wireless-Access/The-FCC-has-clarified-their-stance-on-wireless-containment-but/m-p/226342#M46143